Info
Potential threat (40)
THREATS (1)
Threat (6)
isaacwiper
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (1)
- MAR-10376640-1.v1 IsaacWiper and HermeticWizard
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (use_threat) >>
isaacwiper
-
463a2a119664cff0f6ea5941379a7700
>> (use_threat) >>
isaacwiper
-
60a3ce8706953c03b2a4f22e43dccb26
>> (use_threat) >>
isaacwiper
-
d7ed7d880b3eed5eae7787055766502c
>> (use_threat) >>
isaacwiper
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (use_threat) >>
isaacwiper
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (use_threat) >>
isaacwiper
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (use_threat) >>
isaacwiper
-
isaacwiper
>> (has_category) >>
malware
-
isaacwiper
>> (related) >>
hermeticwizard
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (use_threat) >>
isaacwiper
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (use_threat) >>
isaacwiper
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (use_threat) >>
isaacwiper
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (use_threat) >>
isaacwiper
-
87728459f7938f00f8d53d0bd6e6a337
>> (use_threat) >>
isaacwiper
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (use_threat) >>
isaacwiper
-
e099d3524b6906cf8460b4e6db0b11f2
>> (use_threat) >>
isaacwiper
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (use_threat) >>
isaacwiper
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (use_threat) >>
isaacwiper
-
decfc792ded248587084a6329217380e
>> (use_threat) >>
isaacwiper
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (use_threat) >>
isaacwiper
-
8156382b4b0f02a7467108b32103b82a
>> (use_threat) >>
isaacwiper
-
01185a4f21be653f13b885a655da2239
>> (use_threat) >>
isaacwiper
-
9475a59226943a3ad422e18169989f66
>> (use_threat) >>
isaacwiper
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (use_threat) >>
isaacwiper
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (use_threat) >>
isaacwiper
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (use_threat) >>
isaacwiper
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (use_threat) >>
isaacwiper
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (use_threat) >>
isaacwiper
-
d77cbf49cf473a8235a67912f0edd78f
>> (use_threat) >>
isaacwiper
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (use_threat) >>
isaacwiper
-
1e9e616d75f50f562b0d56edc472a8ea
>> (use_threat) >>
isaacwiper
-
31b2ae0f6a40196c4bce89d36302d545
>> (use_threat) >>
isaacwiper
-
99ec3d78dee2e180fa53da106a9a7540
>> (use_threat) >>
isaacwiper
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (use_threat) >>
isaacwiper
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (use_threat) >>
isaacwiper
hermeticwizard
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (1)
- MAR-10376640-1.v1 IsaacWiper and HermeticWizard
Links:
-
d7ed7d880b3eed5eae7787055766502c
>> (use_threat) >>
hermeticwizard
-
60a3ce8706953c03b2a4f22e43dccb26
>> (use_threat) >>
hermeticwizard
-
463a2a119664cff0f6ea5941379a7700
>> (use_threat) >>
hermeticwizard
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (use_threat) >>
hermeticwizard
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (use_threat) >>
hermeticwizard
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (use_threat) >>
hermeticwizard
-
31b2ae0f6a40196c4bce89d36302d545
>> (use_threat) >>
hermeticwizard
-
01185a4f21be653f13b885a655da2239
>> (use_threat) >>
hermeticwizard
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (use_threat) >>
hermeticwizard
-
isaacwiper
>> (related) >>
hermeticwizard
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (use_threat) >>
hermeticwizard
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (use_threat) >>
hermeticwizard
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (use_threat) >>
hermeticwizard
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (use_threat) >>
hermeticwizard
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (use_threat) >>
hermeticwizard
-
9475a59226943a3ad422e18169989f66
>> (use_threat) >>
hermeticwizard
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (use_threat) >>
hermeticwizard
-
8156382b4b0f02a7467108b32103b82a
>> (use_threat) >>
hermeticwizard
-
decfc792ded248587084a6329217380e
>> (use_threat) >>
hermeticwizard
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (use_threat) >>
hermeticwizard
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (use_threat) >>
hermeticwizard
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (use_threat) >>
hermeticwizard
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (use_threat) >>
hermeticwizard
-
e099d3524b6906cf8460b4e6db0b11f2
>> (use_threat) >>
hermeticwizard
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (use_threat) >>
hermeticwizard
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (use_threat) >>
hermeticwizard
-
87728459f7938f00f8d53d0bd6e6a337
>> (use_threat) >>
hermeticwizard
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (use_threat) >>
hermeticwizard
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (use_threat) >>
hermeticwizard
-
hermeticwizard
>> (has_category) >>
malware
-
99ec3d78dee2e180fa53da106a9a7540
>> (use_threat) >>
hermeticwizard
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (use_threat) >>
hermeticwizard
-
1e9e616d75f50f562b0d56edc472a8ea
>> (use_threat) >>
hermeticwizard
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (use_threat) >>
hermeticwizard
-
d77cbf49cf473a8235a67912f0edd78f
>> (use_threat) >>
hermeticwizard
hermeticwiper
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (use_threat) >>
hermeticwiper
-
8156382b4b0f02a7467108b32103b82a
>> (use_threat) >>
hermeticwiper
-
decfc792ded248587084a6329217380e
>> (use_threat) >>
hermeticwiper
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (use_threat) >>
hermeticwiper
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (use_threat) >>
hermeticwiper
-
e099d3524b6906cf8460b4e6db0b11f2
>> (use_threat) >>
hermeticwiper
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (use_threat) >>
hermeticwiper
-
87728459f7938f00f8d53d0bd6e6a337
>> (use_threat) >>
hermeticwiper
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (use_threat) >>
hermeticwiper
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (use_threat) >>
hermeticwiper
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (use_threat) >>
hermeticwiper
-
99ec3d78dee2e180fa53da106a9a7540
>> (use_threat) >>
hermeticwiper
-
d7ed7d880b3eed5eae7787055766502c
>> (use_threat) >>
hermeticwiper
-
1e9e616d75f50f562b0d56edc472a8ea
>> (use_threat) >>
hermeticwiper
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (use_threat) >>
hermeticwiper
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (use_threat) >>
hermeticwiper
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (use_threat) >>
hermeticwiper
-
d77cbf49cf473a8235a67912f0edd78f
>> (use_threat) >>
hermeticwiper
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (use_threat) >>
hermeticwiper
-
hermeticwiper
>> (has_category) >>
malware
-
60a3ce8706953c03b2a4f22e43dccb26
>> (use_threat) >>
hermeticwiper
-
463a2a119664cff0f6ea5941379a7700
>> (use_threat) >>
hermeticwiper
-
01185a4f21be653f13b885a655da2239
>> (use_threat) >>
hermeticwiper
-
31b2ae0f6a40196c4bce89d36302d545
>> (use_threat) >>
hermeticwiper
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (use_threat) >>
hermeticwiper
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (use_threat) >>
hermeticwiper
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (use_threat) >>
hermeticwiper
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (use_threat) >>
hermeticwiper
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (use_threat) >>
hermeticwiper
-
9475a59226943a3ad422e18169989f66
>> (use_threat) >>
hermeticwiper
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (use_threat) >>
hermeticwiper
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (use_threat) >>
hermeticwiper
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (use_threat) >>
hermeticwiper
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (use_threat) >>
hermeticwiper
TTPS (0)
MEANINGS (1)
Category (4)
malware
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
12bbe2ed84c503c161528eb9c65e06b7
>> (has_category) >>
malware
-
fd8214e8ca810e64eb947f522acbead7
>> (has_category) >>
malware
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
malware
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
malware
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
malware
-
trojan/win32.agent
>> (has_category) >>
malware
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
malware
-
a84958d0a1ba6ccf7f68b0f082a1c656
>> (has_category) >>
malware
-
alureon
>> (has_category) >>
malware
-
9475a59226943a3ad422e18169989f66
>> (has_category) >>
malware
-
99ec3d78dee2e180fa53da106a9a7540
>> (has_category) >>
malware
-
d7ed7d880b3eed5eae7787055766502c
>> (has_category) >>
malware
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
malware
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (has_category) >>
malware
-
isaacwiper
>> (has_category) >>
malware
-
48f101db632bb445c21a10fd5501e343
>> (has_category) >>
malware
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
malware
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
malware
-
87728459f7938f00f8d53d0bd6e6a337
>> (has_category) >>
malware
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (has_category) >>
malware
-
4c8100d03804167a977995936cfbf536
>> (has_category) >>
malware
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (has_category) >>
malware
-
e099d3524b6906cf8460b4e6db0b11f2
>> (has_category) >>
malware
-
trojan.win32.trjgen.jngwij
>> (has_category) >>
malware
-
01185a4f21be653f13b885a655da2239
>> (has_category) >>
malware
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
malware
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (has_category) >>
malware
-
hermeticwiper
>> (has_category) >>
malware
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
malware
-
9676f7c827fb9388358aaba3e4bd0cc6
>> (has_category) >>
malware
-
5efc98798d0979e69e2a667fc20e3f24
>> (has_category) >>
malware
-
1e9e616d75f50f562b0d56edc472a8ea
>> (has_category) >>
malware
-
06d63fddf89fae3948764028712c36d6
>> (has_category) >>
malware
-
virus.wiper.isaac
>> (has_category) >>
malware
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
malware
-
60a3ce8706953c03b2a4f22e43dccb26
>> (has_category) >>
malware
-
trojan.agentb
>> (has_category) >>
malware
-
463a2a119664cff0f6ea5941379a7700
>> (has_category) >>
malware
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
malware
-
8156382b4b0f02a7467108b32103b82a
>> (has_category) >>
malware
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
malware
-
decfc792ded248587084a6329217380e
>> (has_category) >>
malware
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
malware
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
malware
-
c1ecc108a6c84989eb4102d2d387c3cb
>> (has_category) >>
malware
-
hermeticwizard
>> (has_category) >>
malware
-
31b2ae0f6a40196c4bce89d36302d545
>> (has_category) >>
malware
-
a4b162717c197e11b76a4d9bc58ea25d
>> (has_category) >>
malware
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
malware
-
28378e0c1da3cce94aa72585f5559fc6
>> (has_category) >>
malware
-
d77cbf49cf473a8235a67912f0edd78f
>> (has_category) >>
malware
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
malware
trojan
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
9475a59226943a3ad422e18169989f66
>> (has_category) >>
trojan
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
trojan
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
trojan
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
trojan
-
87728459f7938f00f8d53d0bd6e6a337
>> (has_category) >>
trojan
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (has_category) >>
trojan
-
99ec3d78dee2e180fa53da106a9a7540
>> (has_category) >>
trojan
-
e099d3524b6906cf8460b4e6db0b11f2
>> (has_category) >>
trojan
-
d7ed7d880b3eed5eae7787055766502c
>> (has_category) >>
trojan
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (has_category) >>
trojan
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
trojan
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
trojan
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
trojan
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (has_category) >>
trojan
-
60a3ce8706953c03b2a4f22e43dccb26
>> (has_category) >>
trojan
-
01185a4f21be653f13b885a655da2239
>> (has_category) >>
trojan
-
463a2a119664cff0f6ea5941379a7700
>> (has_category) >>
trojan
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
trojan
-
8156382b4b0f02a7467108b32103b82a
>> (has_category) >>
trojan
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (has_category) >>
trojan
-
decfc792ded248587084a6329217380e
>> (has_category) >>
trojan
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
trojan
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
trojan
-
31b2ae0f6a40196c4bce89d36302d545
>> (has_category) >>
trojan
-
1e9e616d75f50f562b0d56edc472a8ea
>> (has_category) >>
trojan
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
trojan
-
d77cbf49cf473a8235a67912f0edd78f
>> (has_category) >>
trojan
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
trojan
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
trojan
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
trojan
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
trojan
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
trojan
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
trojan
scan
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
01185a4f21be653f13b885a655da2239
>> (has_category) >>
scan
-
60a3ce8706953c03b2a4f22e43dccb26
>> (has_category) >>
scan
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
scan
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (has_category) >>
scan
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (has_category) >>
scan
-
e099d3524b6906cf8460b4e6db0b11f2
>> (has_category) >>
scan
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
scan
-
d77cbf49cf473a8235a67912f0edd78f
>> (has_category) >>
scan
-
d7ed7d880b3eed5eae7787055766502c
>> (has_category) >>
scan
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
scan
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
scan
-
decfc792ded248587084a6329217380e
>> (has_category) >>
scan
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
scan
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
scan
-
1e9e616d75f50f562b0d56edc472a8ea
>> (has_category) >>
scan
-
31b2ae0f6a40196c4bce89d36302d545
>> (has_category) >>
scan
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
scan
-
9475a59226943a3ad422e18169989f66
>> (has_category) >>
scan
-
463a2a119664cff0f6ea5941379a7700
>> (has_category) >>
scan
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
scan
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
scan
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
scan
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
scan
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
scan
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
scan
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
scan
-
99ec3d78dee2e180fa53da106a9a7540
>> (has_category) >>
scan
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (has_category) >>
scan
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
scan
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
scan
-
8156382b4b0f02a7467108b32103b82a
>> (has_category) >>
scan
-
87728459f7938f00f8d53d0bd6e6a337
>> (has_category) >>
scan
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (has_category) >>
scan
phishing
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
phishing
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
phishing
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
phishing
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (has_category) >>
phishing
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
phishing
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
phishing
-
87728459f7938f00f8d53d0bd6e6a337
>> (has_category) >>
phishing
-
9475a59226943a3ad422e18169989f66
>> (has_category) >>
phishing
-
99ec3d78dee2e180fa53da106a9a7540
>> (has_category) >>
phishing
-
d7ed7d880b3eed5eae7787055766502c
>> (has_category) >>
phishing
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (has_category) >>
phishing
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
phishing
-
01185a4f21be653f13b885a655da2239
>> (has_category) >>
phishing
-
e099d3524b6906cf8460b4e6db0b11f2
>> (has_category) >>
phishing
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (has_category) >>
phishing
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (has_category) >>
phishing
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
phishing
-
8156382b4b0f02a7467108b32103b82a
>> (has_category) >>
phishing
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
phishing
-
decfc792ded248587084a6329217380e
>> (has_category) >>
phishing
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
phishing
-
31b2ae0f6a40196c4bce89d36302d545
>> (has_category) >>
phishing
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
phishing
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
phishing
-
60a3ce8706953c03b2a4f22e43dccb26
>> (has_category) >>
phishing
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
phishing
-
463a2a119664cff0f6ea5941379a7700
>> (has_category) >>
phishing
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
phishing
-
d77cbf49cf473a8235a67912f0edd78f
>> (has_category) >>
phishing
-
1e9e616d75f50f562b0d56edc472a8ea
>> (has_category) >>
phishing
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
phishing
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
phishing
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
phishing
IOCS (3)
Path (1)
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
printer
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
2000kb
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
informational
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cyren
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unfavorable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
answering
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
rdata
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
numbers--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
borland
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
path
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s13
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
characters
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
metadata
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
qaz123
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
corrupt
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
rsrc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
lavasoft
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
contained_within
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
edited
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
relationship
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_02
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
reviewed
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
strives
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
isacc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (use_threat) >>
isaacwiper
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
scan
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
tachyon
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
xhxw-4345
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
desk
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
wevtutil
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
-n
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
faq
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s12
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
mar analysis
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
15-05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
generickd
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
console
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
entropy
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
nist
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
physicaldrive0
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
deny
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
white--disclosure
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s15
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
posture
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
virusblokada zillya
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
siprnet
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
avira worm
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
habits
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dynamic-link
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
relationships
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
authenticate
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
antiy
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
badcert-gen
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
phishing
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
nanoav
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
herein
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
housecall
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
malicious
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
data--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
1-888-282-0870
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s11
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
mifr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
20220414_1037
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
exercise
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_01
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha256_1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
reloc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
9faba348
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
minimal
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
juikt
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
foreseeable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
a259e9b0ac
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cds
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s14
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unwanted
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
20220413_1300
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (use_threat) >>
hermeticwiper
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sejyu
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
passwords--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
operable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
30-04
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
romance
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
overwriting
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
clamav
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
mersenne
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
endorse
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
acls
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ikarus
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
00028d131
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
800-83
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (use_threat) >>
hermeticwizard
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cryptors
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dhs
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
homepage
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
nhp
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha1 sha256
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
07-05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unless
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
--begin
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
backdoortrojanwiperworm
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
20220418_1900
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
anonymous
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
2d29f9ca1d
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
md5_2
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
hermeticwizard-9941571-0
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
corrupting
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
38d94ab0
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
last_modified
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
0058f30e1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
twister
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dll
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sipr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ssdeep
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
command-line--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
-s
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
pjgwz
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
alphanumerical
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
backdoortrojanworm
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
up-to-date
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
usernames--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
erasing
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
--end
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
timely
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
situational
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
emsisoft
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
wipe
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha256_3
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
hex
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
trojan
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
warranties
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
17-05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
5a300f72e2
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
6
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
accordance
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (has_category) >>
malware
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha256_2
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
downloadable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
reachable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
path
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
qwerty123
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ojc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
files--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
address
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unsolicited
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
md5_3
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
exec_x32
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
killmbr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dropped_by
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
md5_1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
logical
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s10
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
jwics
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
w32
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ipc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
heal
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unclass
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
scanned
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_03
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
render
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
a1d01b0a
Hash (43)
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
Hash: 5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48
Hash: 0959bf541d52b6e2915420442bf44ce8
Hash: afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a
Hash: e9b96e9b86fad28d950ca428879168e0894d854f
Hash: ac5b6f16fc5115f0e2327a589246ba00b41439c2
File: worm.win32.agent
File: exec_x32.dll
File: cleaner.exe
File: malcert-s.oe
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
warranties
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
xhxw-4345
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
wipe
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
virusblokada zillya
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
deny
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha256_2
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_05
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cryptors
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
nist
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
07-05
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unless
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
metadata
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
habits
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
avira worm
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
38d94ab0
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
hermeticwizard-9941571-0
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
strives
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
authenticate
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
800-83
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_02
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
homepage
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dhs
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ipc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
reviewed
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
jwics
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
nhp
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
9faba348
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
minimal
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
-n
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
heal
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_01
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unwanted
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
render
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
foreseeable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
2000kb
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
informational
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
characters
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s13
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
scanned
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
trojan
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
path
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cyren
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
mersenne
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
lavasoft
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unfavorable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
acls
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
malware
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sejyu
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
rsrc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
clamav
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
corrupt
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s12
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
downloadable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
30-04
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
borland
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
overwriting
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
housecall
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
nanoav
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha256_3
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s11
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
exercise
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
wevtutil
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
1-888-282-0870
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
20220414_1037
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
files--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
qwerty123
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
entropy
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
mar analysis
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
twister
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
0058f30e1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
juikt
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
white--disclosure
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ssdeep
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sipr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
killmbr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dll
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
herein
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
physicaldrive0
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dynamic-link
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
backdoortrojanworm
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
alphanumerical
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
posture
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s15
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
situational
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
siprnet
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
emsisoft
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
malicious
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
--end
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
erasing
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
up-to-date
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
badcert-gen
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
antiy
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
relationship
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
answering
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
accordance
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
6
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
md5_2
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
20220418_1900
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (use_threat) >>
hermeticwizard
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
anonymous
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha1 sha256
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
--begin
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
corrupting
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
last_modified
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
edited
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
contained_within
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
2d29f9ca1d
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
backdoortrojanwiperworm
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
tachyon
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
a259e9b0ac
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cds
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
generickd
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
pjgwz
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (use_threat) >>
isaacwiper
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
-s
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
20220413_1300
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (use_threat) >>
hermeticwiper
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s10
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
scan
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
romance
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dropped_by
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
00028d131
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unclass
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
address
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (has_category) >>
phishing
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
endorse
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
w32
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_03
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
printer
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
a1d01b0a
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ikarus
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
numbers--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
data--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
relationships
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
path
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
reachable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
qaz123
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
mifr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
rdata
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ojc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
reloc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha256_1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
md5_3
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
exec_x32
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s14
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
logical
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
command-line--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
operable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
passwords--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unsolicited
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
desk
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
isacc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
md5_1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
timely
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
usernames--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
console
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
5a300f72e2
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
hex
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
15-05
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
faq
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
17-05
Hash: 3c54c9a49a8ddca02189fe15fea52fe24f41a86f
Hash: 6b5958bfabfe7c731193adb96880b225c8505b73
Hash: a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec
Hash: 517d2b385b846d6ea13b75b8adceb061
Hash: 58d71fff346017cf8311120c69c9946a
File: trojan.wh
File: romance.dll
File: trojan.win32.trjgen.jngwij
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
1-888-282-0870
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
md5_2
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
mifr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
anonymous
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
20220418_1900
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
last_modified
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
corrupting
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
reloc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha256_1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
nanoav
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
800-83
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ikarus
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
accordance
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (use_threat) >>
hermeticwiper
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha256_2
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sejyu
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
backdoortrojanworm
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
data--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
overwriting
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
30-04
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
romance
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
--end
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
timely
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
emsisoft
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
situational
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
endorse
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
malware
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
17-05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
hex
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
5a300f72e2
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
killmbr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
trojan
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (use_threat) >>
hermeticwizard
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
foreseeable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ssdeep
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
command-line--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
logical
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
20220413_1300
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
qwerty123
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha1 sha256
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ojc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
files--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
hermeticwizard-9941571-0
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
2d29f9ca1d
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
backdoortrojanwiperworm
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha256_3
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
38d94ab0
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
md5_3
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
exec_x32
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
numbers--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cryptors
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
6
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
path
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
rsrc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
lavasoft
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
alphanumerical
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
07-05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unless
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unclass
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
address
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
up-to-date
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
usernames--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
printer
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
erasing
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_03
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
render
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
wipe
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
warranties
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
0058f30e1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
twister
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unsolicited
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
characters
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
path
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dll
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s13
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sipr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s10
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
jwics
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
md5_1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ipc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
edited
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
contained_within
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
-n
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_02
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
strives
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
answering
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
habits
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (use_threat) >>
isaacwiper
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
rdata
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
borland
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
downloadable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
qaz123
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
corrupt
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
reachable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
w32
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
15-05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s12
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
scanned
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
console
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
a1d01b0a
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
informational
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
2000kb
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
virusblokada zillya
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unfavorable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cyren
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dynamic-link
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
herein
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dropped_by
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
tachyon
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
desk
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
wevtutil
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
heal
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
phishing
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
entropy
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
generickd
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
reviewed
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s11
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
exercise
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
relationships
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
avira worm
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
metadata
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
housecall
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
authenticate
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
antiy
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
badcert-gen
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
malicious
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
xhxw-4345
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
relationship
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
faq
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (has_category) >>
scan
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
nist
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
physicaldrive0
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
deny
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
clamav
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
white--disclosure
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
acls
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
siprnet
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
isacc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
mersenne
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s15
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
posture
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_01
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
00028d131
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
9faba348
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
minimal
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
a259e9b0ac
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cds
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
juikt
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unwanted
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
-s
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s14
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dhs
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
mar analysis
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
pjgwz
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
passwords--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
homepage
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
--begin
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
operable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
nhp
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
20220414_1037
Hash: aa98b92e3320af7a1639de1bac6c17cc
Hash: ad602039c6f0237d4a997d5640e92ce5e2b3bba3
Hash: 2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b
File: cleaner.dll
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
heal
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
qaz123
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
render
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s10
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
rdata
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dropped_by
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
exec_x32
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
md5_3
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cyren
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
w32
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_03
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
logical
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
files--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
downloadable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unsolicited
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
path
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
reachable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha256_3
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
md5_1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
timely
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
killmbr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ojc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
5a300f72e2
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
17-05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
warranties
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
backdoortrojanworm
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
alphanumerical
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
wipe
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
emsisoft
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha256_2
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
--end
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
erasing
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
command-line--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
qwerty123
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
twister
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
0058f30e1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
accordance
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
6
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ssdeep
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sipr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
hermeticwizard-9941571-0
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
usernames--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dll
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
--begin
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
hex
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
situational
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cryptors
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
up-to-date
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unless
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
07-05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
pjgwz
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
-s
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
38d94ab0
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
anonymous
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
20220418_1900
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
md5_2
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha1 sha256
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
800-83
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
00028d131
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
homepage
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
phishing
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
last_modified
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
corrupting
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dhs
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
acls
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sejyu
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
malware
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
2d29f9ca1d
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
backdoortrojanwiperworm
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
a259e9b0ac
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cds
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
nhp
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ikarus
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
overwriting
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
minimal
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
9faba348
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (use_threat) >>
isaacwiper
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_01
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
20220413_1300
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unwanted
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
foreseeable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
romance
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha256_1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
reloc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
endorse
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
mersenne
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s14
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
clamav
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
20220414_1037
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
30-04
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
operable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
data--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
housecall
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
nanoav
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
passwords--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
relationships
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
juikt
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
mifr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s11
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
herein
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
physicaldrive0
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dynamic-link
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
exercise
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
siprnet
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
virusblokada zillya
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
wevtutil
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
1-888-282-0870
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
malicious
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
antiy
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
nist
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
entropy
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
badcert-gen
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
habits
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
avira worm
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
mar analysis
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
desk
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
isacc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
white--disclosure
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (use_threat) >>
hermeticwizard
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
strives
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
authenticate
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
console
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_02
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
faq
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
15-05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s12
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
posture
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s15
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
xhxw-4345
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
edited
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
contained_within
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
deny
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
tachyon
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
generickd
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
metadata
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
-n
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
relationship
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (use_threat) >>
hermeticwiper
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
answering
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
informational
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
scan
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
2000kb
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s13
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
scanned
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unclass
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
address
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
path
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (has_category) >>
trojan
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
characters
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
lavasoft
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unfavorable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
rsrc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ipc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
reviewed
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
corrupt
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
printer
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
a1d01b0a
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
jwics
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
borland
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
numbers--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
Hash: 8061889aaebd955ba6fb493abe7a4de1
Hash: e9b96e9b86fad28d950ca428879168e0894d854f
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
housecall
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
trojan
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
generickd
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
up-to-date
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
files--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
tachyon
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
clamav
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
mersenne
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
posture
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s15
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dll
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sipr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
white--disclosure
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
render
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
6
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unwanted
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
twister
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_01
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
mar analysis
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
0058f30e1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
9faba348
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
minimal
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
scan
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
antiy
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
badcert-gen
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
nhp
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
jwics
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
erasing
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
malicious
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
1-888-282-0870
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ipc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
acls
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
siprnet
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
rsrc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
lavasoft
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dhs
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
alphanumerical
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
homepage
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
physicaldrive0
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
characters
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
800-83
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
path
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s13
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
juikt
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
-n
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
nanoav
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
30-04
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
downloadable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
20220414_1037
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cyren
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
15-05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
hex
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s12
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_02
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
console
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
strives
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
foreseeable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
desk
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
heal
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
habits
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
overwriting
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
borland
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
command-line--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
corrupt
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha256_2
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
reviewed
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sejyu
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
virusblokada zillya
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unfavorable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
17-05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
scanned
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
5a300f72e2
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ojc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
informational
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
2000kb
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
timely
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
path
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
38d94ab0
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
malware
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
relationships
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (has_category) >>
phishing
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
metadata
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
07-05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unless
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cryptors
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
logical
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
deny
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_03
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
xhxw-4345
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
exec_x32
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
md5_3
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
faq
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
usernames--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
authenticate
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
hermeticwizard-9941571-0
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s10
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
isacc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
avira worm
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
nist
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
numbers--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cds
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
a259e9b0ac
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
printer
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
wipe
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
last_modified
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
corrupting
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
warranties
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
address
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unclass
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
00028d131
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
md5_2
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
20220418_1900
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
mifr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
anonymous
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
md5_1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
answering
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
reachable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
-s
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unsolicited
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
pjgwz
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
passwords--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
data--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
operable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
contained_within
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
edited
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s14
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
w32
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (use_threat) >>
hermeticwiper
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
situational
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
endorse
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (use_threat) >>
isaacwiper
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
--begin
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
reloc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha256_1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dropped_by
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
romance
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
rdata
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ssdeep
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
qaz123
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
accordance
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
20220413_1300
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
entropy
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ikarus
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
qwerty123
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
a1d01b0a
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
--end
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (use_threat) >>
hermeticwizard
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
backdoortrojanwiperworm
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
wevtutil
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
2d29f9ca1d
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
emsisoft
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
exercise
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
backdoortrojanworm
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dynamic-link
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
herein
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha1 sha256
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
killmbr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s11
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha256_3
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
relationship
Hash: ecce8845921a91854ab34bff2623151e
Hash: 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033
Hash: 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950
File: mar-10376640-1.v1.stix
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
mersenne
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
20220413_1300
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
clamav
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
a259e9b0ac
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cds
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
20220414_1037
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
files--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ikarus
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
30-04
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha256_1
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
reloc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
md5_3
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
exec_x32
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
endorse
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
juikt
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
romance
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
killmbr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
operable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
nanoav
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
data--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
passwords--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s14
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha256_3
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
path
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
emsisoft
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
logical
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
1-888-282-0870
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
--end
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
erasing
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
qwerty123
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
5a300f72e2
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
backdoortrojanworm
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (use_threat) >>
isaacwiper
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
17-05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
warranties
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
alphanumerical
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
wipe
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
mifr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
accordance
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
6
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
timely
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ssdeep
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sipr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ojc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dll
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
twister
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
0058f30e1
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
situational
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha256_2
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
command-line--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
up-to-date
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
hex
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
edited
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
contained_within
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
hermeticwizard-9941571-0
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
strives
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
usernames--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
scan
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_02
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
07-05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unless
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
-n
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
answering
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
backdoortrojanwiperworm
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
2d29f9ca1d
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cryptors
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
printer
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
a1d01b0a
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha1 sha256
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
address
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unclass
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
path
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s13
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
characters
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
38d94ab0
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unfavorable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
qaz123
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
informational
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s10
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
2000kb
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
numbers--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
rdata
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
scanned
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
trojan
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dropped_by
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
heal
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
lavasoft
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
rsrc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ipc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
corrupt
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_03
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (use_threat) >>
hermeticwizard
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
jwics
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
borland
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
w32
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cyren
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
reachable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
render
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
md5_1
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unsolicited
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
relationships
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (use_threat) >>
hermeticwiper
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
virusblokada zillya
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
downloadable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
housecall
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
9faba348
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
nist
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
herein
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dynamic-link
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
exercise
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
siprnet
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
desk
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s11
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
authenticate
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
physicaldrive0
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
entropy
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
habits
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
avira worm
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
mar analysis
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
isacc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
wevtutil
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
malicious
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
deny
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
antiy
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
badcert-gen
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
console
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s12
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
15-05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
faq
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
xhxw-4345
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s15
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
posture
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
white--disclosure
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
generickd
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
--begin
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
metadata
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
800-83
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
pjgwz
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
relationship
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
-s
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
acls
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
tachyon
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
reviewed
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
nhp
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
overwriting
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
00028d131
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
homepage
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
phishing
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dhs
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
corrupting
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
last_modified
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (has_category) >>
malware
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sejyu
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unwanted
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
md5_2
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
anonymous
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
20220418_1900
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
foreseeable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
minimal
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_01
Hash: abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f
File: wizard.dll
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
siprnet
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
herein
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
white--disclosure
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
6
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
backdoortrojanworm
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dynamic-link
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
physicaldrive0
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
accordance
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha256_3
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
nanoav
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
malicious
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (use_threat) >>
hermeticwizard
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
files--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
antiy
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
badcert-gen
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
qwerty123
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
housecall
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
1-888-282-0870
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
downloadable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
20220414_1037
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
exercise
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s11
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
foreseeable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
killmbr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unwanted
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
juikt
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
heal
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
minimal
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
9faba348
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_01
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
30-04
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
mersenne
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ipc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
overwriting
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
acls
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
clamav
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
jwics
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cyren
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sejyu
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
malware
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unfavorable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
characters
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
path
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s13
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
informational
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
2000kb
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
trojan
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
scanned
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
800-83
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
render
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
metadata
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
07-05
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unless
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
corrupt
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
borland
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
rsrc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
nhp
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
lavasoft
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
homepage
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
reviewed
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cryptors
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dhs
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
strives
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
38d94ab0
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_02
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
desk
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
-n
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
hermeticwizard-9941571-0
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
isacc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
deny
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
nist
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
virusblokada zillya
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
faq
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
command-line--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
warranties
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
xhxw-4345
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
console
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
wipe
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
5a300f72e2
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_05
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
15-05
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s12
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
hex
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
17-05
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
usernames--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
authenticate
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
reachable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
avira worm
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
timely
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
relationships
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
path
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
data--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
habits
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha256_2
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
exec_x32
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
md5_3
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
reloc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha256_1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (use_threat) >>
isaacwiper
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ojc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dropped_by
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
mifr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
md5_1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s10
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
operable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
20220413_1300
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unsolicited
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
logical
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
passwords--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
a1d01b0a
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s14
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s15
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_03
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cds
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
a259e9b0ac
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
printer
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
w32
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
endorse
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
address
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unclass
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
00028d131
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
qaz123
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
phishing
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
romance
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
rdata
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
numbers--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
answering
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
relationship
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ikarus
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
backdoortrojanwiperworm
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
2d29f9ca1d
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha1 sha256
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
last_modified
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
corrupting
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
contained_within
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
edited
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
md5_2
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
20220418_1900
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
anonymous
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sipr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (has_category) >>
scan
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
--begin
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dll
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
pjgwz
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
0058f30e1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
twister
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
mar analysis
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ssdeep
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
-s
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
generickd
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
entropy
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
erasing
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
up-to-date
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
situational
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (use_threat) >>
hermeticwiper
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
wevtutil
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
emsisoft
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
tachyon
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
alphanumerical
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
--end
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
posture
Hash: 0802be27b58612f1b2648b8a57d1acfd
File: exploit-dcomrpc.c.gen
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
acls
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
malware
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sejyu
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
endorse
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
mersenne
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s14
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
a259e9b0ac
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cds
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
clamav
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
overwriting
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
9faba348
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
30-04
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
operable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
minimal
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_01
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
passwords--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
20220413_1300
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unwanted
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
foreseeable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
juikt
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
mifr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s11
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
reloc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha256_1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
exercise
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
20220414_1037
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
1-888-282-0870
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
malicious
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
data--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
housecall
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
nanoav
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
badcert-gen
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
antiy
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
relationships
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
habits
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
avira worm
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
white--disclosure
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
herein
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
physicaldrive0
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
authenticate
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
console
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dynamic-link
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
15-05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
faq
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s12
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
virusblokada zillya
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
wevtutil
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s15
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
posture
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
xhxw-4345
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
siprnet
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
deny
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
tachyon
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
nist
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
entropy
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
generickd
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
mar analysis
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
-n
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
desk
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
isacc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (use_threat) >>
hermeticwizard
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
strives
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_02
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
scan
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
contained_within
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
edited
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
rsrc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
lavasoft
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
reviewed
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
corrupt
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
metadata
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
borland
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
numbers--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
relationship
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (use_threat) >>
hermeticwiper
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
answering
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
2000kb
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
informational
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
qaz123
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
render
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
characters
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
trojan
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unclass
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
rdata
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
address
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s13
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
scanned
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
path
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unfavorable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ipc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cyren
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
w32
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
printer
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
a1d01b0a
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
jwics
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_03
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
logical
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
heal
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unsolicited
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s10
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
md5_1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dropped_by
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
killmbr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ojc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
md5_3
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
exec_x32
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
files--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
downloadable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha256_2
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
qwerty123
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
path
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
reachable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha256_3
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
timely
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
accordance
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
6
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
5a300f72e2
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
usernames--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
17-05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
warranties
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
backdoortrojanworm
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
alphanumerical
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
hex
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
wipe
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
emsisoft
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
situational
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
--end
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
command-line--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
erasing
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
up-to-date
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
0058f30e1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
twister
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
pjgwz
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
-s
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
38d94ab0
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ssdeep
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sipr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
hermeticwizard-9941571-0
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
md5_2
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dll
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
anonymous
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
20220418_1900
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
--begin
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha1 sha256
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
homepage
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
last_modified
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
corrupting
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dhs
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cryptors
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
2d29f9ca1d
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
backdoortrojanwiperworm
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
07-05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unless
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
nhp
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ikarus
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (use_threat) >>
isaacwiper
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
800-83
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
00028d131
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
romance
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (has_category) >>
phishing
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
Hash: 6ca6e4584fdfe512c2567bc3df334540
File: apexcfc.backdoor.gen
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
acls
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sejyu
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
malware
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
endorse
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
mersenne
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s14
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
a259e9b0ac
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cds
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
clamav
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
overwriting
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
9faba348
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
30-04
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
operable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
minimal
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_01
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
passwords--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
20220413_1300
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unwanted
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
foreseeable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
juikt
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
mifr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s11
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
reloc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha256_1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
exercise
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
20220414_1037
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
1-888-282-0870
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
malicious
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
data--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
housecall
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
nanoav
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
badcert-gen
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
antiy
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
relationships
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
habits
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
avira worm
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
white--disclosure
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
herein
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
physicaldrive0
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
authenticate
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
console
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dynamic-link
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
15-05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
faq
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s12
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
virusblokada zillya
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
wevtutil
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
posture
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s15
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
xhxw-4345
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
siprnet
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
deny
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
tachyon
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
nist
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
entropy
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
generickd
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
mar analysis
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
-n
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
desk
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
isacc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (use_threat) >>
hermeticwizard
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
strives
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_02
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
scan
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
contained_within
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
edited
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
rsrc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
lavasoft
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
reviewed
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
corrupt
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
metadata
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
borland
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
numbers--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
relationship
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (use_threat) >>
hermeticwiper
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
answering
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
2000kb
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
informational
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
qaz123
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
render
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
characters
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
trojan
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unclass
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
rdata
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
address
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
scanned
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s13
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
path
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unfavorable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ipc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cyren
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
w32
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
printer
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
a1d01b0a
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
jwics
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_03
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
logical
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
heal
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unsolicited
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s10
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
md5_1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dropped_by
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
killmbr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ojc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
md5_3
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
exec_x32
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
files--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
downloadable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha256_2
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
qwerty123
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
path
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
reachable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha256_3
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
timely
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
accordance
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
6
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
5a300f72e2
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
usernames--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
17-05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
warranties
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
backdoortrojanworm
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
alphanumerical
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
hex
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
wipe
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
emsisoft
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
situational
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
--end
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
erasing
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
command-line--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
up-to-date
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
0058f30e1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
twister
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
pjgwz
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
-s
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
38d94ab0
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ssdeep
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sipr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
hermeticwizard-9941571-0
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
md5_2
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dll
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
20220418_1900
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
--begin
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
anonymous
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha1 sha256
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
homepage
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
last_modified
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
corrupting
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dhs
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cryptors
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
2d29f9ca1d
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
backdoortrojanwiperworm
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
07-05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unless
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
nhp
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ikarus
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (use_threat) >>
isaacwiper
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
800-83
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
00028d131
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
romance
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (has_category) >>
phishing
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
Hash: 023be81d5f495e7428cde5d930ecf8ce
File: trojan.killdisk
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
corrupt
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ipc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
lavasoft
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
rsrc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
heal
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unclass
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
scanned
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
address
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
a1d01b0a
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
printer
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
informational
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
2000kb
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
reviewed
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unfavorable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
answering
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
malware
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (use_threat) >>
isaacwiper
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
characters
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s13
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
metadata
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
path
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
tachyon
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
edited
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
contained_within
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
xhxw-4345
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
relationship
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
-n
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
faq
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
15-05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s12
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_02
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
generickd
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
console
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
strives
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
deny
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
white--disclosure
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
isacc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s15
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
posture
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
avira worm
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
habits
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
authenticate
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
antiy
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
badcert-gen
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
malicious
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
desk
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
wevtutil
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
mar analysis
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
entropy
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
nist
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
physicaldrive0
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
1-888-282-0870
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s11
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
mifr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
virusblokada zillya
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
siprnet
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
exercise
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dynamic-link
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
relationships
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
herein
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
nanoav
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
housecall
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
juikt
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s14
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
passwords--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
data--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
operable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
30-04
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
romance
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
20220414_1037
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
clamav
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
mersenne
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
endorse
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_01
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha256_1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
reloc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
minimal
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
9faba348
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ikarus
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
foreseeable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
a259e9b0ac
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cds
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (use_threat) >>
hermeticwiper
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
20220413_1300
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unwanted
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sejyu
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dhs
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
homepage
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
overwriting
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
scan
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
nhp
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha1 sha256
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
2d29f9ca1d
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
20220418_1900
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
anonymous
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
acls
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
backdoortrojanwiperworm
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
md5_2
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
corrupting
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
last_modified
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
38d94ab0
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
00028d131
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
800-83
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
trojan
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (use_threat) >>
hermeticwizard
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cryptors
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
-s
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
pjgwz
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unless
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
07-05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
--begin
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
up-to-date
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
usernames--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
hermeticwizard-9941571-0
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
situational
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
0058f30e1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
twister
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
hex
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dll
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sipr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ssdeep
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
command-line--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
6
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
accordance
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha256_2
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
alphanumerical
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
backdoortrojanworm
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
qwerty123
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ojc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
erasing
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
--end
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
timely
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
emsisoft
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
wipe
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha256_3
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
warranties
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
17-05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unsolicited
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
5a300f72e2
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
killmbr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
downloadable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
md5_1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
logical
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
reachable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
path
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
w32
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (has_category) >>
phishing
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
files--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_03
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
render
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cyren
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
exec_x32
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
md5_3
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dropped_by
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
rdata
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
numbers--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
borland
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s10
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
jwics
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
qaz123
Hash: 5ed93c823af444567d6fac7c5b868db8
File: worm.hermetic
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
corrupting
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
last_modified
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dhs
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
20220414_1037
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
reloc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
1-888-282-0870
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
homepage
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
nhp
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
badcert-gen
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
antiy
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
malicious
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (use_threat) >>
isaacwiper
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
data--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
nanoav
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
avira worm
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
800-83
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
physicaldrive0
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
authenticate
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
white--disclosure
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
00028d131
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
siprnet
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s15
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
posture
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
xhxw-4345
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cds
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
a259e9b0ac
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
clamav
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
faq
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
tachyon
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
acls
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
nist
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
mersenne
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_01
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
deny
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
9faba348
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
isacc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
minimal
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
generickd
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
mar analysis
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unwanted
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (use_threat) >>
hermeticwizard
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s11
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
exercise
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
reviewed
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
housecall
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
borland
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
relationship
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
corrupt
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
habits
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
metadata
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
relationships
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (use_threat) >>
hermeticwiper
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
scanned
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
rdata
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dynamic-link
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
2000kb
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
informational
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
qaz123
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
herein
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s12
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unfavorable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
15-05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cyren
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
console
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
w32
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
virusblokada zillya
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
wevtutil
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
a1d01b0a
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
phishing
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unsolicited
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
entropy
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
malware
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
heal
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
-n
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
md5_1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
desk
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dropped_by
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_02
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
strives
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
edited
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
contained_within
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
downloadable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
lavasoft
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
rsrc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
answering
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
numbers--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
render
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
reachable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
20220418_1900
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
usernames--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
6
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
characters
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s13
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
path
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
wipe
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unclass
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
address
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
warranties
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
printer
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
alphanumerical
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
jwics
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_03
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ipc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
up-to-date
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
erasing
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
logical
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s10
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
twister
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
hermeticwizard-9941571-0
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
0058f30e1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dll
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
killmbr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
38d94ab0
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ojc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sipr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha1 sha256
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
exec_x32
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
md5_3
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cryptors
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
backdoortrojanwiperworm
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
2d29f9ca1d
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha256_2
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
qwerty123
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ikarus
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
files--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unless
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
path
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
07-05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha256_3
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
timely
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
accordance
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
romance
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
17-05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
backdoortrojanworm
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
hex
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
virusblokada
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
5a300f72e2
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sejyu
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
endorse
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
--end
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
command-line--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
emsisoft
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
overwriting
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
scan
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
situational
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
30-04
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s14
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (has_category) >>
trojan
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
passwords--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
20220413_1300
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
operable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
-s
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ssdeep
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
pjgwz
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
juikt
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
mifr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
--begin
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
foreseeable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
anonymous
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha256_1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
md5_2
Hash: d2ceb15c0042bf0981352c5e7af10677
File: regsvr32.exe
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unclass
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
address
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
-n
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
printer
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
nist
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
physicaldrive0
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
malware
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
numbers--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
characters
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s13
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
siprnet
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
isacc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
path
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
avira worm
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s10
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
jwics
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
authenticate
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
lavasoft
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
badcert-gen
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
rsrc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
antiy
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ipc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
malicious
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (use_threat) >>
hermeticwizard
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
xhxw-4345
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_03
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
faq
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
render
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
mar analysis
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
deny
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
white--disclosure
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s15
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
posture
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
metadata
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
tachyon
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
relationships
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (use_threat) >>
hermeticwiper
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
housecall
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
relationship
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
generickd
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sejyu
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
reviewed
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
virusblokada zillya
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
overwriting
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s11
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
habits
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dynamic-link
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
exercise
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
herein
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ikarus
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
desk
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
wevtutil
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
foreseeable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s12
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
15-05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
console
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
entropy
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
20220413_1300
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
scan
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
20220414_1037
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
30-04
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
romance
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
--begin
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
endorse
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
reloc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha256_1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
nanoav
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
juikt
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s14
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
800-83
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
passwords--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
operable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
-s
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dhs
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
data--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
pjgwz
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
1-888-282-0870
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
homepage
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
mifr
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
alphanumerical
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
nhp
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
acls
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
20220418_1900
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
anonymous
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (use_threat) >>
isaacwiper
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
md5_2
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
erasing
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_01
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
corrupting
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
last_modified
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
00028d131
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
wipe
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
9faba348
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
minimal
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
trojan
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
warranties
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
twister
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cds
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
0058f30e1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
a259e9b0ac
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unwanted
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dll
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
6
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sipr
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
clamav
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
hermeticwizard-9941571-0
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
mersenne
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
up-to-date
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
usernames--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
files--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha256_3
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
exec_x32
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
md5_3
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cryptors
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
killmbr
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
logical
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
backdoortrojanworm
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha1 sha256
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
07-05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
path
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unless
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
2d29f9ca1d
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
backdoortrojanwiperworm
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
--end
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
timely
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
qwerty123
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
38d94ab0
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ojc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
emsisoft
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
scanned
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
a1d01b0a
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
17-05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
informational
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
2000kb
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
5a300f72e2
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unfavorable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
accordance
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha256_2
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ssdeep
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
command-line--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
rdata
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
borland
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dropped_by
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
qaz123
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
corrupt
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (has_category) >>
phishing
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
w32
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
edited
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
contained_within
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
heal
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
situational
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_02
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
hex
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unsolicited
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
strives
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cyren
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
answering
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
md5_1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
downloadable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
reachable
Hash: 84a3f07cc1f758d0993531a1da9e3f6a
File: trojan.agent
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
generickd
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
relationship
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
files--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
housecall
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
up-to-date
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
mersenne
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
tachyon
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
clamav
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s15
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
posture
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sipr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
white--disclosure
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
6
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dll
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unwanted
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
0058f30e1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
twister
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
mar analysis
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
render
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
minimal
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
9faba348
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (use_threat) >>
hermeticwizard
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_01
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
erasing
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
malicious
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (use_threat) >>
isaacwiper
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ipc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
acls
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
antiy
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
lavasoft
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
rsrc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
badcert-gen
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
jwics
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
alphanumerical
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
nhp
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
homepage
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
1-888-282-0870
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
siprnet
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s13
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dhs
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
path
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
characters
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
physicaldrive0
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
800-83
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
juikt
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (use_threat) >>
hermeticwiper
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
-n
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
nanoav
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
30-04
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
downloadable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
20220414_1037
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
console
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cyren
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
strives
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
foreseeable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s12
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
hex
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
15-05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_02
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
desk
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
heal
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
habits
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
corrupt
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
overwriting
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
virusblokada zillya
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
borland
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
command-line--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha256_2
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
reviewed
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sejyu
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
malware
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unfavorable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
5a300f72e2
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
informational
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
17-05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
2000kb
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
scanned
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
trojan
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ojc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
38d94ab0
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
timely
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
relationships
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
metadata
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
path
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
07-05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unless
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
logical
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
deny
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cryptors
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
md5_3
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
exec_x32
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
faq
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_03
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
xhxw-4345
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
usernames--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
authenticate
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
hermeticwizard-9941571-0
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s10
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
avira worm
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
isacc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
numbers--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
nist
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
a259e9b0ac
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cds
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
printer
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
warranties
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unclass
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
wipe
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
address
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
00028d131
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
corrupting
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
last_modified
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
phishing
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
anonymous
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
20220418_1900
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
md5_2
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
reachable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (has_category) >>
scan
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
mifr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
md5_1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
pjgwz
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
answering
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
data--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
-s
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
operable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unsolicited
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
passwords--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s14
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
situational
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
edited
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
contained_within
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
reloc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
w32
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha256_1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
endorse
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
virusblokada
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
qaz123
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
--begin
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dropped_by
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
romance
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
rdata
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ssdeep
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
accordance
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
20220413_1300
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
entropy
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
a1d01b0a
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
wevtutil
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
emsisoft
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ikarus
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
qwerty123
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
--end
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
2d29f9ca1d
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
backdoortrojanwiperworm
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
herein
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha1 sha256
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
exercise
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
backdoortrojanworm
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dynamic-link
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s11
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
killmbr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha256_3
Hash: 0efd6cfc0613f20a06fa0746b2d5b8bc
File: trojan.gen.mbt
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
numbers--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
heal
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s10
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (use_threat) >>
hermeticwiper
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dropped_by
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
scanned
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
rdata
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ojc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
informational
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
2000kb
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
qaz123
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
characters
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
path
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unclass
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
address
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s13
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unfavorable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
printer
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
downloadable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
qwerty123
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
a1d01b0a
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
logical
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unsolicited
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
path
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha256_3
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
md5_1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
reachable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
killmbr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
usernames--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
hex
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
exec_x32
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
md5_3
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
command-line--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha256_2
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
situational
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
up-to-date
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
files--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ssdeep
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
0058f30e1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
timely
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
twister
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
accordance
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dll
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
38d94ab0
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sipr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
17-05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
backdoortrojanworm
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
6
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
anonymous
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
20220418_1900
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
md5_2
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
wipe
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
5a300f72e2
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
corrupting
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha1 sha256
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dhs
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
warranties
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
last_modified
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
alphanumerical
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cryptors
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
--end
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
2d29f9ca1d
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
homepage
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
backdoortrojanwiperworm
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
emsisoft
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
scan
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
nhp
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
erasing
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
phishing
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (use_threat) >>
isaacwiper
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
07-05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unless
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
-s
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
hermeticwizard-9941571-0
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
pjgwz
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
800-83
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
--begin
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
romance
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
endorse
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cds
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
a259e9b0ac
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
clamav
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
mersenne
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
30-04
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ikarus
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_01
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
20220413_1300
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
minimal
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
9faba348
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
mifr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unwanted
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
foreseeable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s11
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
00028d131
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sejyu
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
exercise
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
1-888-282-0870
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
acls
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
overwriting
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
housecall
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s14
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
trojan
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
passwords--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
data--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
nanoav
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
operable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (has_category) >>
malware
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
relationships
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
juikt
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
white--disclosure
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s12
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
reloc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha256_1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
15-05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
posture
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
console
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s15
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
xhxw-4345
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
20220414_1037
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
faq
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
wevtutil
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
badcert-gen
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
antiy
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
deny
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
malicious
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
habits
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
entropy
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
isacc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
mar analysis
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
avira worm
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
desk
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
physicaldrive0
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
authenticate
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dynamic-link
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
herein
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
siprnet
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
reviewed
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
tachyon
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
virusblokada zillya
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
nist
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
relationship
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
metadata
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
answering
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
generickd
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
-n
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
render
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_02
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (use_threat) >>
hermeticwizard
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
strives
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
contained_within
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
edited
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cyren
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
w32
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
jwics
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_03
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ipc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
rsrc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
lavasoft
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
borland
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
corrupt
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
Hash: 90d5fe0b84e27aef0c20e1f645feb2b0
File: bscope.trojan.agent
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
nist
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
virusblokada zillya
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
faq
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
timely
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
xhxw-4345
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
console
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
path
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s12
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
15-05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
authenticate
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha256_2
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
avira worm
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
downloadable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
relationships
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
md5_3
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
exec_x32
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
nanoav
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
habits
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ojc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
1-888-282-0870
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
20220414_1037
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
heal
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
logical
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
foreseeable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ipc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unwanted
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
juikt
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
jwics
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cyren
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
9faba348
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unfavorable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
characters
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
path
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
minimal
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s13
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_01
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
informational
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
2000kb
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
30-04
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
mersenne
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
scanned
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
trojan
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
overwriting
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
acls
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
render
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
clamav
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
malware
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sejyu
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
corrupt
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
relationship
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
borland
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
lavasoft
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
rsrc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
800-83
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
strives
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
nhp
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_02
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
homepage
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
2d29f9ca1d
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
backdoortrojanwiperworm
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
-n
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
mar analysis
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dhs
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha1 sha256
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
generickd
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
entropy
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sipr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
wevtutil
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dll
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
tachyon
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
twister
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ssdeep
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
0058f30e1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
posture
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s15
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
siprnet
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
herein
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
white--disclosure
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dynamic-link
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
erasing
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
up-to-date
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (use_threat) >>
hermeticwiper
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
physicaldrive0
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
situational
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
emsisoft
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
alphanumerical
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
--end
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
data--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
virusblokada
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
malicious
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
6
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
backdoortrojanworm
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
antiy
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
badcert-gen
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
housecall
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
reachable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
accordance
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
exercise
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha256_3
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
reloc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha256_1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s11
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (use_threat) >>
hermeticwizard
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
files--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
qwerty123
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
mifr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
operable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
20220413_1300
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
passwords--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (use_threat) >>
isaacwiper
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s14
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
killmbr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dropped_by
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
md5_1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cds
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
a259e9b0ac
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s10
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
endorse
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
00028d131
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unsolicited
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
phishing
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
a1d01b0a
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
romance
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_03
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
printer
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
w32
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unclass
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
address
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unless
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
07-05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
qaz123
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ikarus
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
rdata
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cryptors
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
numbers--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
last_modified
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
corrupting
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
answering
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
metadata
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
md5_2
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
anonymous
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
20220418_1900
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
38d94ab0
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
--begin
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
reviewed
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
pjgwz
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
hermeticwizard-9941571-0
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
-s
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
contained_within
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
edited
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (has_category) >>
scan
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
desk
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
command-line--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
warranties
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
isacc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
wipe
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
5a300f72e2
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
hex
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
deny
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
17-05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
usernames--
Hash: 6e7013478def0b223ed6acb0a52fad70
File: log.txt
References:
Titles (1)
- Malware Analysis Report (AR22-115B)
Sentences (0)
Links:
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
juikt
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
-s
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s14
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
pjgwz
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
passwords--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
data--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
--begin
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
30-04
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
operable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
romance
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
20220414_1037
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
situational
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
endorse
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
hex
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha256_1
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
reloc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ikarus
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
foreseeable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ssdeep
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
command-line--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
accordance
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha256_2
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
20220413_1300
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sejyu
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
backdoortrojanworm
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
overwriting
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
qwerty123
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha1 sha256
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ojc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
--end
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
timely
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
2d29f9ca1d
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
backdoortrojanwiperworm
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
emsisoft
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha256_3
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
38d94ab0
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
malware
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
17-05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
5a300f72e2
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
killmbr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
trojan
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cryptors
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
logical
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
path
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unless
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
07-05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
up-to-date
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
usernames--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
files--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
hermeticwizard-9941571-0
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_03
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
render
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
exec_x32
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
md5_3
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
twister
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
0058f30e1
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dll
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
numbers--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sipr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s10
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
jwics
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
6
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ipc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
rsrc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
lavasoft
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
alphanumerical
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unclass
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
address
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
erasing
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
printer
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
wipe
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
answering
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
warranties
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unsolicited
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
path
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s13
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
characters
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
downloadable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
md5_1
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
reachable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
edited
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
contained_within
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
w32
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
-n
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s12
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
15-05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_02
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
console
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
strives
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cyren
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
habits
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dropped_by
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
rdata
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
borland
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
qaz123
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
corrupt
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
desk
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
wevtutil
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
heal
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
entropy
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
scanned
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
a1d01b0a
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
informational
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
2000kb
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
reviewed
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s11
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
virusblokada zillya
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unfavorable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
exercise
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dynamic-link
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
relationships
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (use_threat) >>
isaacwiper
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
herein
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
metadata
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
housecall
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
tachyon
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
xhxw-4345
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
relationship
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
phishing
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
faq
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
generickd
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
deny
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
clamav
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
white--disclosure
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
isacc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
mersenne
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
posture
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s15
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_01
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
avira worm
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
9faba348
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
minimal
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
authenticate
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
badcert-gen
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
antiy
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cds
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
a259e9b0ac
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
malicious
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (use_threat) >>
hermeticwiper
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unwanted
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dhs
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
mar analysis
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
homepage
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
nist
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (has_category) >>
scan
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
physicaldrive0
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
nhp
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
1-888-282-0870
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
md5_2
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
20220418_1900
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
acls
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
siprnet
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
anonymous
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
mifr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
last_modified
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
corrupting
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
00028d131
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
800-83
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
nanoav
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (use_threat) >>
hermeticwizard
UNKNOWNWORDS (1)
UnknownWord (198)
sha1 sha256
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha1 sha256
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
sha1 sha256
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha1 sha256
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
sha1 sha256
-
decfc792ded248587084a6329217380e
>> (related) >>
sha1 sha256
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha1 sha256
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
sha1 sha256
-
01185a4f21be653f13b885a655da2239
>> (related) >>
sha1 sha256
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
sha1 sha256
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha1 sha256
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
sha1 sha256
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
sha1 sha256
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha1 sha256
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha1 sha256
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha1 sha256
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha1 sha256
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha1 sha256
-
9475a59226943a3ad422e18169989f66
>> (related) >>
sha1 sha256
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
sha1 sha256
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha1 sha256
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
sha1 sha256
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
sha1 sha256
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha1 sha256
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
sha1 sha256
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha1 sha256
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha1 sha256
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
sha1 sha256
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha1 sha256
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
sha1 sha256
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha1 sha256
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
sha1 sha256
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
sha1 sha256
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha1 sha256
virusblokada zillya
References:
Titles (0)
Sentences (0)
Links:
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
virusblokada zillya
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
virusblokada zillya
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
virusblokada zillya
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
virusblokada zillya
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
virusblokada zillya
-
01185a4f21be653f13b885a655da2239
>> (related) >>
virusblokada zillya
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
virusblokada zillya
-
9475a59226943a3ad422e18169989f66
>> (related) >>
virusblokada zillya
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
virusblokada zillya
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
virusblokada zillya
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
virusblokada zillya
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
virusblokada zillya
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
virusblokada zillya
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
virusblokada zillya
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
virusblokada zillya
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
virusblokada zillya
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
virusblokada zillya
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
virusblokada zillya
-
decfc792ded248587084a6329217380e
>> (related) >>
virusblokada zillya
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
virusblokada zillya
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
virusblokada zillya
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
virusblokada zillya
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
virusblokada zillya
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
virusblokada zillya
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
virusblokada zillya
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
virusblokada zillya
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
virusblokada zillya
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
virusblokada zillya
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
virusblokada zillya
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
virusblokada zillya
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
virusblokada zillya
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
virusblokada zillya
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
virusblokada zillya
metadata
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
metadata
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
metadata
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
metadata
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
metadata
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
metadata
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
metadata
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
metadata
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
metadata
-
9475a59226943a3ad422e18169989f66
>> (related) >>
metadata
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
metadata
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
metadata
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
metadata
-
decfc792ded248587084a6329217380e
>> (related) >>
metadata
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
metadata
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
metadata
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
metadata
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
metadata
-
01185a4f21be653f13b885a655da2239
>> (related) >>
metadata
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
metadata
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
metadata
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
metadata
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
metadata
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
metadata
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
metadata
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
metadata
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
metadata
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
metadata
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
metadata
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
metadata
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
metadata
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
metadata
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
metadata
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
metadata
ipc
References:
Titles (0)
Sentences (0)
Links:
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
ipc
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
ipc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ipc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ipc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ipc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ipc
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
ipc
-
01185a4f21be653f13b885a655da2239
>> (related) >>
ipc
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
ipc
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
ipc
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
ipc
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
ipc
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
ipc
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
ipc
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
ipc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ipc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ipc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ipc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ipc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ipc
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
ipc
-
9475a59226943a3ad422e18169989f66
>> (related) >>
ipc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ipc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ipc
-
decfc792ded248587084a6329217380e
>> (related) >>
ipc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ipc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ipc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ipc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ipc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ipc
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
ipc
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
ipc
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
ipc
avira worm
References:
Titles (0)
Sentences (0)
Links:
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
avira worm
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
avira worm
-
01185a4f21be653f13b885a655da2239
>> (related) >>
avira worm
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
avira worm
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
avira worm
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
avira worm
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
avira worm
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
avira worm
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
avira worm
-
9475a59226943a3ad422e18169989f66
>> (related) >>
avira worm
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
avira worm
-
decfc792ded248587084a6329217380e
>> (related) >>
avira worm
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
avira worm
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
avira worm
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
avira worm
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
avira worm
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
avira worm
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
avira worm
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
avira worm
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
avira worm
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
avira worm
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
avira worm
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
avira worm
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
avira worm
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
avira worm
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
avira worm
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
avira worm
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
avira worm
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
avira worm
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
avira worm
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
avira worm
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
avira worm
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
avira worm
mar analysis
References:
Titles (0)
Sentences (0)
Links:
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
mar analysis
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
mar analysis
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
mar analysis
-
01185a4f21be653f13b885a655da2239
>> (related) >>
mar analysis
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
mar analysis
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
mar analysis
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
mar analysis
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
mar analysis
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
mar analysis
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
mar analysis
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
mar analysis
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
mar analysis
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
mar analysis
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
mar analysis
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
mar analysis
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
mar analysis
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
mar analysis
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
mar analysis
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
mar analysis
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
mar analysis
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
mar analysis
-
decfc792ded248587084a6329217380e
>> (related) >>
mar analysis
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
mar analysis
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
mar analysis
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
mar analysis
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
mar analysis
-
9475a59226943a3ad422e18169989f66
>> (related) >>
mar analysis
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
mar analysis
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
mar analysis
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
mar analysis
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
mar analysis
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
mar analysis
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
mar analysis
informational
References:
Titles (0)
Sentences (0)
Links:
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
informational
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
informational
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
informational
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
informational
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
informational
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
informational
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
informational
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
informational
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
informational
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
informational
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
informational
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
informational
-
01185a4f21be653f13b885a655da2239
>> (related) >>
informational
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
informational
-
decfc792ded248587084a6329217380e
>> (related) >>
informational
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
informational
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
informational
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
informational
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
informational
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
informational
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
informational
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
informational
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
informational
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
informational
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
informational
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
informational
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
informational
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
informational
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
informational
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
informational
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
informational
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
informational
-
9475a59226943a3ad422e18169989f66
>> (related) >>
informational
dhs
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dhs
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
dhs
-
decfc792ded248587084a6329217380e
>> (related) >>
dhs
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dhs
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
dhs
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dhs
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
dhs
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
dhs
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
dhs
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
dhs
-
01185a4f21be653f13b885a655da2239
>> (related) >>
dhs
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dhs
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dhs
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
dhs
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
dhs
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dhs
-
9475a59226943a3ad422e18169989f66
>> (related) >>
dhs
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dhs
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
dhs
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dhs
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dhs
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dhs
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dhs
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
dhs
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
dhs
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dhs
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
dhs
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dhs
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
dhs
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dhs
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dhs
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dhs
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
dhs
warranties
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
warranties
-
9475a59226943a3ad422e18169989f66
>> (related) >>
warranties
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
warranties
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
warranties
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
warranties
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
warranties
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
warranties
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
warranties
-
01185a4f21be653f13b885a655da2239
>> (related) >>
warranties
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
warranties
-
decfc792ded248587084a6329217380e
>> (related) >>
warranties
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
warranties
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
warranties
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
warranties
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
warranties
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
warranties
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
warranties
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
warranties
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
warranties
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
warranties
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
warranties
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
warranties
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
warranties
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
warranties
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
warranties
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
warranties
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
warranties
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
warranties
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
warranties
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
warranties
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
warranties
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
warranties
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
warranties
herein
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
herein
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
herein
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
herein
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
herein
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
herein
-
01185a4f21be653f13b885a655da2239
>> (related) >>
herein
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
herein
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
herein
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
herein
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
herein
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
herein
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
herein
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
herein
-
decfc792ded248587084a6329217380e
>> (related) >>
herein
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
herein
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
herein
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
herein
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
herein
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
herein
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
herein
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
herein
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
herein
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
herein
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
herein
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
herein
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
herein
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
herein
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
herein
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
herein
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
herein
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
herein
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
herein
-
9475a59226943a3ad422e18169989f66
>> (related) >>
herein
endorse
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
endorse
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
endorse
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
endorse
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
endorse
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
endorse
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
endorse
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
endorse
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
endorse
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
endorse
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
endorse
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
endorse
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
endorse
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
endorse
-
decfc792ded248587084a6329217380e
>> (related) >>
endorse
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
endorse
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
endorse
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
endorse
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
endorse
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
endorse
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
endorse
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
endorse
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
endorse
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
endorse
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
endorse
-
01185a4f21be653f13b885a655da2239
>> (related) >>
endorse
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
endorse
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
endorse
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
endorse
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
endorse
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
endorse
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
endorse
-
9475a59226943a3ad422e18169989f66
>> (related) >>
endorse
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
endorse
white--disclosure
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
white--disclosure
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
white--disclosure
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
white--disclosure
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
white--disclosure
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
white--disclosure
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
white--disclosure
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
white--disclosure
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
white--disclosure
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
white--disclosure
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
white--disclosure
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
white--disclosure
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
white--disclosure
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
white--disclosure
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
white--disclosure
-
decfc792ded248587084a6329217380e
>> (related) >>
white--disclosure
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
white--disclosure
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
white--disclosure
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
white--disclosure
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
white--disclosure
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
white--disclosure
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
white--disclosure
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
white--disclosure
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
white--disclosure
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
white--disclosure
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
white--disclosure
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
white--disclosure
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
white--disclosure
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
white--disclosure
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
white--disclosure
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
white--disclosure
-
9475a59226943a3ad422e18169989f66
>> (related) >>
white--disclosure
-
01185a4f21be653f13b885a655da2239
>> (related) >>
white--disclosure
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
white--disclosure
minimal
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
minimal
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
minimal
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
minimal
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
minimal
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
minimal
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
minimal
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
minimal
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
minimal
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
minimal
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
minimal
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
minimal
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
minimal
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
minimal
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
minimal
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
minimal
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
minimal
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
minimal
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
minimal
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
minimal
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
minimal
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
minimal
-
9475a59226943a3ad422e18169989f66
>> (related) >>
minimal
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
minimal
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
minimal
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
minimal
-
decfc792ded248587084a6329217380e
>> (related) >>
minimal
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
minimal
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
minimal
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
minimal
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
minimal
-
01185a4f21be653f13b885a655da2239
>> (related) >>
minimal
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
minimal
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
minimal
foreseeable
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
foreseeable
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
foreseeable
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
foreseeable
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
foreseeable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
foreseeable
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
foreseeable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
foreseeable
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
foreseeable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
foreseeable
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
foreseeable
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
foreseeable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
foreseeable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
foreseeable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
foreseeable
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
foreseeable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
foreseeable
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
foreseeable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
foreseeable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
foreseeable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
foreseeable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
foreseeable
-
decfc792ded248587084a6329217380e
>> (related) >>
foreseeable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
foreseeable
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
foreseeable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
foreseeable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
foreseeable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
foreseeable
-
01185a4f21be653f13b885a655da2239
>> (related) >>
foreseeable
-
9475a59226943a3ad422e18169989f66
>> (related) >>
foreseeable
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
foreseeable
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
foreseeable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
foreseeable
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
foreseeable
accordance
References:
Titles (0)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
accordance
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
accordance
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
accordance
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
accordance
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
accordance
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
accordance
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
accordance
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
accordance
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
accordance
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
accordance
-
decfc792ded248587084a6329217380e
>> (related) >>
accordance
-
9475a59226943a3ad422e18169989f66
>> (related) >>
accordance
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
accordance
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
accordance
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
accordance
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
accordance
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
accordance
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
accordance
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
accordance
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
accordance
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
accordance
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
accordance
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
accordance
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
accordance
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
accordance
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
accordance
-
01185a4f21be653f13b885a655da2239
>> (related) >>
accordance
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
accordance
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
accordance
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
accordance
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
accordance
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
accordance
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
accordance
dynamic-link
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dynamic-link
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dynamic-link
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dynamic-link
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dynamic-link
-
01185a4f21be653f13b885a655da2239
>> (related) >>
dynamic-link
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
dynamic-link
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
dynamic-link
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
dynamic-link
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
dynamic-link
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dynamic-link
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
dynamic-link
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
dynamic-link
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dynamic-link
-
decfc792ded248587084a6329217380e
>> (related) >>
dynamic-link
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dynamic-link
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
dynamic-link
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dynamic-link
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
dynamic-link
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dynamic-link
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dynamic-link
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dynamic-link
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
dynamic-link
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dynamic-link
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
dynamic-link
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
dynamic-link
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dynamic-link
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
dynamic-link
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
dynamic-link
-
9475a59226943a3ad422e18169989f66
>> (related) >>
dynamic-link
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dynamic-link
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dynamic-link
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
dynamic-link
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dynamic-link
render
References:
Titles (0)
Sentences (0)
Links:
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
render
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
render
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
render
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
render
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
render
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
render
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
render
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
render
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
render
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
render
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
render
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
render
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
render
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
render
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
render
-
decfc792ded248587084a6329217380e
>> (related) >>
render
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
render
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
render
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
render
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
render
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
render
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
render
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
render
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
render
-
9475a59226943a3ad422e18169989f66
>> (related) >>
render
-
01185a4f21be653f13b885a655da2239
>> (related) >>
render
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
render
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
render
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
render
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
render
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
render
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
render
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
render
operable
References:
Titles (0)
Sentences (0)
Links:
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
operable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
operable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
operable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
operable
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
operable
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
operable
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
operable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
operable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
operable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
operable
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
operable
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
operable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
operable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
operable
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
operable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
operable
-
01185a4f21be653f13b885a655da2239
>> (related) >>
operable
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
operable
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
operable
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
operable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
operable
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
operable
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
operable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
operable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
operable
-
decfc792ded248587084a6329217380e
>> (related) >>
operable
-
9475a59226943a3ad422e18169989f66
>> (related) >>
operable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
operable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
operable
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
operable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
operable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
operable
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
operable
downloadable
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
downloadable
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
downloadable
-
9475a59226943a3ad422e18169989f66
>> (related) >>
downloadable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
downloadable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
downloadable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
downloadable
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
downloadable
-
decfc792ded248587084a6329217380e
>> (related) >>
downloadable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
downloadable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
downloadable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
downloadable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
downloadable
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
downloadable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
downloadable
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
downloadable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
downloadable
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
downloadable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
downloadable
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
downloadable
-
01185a4f21be653f13b885a655da2239
>> (related) >>
downloadable
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
downloadable
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
downloadable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
downloadable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
downloadable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
downloadable
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
downloadable
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
downloadable
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
downloadable
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
downloadable
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
downloadable
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
downloadable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
downloadable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
downloadable
backdoortrojanwiperworm
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
backdoortrojanwiperworm
-
decfc792ded248587084a6329217380e
>> (related) >>
backdoortrojanwiperworm
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
backdoortrojanwiperworm
-
01185a4f21be653f13b885a655da2239
>> (related) >>
backdoortrojanwiperworm
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
backdoortrojanwiperworm
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
backdoortrojanwiperworm
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
backdoortrojanwiperworm
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
backdoortrojanwiperworm
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
backdoortrojanwiperworm
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
backdoortrojanwiperworm
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
backdoortrojanwiperworm
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
backdoortrojanwiperworm
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
backdoortrojanwiperworm
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
backdoortrojanwiperworm
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
backdoortrojanwiperworm
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
backdoortrojanwiperworm
-
9475a59226943a3ad422e18169989f66
>> (related) >>
backdoortrojanwiperworm
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
backdoortrojanwiperworm
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
backdoortrojanwiperworm
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
backdoortrojanwiperworm
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
backdoortrojanwiperworm
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
backdoortrojanwiperworm
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
backdoortrojanwiperworm
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
backdoortrojanwiperworm
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
backdoortrojanwiperworm
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
backdoortrojanwiperworm
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
backdoortrojanwiperworm
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
backdoortrojanwiperworm
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
backdoortrojanwiperworm
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
backdoortrojanwiperworm
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
backdoortrojanwiperworm
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
backdoortrojanwiperworm
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
backdoortrojanwiperworm
console
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
console
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
console
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
console
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
console
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
console
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
console
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
console
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
console
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
console
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
console
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
console
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
console
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
console
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
console
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
console
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
console
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
console
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
console
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
console
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
console
-
decfc792ded248587084a6329217380e
>> (related) >>
console
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
console
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
console
-
01185a4f21be653f13b885a655da2239
>> (related) >>
console
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
console
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
console
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
console
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
console
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
console
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
console
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
console
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
console
-
9475a59226943a3ad422e18169989f66
>> (related) >>
console
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
9475a59226943a3ad422e18169989f66
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
01185a4f21be653f13b885a655da2239
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
decfc792ded248587084a6329217380e
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
b08ce87165b82db5a35353f9e42665fa9e736603b8e131e46501c0bbf4c830abbaba7bdbb5513af6201f19ba6741aa86b7cf736a8d92fef2c43a90383bf9ba68
ssdeep
References:
Titles (0)
Sentences (0)
Links:
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
ssdeep
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ssdeep
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
ssdeep
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
ssdeep
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
ssdeep
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
ssdeep
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ssdeep
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
ssdeep
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
ssdeep
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
ssdeep
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
ssdeep
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ssdeep
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ssdeep
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ssdeep
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ssdeep
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ssdeep
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
ssdeep
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ssdeep
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
ssdeep
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
ssdeep
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ssdeep
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ssdeep
-
decfc792ded248587084a6329217380e
>> (related) >>
ssdeep
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ssdeep
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ssdeep
-
01185a4f21be653f13b885a655da2239
>> (related) >>
ssdeep
-
9475a59226943a3ad422e18169989f66
>> (related) >>
ssdeep
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ssdeep
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ssdeep
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ssdeep
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
ssdeep
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
ssdeep
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ssdeep
zb0wz3twfumdh34yslwexeus0doib9lco1bj
References:
Titles (0)
Sentences (0)
Links:
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
9475a59226943a3ad422e18169989f66
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
decfc792ded248587084a6329217380e
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
-
01185a4f21be653f13b885a655da2239
>> (related) >>
zb0wz3twfumdh34yslwexeus0doib9lco1bj
fktn7eenm2ek7mnousgpay8odcv
References:
Titles (0)
Sentences (0)
Links:
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
decfc792ded248587084a6329217380e
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
9475a59226943a3ad422e18169989f66
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
01185a4f21be653f13b885a655da2239
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
fktn7eenm2ek7mnousgpay8odcv
ldrtsumdh34dlwqeus0uizlr1nxktn7f
References:
Titles (0)
Sentences (0)
Links:
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
01185a4f21be653f13b885a655da2239
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
9475a59226943a3ad422e18169989f66
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
decfc792ded248587084a6329217380e
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
ldrtsumdh34dlwqeus0uizlr1nxktn7f
entropy
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
entropy
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
entropy
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
entropy
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
entropy
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
entropy
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
entropy
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
entropy
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
entropy
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
entropy
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
entropy
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
entropy
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
entropy
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
entropy
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
entropy
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
entropy
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
entropy
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
entropy
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
entropy
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
entropy
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
entropy
-
decfc792ded248587084a6329217380e
>> (related) >>
entropy
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
entropy
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
entropy
-
9475a59226943a3ad422e18169989f66
>> (related) >>
entropy
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
entropy
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
entropy
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
entropy
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
entropy
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
entropy
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
entropy
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
entropy
-
01185a4f21be653f13b885a655da2239
>> (related) >>
entropy
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
entropy
pjgwz
References:
Titles (0)
Sentences (0)
Links:
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
pjgwz
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
pjgwz
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
pjgwz
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
pjgwz
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
pjgwz
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
pjgwz
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
pjgwz
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
pjgwz
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
pjgwz
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
pjgwz
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
pjgwz
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
pjgwz
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
pjgwz
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
pjgwz
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
pjgwz
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
pjgwz
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
pjgwz
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
pjgwz
-
01185a4f21be653f13b885a655da2239
>> (related) >>
pjgwz
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
pjgwz
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
pjgwz
-
decfc792ded248587084a6329217380e
>> (related) >>
pjgwz
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
pjgwz
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
pjgwz
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
pjgwz
-
9475a59226943a3ad422e18169989f66
>> (related) >>
pjgwz
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
pjgwz
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
pjgwz
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
pjgwz
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
pjgwz
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
pjgwz
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
pjgwz
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
pjgwz
generickd
References:
Titles (0)
Sentences (0)
Links:
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
generickd
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
generickd
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
generickd
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
generickd
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
generickd
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
generickd
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
generickd
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
generickd
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
generickd
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
generickd
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
generickd
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
generickd
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
generickd
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
generickd
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
generickd
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
generickd
-
01185a4f21be653f13b885a655da2239
>> (related) >>
generickd
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
generickd
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
generickd
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
generickd
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
generickd
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
generickd
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
generickd
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
generickd
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
generickd
-
decfc792ded248587084a6329217380e
>> (related) >>
generickd
-
9475a59226943a3ad422e18169989f66
>> (related) >>
generickd
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
generickd
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
generickd
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
generickd
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
generickd
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
generickd
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
generickd
cyren
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cyren
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cyren
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cyren
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cyren
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
cyren
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cyren
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
cyren
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
cyren
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cyren
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cyren
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
cyren
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cyren
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cyren
-
decfc792ded248587084a6329217380e
>> (related) >>
cyren
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
cyren
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
cyren
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cyren
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
cyren
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cyren
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
cyren
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
cyren
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
cyren
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cyren
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
cyren
-
01185a4f21be653f13b885a655da2239
>> (related) >>
cyren
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cyren
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cyren
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cyren
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
cyren
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
cyren
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
cyren
-
9475a59226943a3ad422e18169989f66
>> (related) >>
cyren
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cyren
w32
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
w32
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
w32
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
w32
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
w32
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
w32
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
w32
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
w32
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
w32
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
w32
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
w32
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
w32
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
w32
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
w32
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
w32
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
w32
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
w32
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
w32
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
w32
-
decfc792ded248587084a6329217380e
>> (related) >>
w32
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
w32
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
w32
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
w32
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
w32
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
w32
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
w32
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
w32
-
01185a4f21be653f13b885a655da2239
>> (related) >>
w32
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
w32
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
w32
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
w32
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
w32
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
w32
-
9475a59226943a3ad422e18169989f66
>> (related) >>
w32
xhxw-4345
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
xhxw-4345
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
xhxw-4345
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
xhxw-4345
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
xhxw-4345
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
xhxw-4345
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
xhxw-4345
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
xhxw-4345
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
xhxw-4345
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
xhxw-4345
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
xhxw-4345
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
xhxw-4345
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
xhxw-4345
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
xhxw-4345
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
xhxw-4345
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
xhxw-4345
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
xhxw-4345
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
xhxw-4345
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
xhxw-4345
-
decfc792ded248587084a6329217380e
>> (related) >>
xhxw-4345
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
xhxw-4345
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
xhxw-4345
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
xhxw-4345
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
xhxw-4345
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
xhxw-4345
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
xhxw-4345
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
xhxw-4345
-
01185a4f21be653f13b885a655da2239
>> (related) >>
xhxw-4345
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
xhxw-4345
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
xhxw-4345
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
xhxw-4345
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
xhxw-4345
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
xhxw-4345
-
9475a59226943a3ad422e18169989f66
>> (related) >>
xhxw-4345
ojc
References:
Titles (0)
Sentences (0)
Links:
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
ojc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ojc
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
ojc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ojc
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
ojc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ojc
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
ojc
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
ojc
-
9475a59226943a3ad422e18169989f66
>> (related) >>
ojc
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
ojc
-
01185a4f21be653f13b885a655da2239
>> (related) >>
ojc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ojc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ojc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ojc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ojc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ojc
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
ojc
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
ojc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ojc
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
ojc
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
ojc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ojc
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
ojc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ojc
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
ojc
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
ojc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ojc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ojc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ojc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ojc
-
decfc792ded248587084a6329217380e
>> (related) >>
ojc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ojc
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
ojc
emsisoft
References:
Titles (0)
Sentences (0)
Links:
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
emsisoft
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
emsisoft
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
emsisoft
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
emsisoft
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
emsisoft
-
01185a4f21be653f13b885a655da2239
>> (related) >>
emsisoft
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
emsisoft
-
9475a59226943a3ad422e18169989f66
>> (related) >>
emsisoft
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
emsisoft
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
emsisoft
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
emsisoft
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
emsisoft
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
emsisoft
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
emsisoft
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
emsisoft
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
emsisoft
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
emsisoft
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
emsisoft
-
decfc792ded248587084a6329217380e
>> (related) >>
emsisoft
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
emsisoft
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
emsisoft
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
emsisoft
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
emsisoft
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
emsisoft
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
emsisoft
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
emsisoft
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
emsisoft
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
emsisoft
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
emsisoft
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
emsisoft
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
emsisoft
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
emsisoft
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
emsisoft
ikarus
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
ikarus
-
9475a59226943a3ad422e18169989f66
>> (related) >>
ikarus
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
ikarus
-
01185a4f21be653f13b885a655da2239
>> (related) >>
ikarus
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
ikarus
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
ikarus
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
ikarus
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
ikarus
-
decfc792ded248587084a6329217380e
>> (related) >>
ikarus
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
ikarus
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
ikarus
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
ikarus
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
ikarus
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
ikarus
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
ikarus
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
ikarus
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
ikarus
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
ikarus
-
virus.wiper.isaac
>> (related) >>
ikarus
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
ikarus
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
ikarus
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
ikarus
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
ikarus
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
ikarus
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
ikarus
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
ikarus
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
ikarus
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
ikarus
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
ikarus
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
ikarus
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
ikarus
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
ikarus
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
ikarus
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
ikarus
0058f30e1
References:
Titles (0)
Sentences (0)
Links:
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
0058f30e1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
0058f30e1
-
01185a4f21be653f13b885a655da2239
>> (related) >>
0058f30e1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
0058f30e1
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
0058f30e1
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
0058f30e1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
0058f30e1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
0058f30e1
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
0058f30e1
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
0058f30e1
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
0058f30e1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
0058f30e1
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
0058f30e1
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
0058f30e1
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
0058f30e1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
0058f30e1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
0058f30e1
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
0058f30e1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
0058f30e1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
0058f30e1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
0058f30e1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
0058f30e1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
0058f30e1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
0058f30e1
-
9475a59226943a3ad422e18169989f66
>> (related) >>
0058f30e1
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
0058f30e1
-
decfc792ded248587084a6329217380e
>> (related) >>
0058f30e1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
0058f30e1
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
0058f30e1
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
0058f30e1
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
0058f30e1
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
0058f30e1
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
0058f30e1
lavasoft
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
lavasoft
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
lavasoft
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
lavasoft
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
lavasoft
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
lavasoft
-
9475a59226943a3ad422e18169989f66
>> (related) >>
lavasoft
-
01185a4f21be653f13b885a655da2239
>> (related) >>
lavasoft
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
lavasoft
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
lavasoft
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
lavasoft
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
lavasoft
-
decfc792ded248587084a6329217380e
>> (related) >>
lavasoft
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
lavasoft
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
lavasoft
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
lavasoft
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
lavasoft
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
lavasoft
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
lavasoft
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
lavasoft
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
lavasoft
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
lavasoft
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
lavasoft
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
lavasoft
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
lavasoft
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
lavasoft
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
lavasoft
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
lavasoft
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
lavasoft
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
lavasoft
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
lavasoft
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
lavasoft
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
lavasoft
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
lavasoft
heal
References:
Titles (0)
Sentences (0)
Links:
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
heal
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
heal
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
heal
-
01185a4f21be653f13b885a655da2239
>> (related) >>
heal
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
heal
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
heal
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
heal
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
heal
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
heal
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
heal
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
heal
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
heal
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
heal
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
heal
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
heal
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
heal
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
heal
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
heal
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
heal
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
heal
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
heal
-
decfc792ded248587084a6329217380e
>> (related) >>
heal
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
heal
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
heal
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
heal
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
heal
-
9475a59226943a3ad422e18169989f66
>> (related) >>
heal
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
heal
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
heal
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
heal
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
heal
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
heal
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
heal
badcert-gen
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
badcert-gen
-
9475a59226943a3ad422e18169989f66
>> (related) >>
badcert-gen
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
badcert-gen
-
01185a4f21be653f13b885a655da2239
>> (related) >>
badcert-gen
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
badcert-gen
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
badcert-gen
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
badcert-gen
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
badcert-gen
-
decfc792ded248587084a6329217380e
>> (related) >>
badcert-gen
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
badcert-gen
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
badcert-gen
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
badcert-gen
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
badcert-gen
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
badcert-gen
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
badcert-gen
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
badcert-gen
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
badcert-gen
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
badcert-gen
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
badcert-gen
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
badcert-gen
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
badcert-gen
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
badcert-gen
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
badcert-gen
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
badcert-gen
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
badcert-gen
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
badcert-gen
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
badcert-gen
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
badcert-gen
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
badcert-gen
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
badcert-gen
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
badcert-gen
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
badcert-gen
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
badcert-gen
a1d01b0a
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
a1d01b0a
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
a1d01b0a
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
a1d01b0a
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
a1d01b0a
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
a1d01b0a
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
a1d01b0a
-
01185a4f21be653f13b885a655da2239
>> (related) >>
a1d01b0a
-
9475a59226943a3ad422e18169989f66
>> (related) >>
a1d01b0a
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
a1d01b0a
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
a1d01b0a
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
a1d01b0a
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
a1d01b0a
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
a1d01b0a
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
a1d01b0a
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
a1d01b0a
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
a1d01b0a
-
decfc792ded248587084a6329217380e
>> (related) >>
a1d01b0a
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
a1d01b0a
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
a1d01b0a
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
a1d01b0a
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
a1d01b0a
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
a1d01b0a
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
a1d01b0a
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
a1d01b0a
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
a1d01b0a
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
a1d01b0a
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
a1d01b0a
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
a1d01b0a
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
a1d01b0a
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
a1d01b0a
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
a1d01b0a
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
a1d01b0a
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
a1d01b0a
housecall
References:
Titles (0)
Sentences (0)
Links:
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
housecall
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
housecall
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
housecall
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
housecall
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
housecall
-
9475a59226943a3ad422e18169989f66
>> (related) >>
housecall
-
decfc792ded248587084a6329217380e
>> (related) >>
housecall
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
housecall
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
housecall
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
housecall
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
housecall
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
housecall
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
housecall
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
housecall
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
housecall
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
housecall
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
housecall
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
housecall
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
housecall
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
housecall
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
housecall
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
housecall
-
01185a4f21be653f13b885a655da2239
>> (related) >>
housecall
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
housecall
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
housecall
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
housecall
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
housecall
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
housecall
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
housecall
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
housecall
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
housecall
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
housecall
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
housecall
cisa_10376640_02
References:
Titles (0)
Sentences (0)
Links:
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
cisa_10376640_02
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
cisa_10376640_02
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
cisa_10376640_02
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_02
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
cisa_10376640_02
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_02
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
cisa_10376640_02
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
cisa_10376640_02
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
cisa_10376640_02
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_02
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_02
-
9475a59226943a3ad422e18169989f66
>> (related) >>
cisa_10376640_02
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_02
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_02
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_02
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_02
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_02
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
cisa_10376640_02
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_02
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
cisa_10376640_02
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
cisa_10376640_02
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_02
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_02
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_02
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
cisa_10376640_02
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
cisa_10376640_02
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_02
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
cisa_10376640_02
-
01185a4f21be653f13b885a655da2239
>> (related) >>
cisa_10376640_02
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_02
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
cisa_10376640_02
-
decfc792ded248587084a6329217380e
>> (related) >>
cisa_10376640_02
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_02
last_modified
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
last_modified
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
last_modified
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
last_modified
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
last_modified
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
last_modified
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
last_modified
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
last_modified
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
last_modified
-
01185a4f21be653f13b885a655da2239
>> (related) >>
last_modified
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
last_modified
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
last_modified
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
last_modified
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
last_modified
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
last_modified
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
last_modified
-
9475a59226943a3ad422e18169989f66
>> (related) >>
last_modified
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
last_modified
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
last_modified
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
last_modified
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
last_modified
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
last_modified
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
last_modified
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
last_modified
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
last_modified
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
last_modified
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
last_modified
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
last_modified
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
last_modified
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
last_modified
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
last_modified
-
decfc792ded248587084a6329217380e
>> (related) >>
last_modified
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
last_modified
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
last_modified
20220413_1300
References:
Titles (0)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
20220413_1300
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
20220413_1300
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
20220413_1300
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
20220413_1300
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
20220413_1300
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
20220413_1300
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
20220413_1300
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
20220413_1300
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
20220413_1300
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
20220413_1300
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
20220413_1300
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
20220413_1300
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
20220413_1300
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
20220413_1300
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
20220413_1300
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
20220413_1300
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
20220413_1300
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
20220413_1300
-
decfc792ded248587084a6329217380e
>> (related) >>
20220413_1300
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
20220413_1300
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
20220413_1300
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
20220413_1300
-
9475a59226943a3ad422e18169989f66
>> (related) >>
20220413_1300
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
20220413_1300
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
20220413_1300
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
20220413_1300
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
20220413_1300
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
20220413_1300
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
20220413_1300
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
20220413_1300
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
20220413_1300
-
01185a4f21be653f13b885a655da2239
>> (related) >>
20220413_1300
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
20220413_1300
md5_1
References:
Titles (0)
Sentences (0)
Links:
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
md5_1
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
md5_1
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
md5_1
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
md5_1
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
md5_1
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
md5_1
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
md5_1
-
01185a4f21be653f13b885a655da2239
>> (related) >>
md5_1
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
md5_1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
md5_1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
md5_1
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
md5_1
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
md5_1
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
md5_1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
md5_1
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
md5_1
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
md5_1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
md5_1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
md5_1
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
md5_1
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
md5_1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
md5_1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
md5_1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
md5_1
-
decfc792ded248587084a6329217380e
>> (related) >>
md5_1
-
9475a59226943a3ad422e18169989f66
>> (related) >>
md5_1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
md5_1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
md5_1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
md5_1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
md5_1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
md5_1
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
md5_1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
md5_1
sha256_1
References:
Titles (0)
Sentences (0)
Links:
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
sha256_1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha256_1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha256_1
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha256_1
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
sha256_1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha256_1
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
sha256_1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha256_1
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
sha256_1
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
sha256_1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha256_1
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha256_1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha256_1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha256_1
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
sha256_1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha256_1
-
9475a59226943a3ad422e18169989f66
>> (related) >>
sha256_1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha256_1
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
sha256_1
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
sha256_1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha256_1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha256_1
-
01185a4f21be653f13b885a655da2239
>> (related) >>
sha256_1
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
sha256_1
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
sha256_1
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
sha256_1
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
sha256_1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha256_1
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
sha256_1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha256_1
-
decfc792ded248587084a6329217380e
>> (related) >>
sha256_1
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
sha256_1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha256_1
s10
References:
Titles (0)
Sentences (0)
Links:
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
s10
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s10
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
s10
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
s10
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
s10
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
s10
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s10
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
s10
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
s10
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
s10
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
s10
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s10
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s10
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s10
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s10
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s10
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
s10
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s10
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
s10
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
s10
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s10
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s10
-
decfc792ded248587084a6329217380e
>> (related) >>
s10
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s10
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s10
-
01185a4f21be653f13b885a655da2239
>> (related) >>
s10
-
9475a59226943a3ad422e18169989f66
>> (related) >>
s10
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s10
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s10
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s10
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
s10
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
s10
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s10
s11
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s11
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
s11
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
s11
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
s11
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
s11
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s11
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s11
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
s11
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s11
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
s11
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
s11
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s11
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s11
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s11
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s11
-
9475a59226943a3ad422e18169989f66
>> (related) >>
s11
-
01185a4f21be653f13b885a655da2239
>> (related) >>
s11
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s11
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s11
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
s11
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
s11
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
s11
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s11
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
s11
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
s11
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
s11
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
s11
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s11
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s11
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s11
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s11
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s11
-
decfc792ded248587084a6329217380e
>> (related) >>
s11
s12
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
s12
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s12
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s12
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s12
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
s12
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
s12
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s12
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s12
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
s12
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s12
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s12
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s12
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
s12
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s12
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
s12
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s12
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
s12
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s12
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
s12
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
s12
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s12
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
s12
-
decfc792ded248587084a6329217380e
>> (related) >>
s12
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s12
-
01185a4f21be653f13b885a655da2239
>> (related) >>
s12
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s12
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
s12
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
s12
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
s12
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s12
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
s12
-
9475a59226943a3ad422e18169989f66
>> (related) >>
s12
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s12
s13
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s13
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
s13
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
s13
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s13
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s13
-
01185a4f21be653f13b885a655da2239
>> (related) >>
s13
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
s13
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
s13
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
s13
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
s13
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s13
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
s13
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s13
-
decfc792ded248587084a6329217380e
>> (related) >>
s13
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
s13
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s13
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
s13
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s13
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s13
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s13
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
s13
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s13
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
s13
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s13
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
s13
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
s13
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s13
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s13
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s13
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s13
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
s13
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s13
-
9475a59226943a3ad422e18169989f66
>> (related) >>
s13
s14
References:
Titles (0)
Sentences (0)
Links:
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s14
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s14
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s14
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
s14
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s14
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s14
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
s14
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
s14
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
s14
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s14
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
s14
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s14
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
s14
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
s14
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
s14
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
s14
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
s14
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s14
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
s14
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s14
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s14
-
9475a59226943a3ad422e18169989f66
>> (related) >>
s14
-
01185a4f21be653f13b885a655da2239
>> (related) >>
s14
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
s14
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s14
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s14
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s14
-
decfc792ded248587084a6329217380e
>> (related) >>
s14
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s14
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s14
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
s14
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
s14
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s14
s15
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
s15
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
s15
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
s15
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
s15
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
s15
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
s15
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
s15
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
s15
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
s15
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
s15
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
s15
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
s15
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
s15
-
decfc792ded248587084a6329217380e
>> (related) >>
s15
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
s15
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
s15
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
s15
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
s15
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
s15
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
s15
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
s15
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
s15
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
s15
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
s15
-
01185a4f21be653f13b885a655da2239
>> (related) >>
s15
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
s15
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
s15
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
s15
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
s15
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
s15
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
s15
-
9475a59226943a3ad422e18169989f66
>> (related) >>
s15
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
s15
07-05
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
07-05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
07-05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
07-05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
07-05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
07-05
-
decfc792ded248587084a6329217380e
>> (related) >>
07-05
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
07-05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
07-05
-
9475a59226943a3ad422e18169989f66
>> (related) >>
07-05
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
07-05
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
07-05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
07-05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
07-05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
07-05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
07-05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
07-05
-
01185a4f21be653f13b885a655da2239
>> (related) >>
07-05
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
07-05
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
07-05
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
07-05
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
07-05
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
07-05
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
07-05
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
07-05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
07-05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
07-05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
07-05
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
07-05
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
07-05
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
07-05
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
07-05
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
07-05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
07-05
rdata
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
rdata
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
rdata
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
rdata
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
rdata
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
rdata
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
rdata
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
rdata
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
rdata
-
decfc792ded248587084a6329217380e
>> (related) >>
rdata
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
rdata
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
rdata
-
9475a59226943a3ad422e18169989f66
>> (related) >>
rdata
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
rdata
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
rdata
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
rdata
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
rdata
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
rdata
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
rdata
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
rdata
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
rdata
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
rdata
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
rdata
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
rdata
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
rdata
-
a84958d0a1ba6ccf7f68b0f082a1c656
>> (related) >>
rdata
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
rdata
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
rdata
-
01185a4f21be653f13b885a655da2239
>> (related) >>
rdata
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
rdata
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
rdata
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
rdata
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
rdata
-
48f101db632bb445c21a10fd5501e343
>> (related) >>
rdata
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
rdata
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
rdata
reloc
References:
Titles (0)
Sentences (0)
Links:
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
reloc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
reloc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
reloc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
reloc
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
reloc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
reloc
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
reloc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
reloc
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
reloc
-
4c8100d03804167a977995936cfbf536
>> (related) >>
reloc
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
reloc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
reloc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
reloc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
reloc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
reloc
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
reloc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
reloc
-
9475a59226943a3ad422e18169989f66
>> (related) >>
reloc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
reloc
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
reloc
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
reloc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
reloc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
reloc
-
01185a4f21be653f13b885a655da2239
>> (related) >>
reloc
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
reloc
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
reloc
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
reloc
-
9676f7c827fb9388358aaba3e4bd0cc6
>> (related) >>
reloc
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
reloc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
reloc
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
reloc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
reloc
-
decfc792ded248587084a6329217380e
>> (related) >>
reloc
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
reloc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
reloc
cryptors
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cryptors
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
cryptors
-
9475a59226943a3ad422e18169989f66
>> (related) >>
cryptors
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cryptors
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cryptors
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cryptors
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
cryptors
-
decfc792ded248587084a6329217380e
>> (related) >>
cryptors
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cryptors
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cryptors
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cryptors
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cryptors
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
cryptors
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cryptors
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
cryptors
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cryptors
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
cryptors
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cryptors
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
cryptors
-
01185a4f21be653f13b885a655da2239
>> (related) >>
cryptors
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
cryptors
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
cryptors
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cryptors
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cryptors
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cryptors
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
cryptors
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
cryptors
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
cryptors
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
cryptors
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
cryptors
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
cryptors
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cryptors
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cryptors
borland
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
borland
-
9475a59226943a3ad422e18169989f66
>> (related) >>
borland
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
borland
-
01185a4f21be653f13b885a655da2239
>> (related) >>
borland
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
borland
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
borland
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
borland
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
borland
-
decfc792ded248587084a6329217380e
>> (related) >>
borland
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
borland
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
borland
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
borland
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
borland
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
borland
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
borland
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
borland
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
borland
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
borland
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
borland
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
borland
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
borland
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
borland
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
borland
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
borland
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
borland
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
borland
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
borland
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
borland
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
borland
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
borland
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
borland
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
borland
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
borland
relationships
References:
Titles (0)
Sentences (0)
Links:
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
relationships
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
relationships
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
relationships
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
relationships
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
relationships
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
relationships
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
relationships
-
9475a59226943a3ad422e18169989f66
>> (related) >>
relationships
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
relationships
-
decfc792ded248587084a6329217380e
>> (related) >>
relationships
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
relationships
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
relationships
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
relationships
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
relationships
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
relationships
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
relationships
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
relationships
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
relationships
-
01185a4f21be653f13b885a655da2239
>> (related) >>
relationships
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
relationships
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
relationships
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
relationships
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
relationships
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
relationships
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
relationships
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
relationships
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
relationships
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
relationships
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
relationships
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
relationships
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
relationships
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
relationships
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
relationships
5a300f72e2
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
5a300f72e2
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
5a300f72e2
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
5a300f72e2
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
5a300f72e2
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
5a300f72e2
-
01185a4f21be653f13b885a655da2239
>> (related) >>
5a300f72e2
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
5a300f72e2
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
5a300f72e2
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
5a300f72e2
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
5a300f72e2
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
5a300f72e2
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
5a300f72e2
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
5a300f72e2
-
decfc792ded248587084a6329217380e
>> (related) >>
5a300f72e2
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
5a300f72e2
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
5a300f72e2
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
5a300f72e2
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
5a300f72e2
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
5a300f72e2
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
5a300f72e2
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
5a300f72e2
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
5a300f72e2
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
5a300f72e2
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
5a300f72e2
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
5a300f72e2
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
5a300f72e2
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
5a300f72e2
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
5a300f72e2
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
5a300f72e2
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
5a300f72e2
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
5a300f72e2
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
5a300f72e2
-
9475a59226943a3ad422e18169989f66
>> (related) >>
5a300f72e2
contained_within
References:
Titles (0)
Sentences (0)
Links:
-
decfc792ded248587084a6329217380e
>> (related) >>
contained_within
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
contained_within
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
contained_within
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
contained_within
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
contained_within
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
contained_within
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
contained_within
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
contained_within
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
contained_within
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
contained_within
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
contained_within
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
contained_within
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
contained_within
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
contained_within
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
contained_within
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
contained_within
-
9475a59226943a3ad422e18169989f66
>> (related) >>
contained_within
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
contained_within
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
contained_within
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
contained_within
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
contained_within
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
contained_within
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
contained_within
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
contained_within
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
contained_within
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
contained_within
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
contained_within
-
01185a4f21be653f13b885a655da2239
>> (related) >>
contained_within
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
contained_within
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
contained_within
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
contained_within
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
contained_within
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
contained_within
dropped_by
References:
Titles (0)
Sentences (0)
Links:
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
dropped_by
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
dropped_by
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
dropped_by
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dropped_by
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
dropped_by
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dropped_by
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
dropped_by
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
dropped_by
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
dropped_by
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dropped_by
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dropped_by
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
dropped_by
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dropped_by
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dropped_by
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dropped_by
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dropped_by
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
dropped_by
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
dropped_by
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dropped_by
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dropped_by
-
decfc792ded248587084a6329217380e
>> (related) >>
dropped_by
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dropped_by
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dropped_by
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dropped_by
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
dropped_by
-
01185a4f21be653f13b885a655da2239
>> (related) >>
dropped_by
-
9475a59226943a3ad422e18169989f66
>> (related) >>
dropped_by
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dropped_by
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dropped_by
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
dropped_by
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dropped_by
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
dropped_by
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
dropped_by
hex
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
hex
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
hex
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
hex
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
hex
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
hex
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
hex
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
hex
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
hex
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
hex
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
hex
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
hex
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
hex
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
hex
-
decfc792ded248587084a6329217380e
>> (related) >>
hex
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
hex
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
hex
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
hex
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
hex
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
hex
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
hex
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
hex
-
01185a4f21be653f13b885a655da2239
>> (related) >>
hex
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
hex
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
hex
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
hex
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
hex
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
hex
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
hex
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
hex
-
9475a59226943a3ad422e18169989f66
>> (related) >>
hex
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
hex
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
hex
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
hex
authenticate
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
authenticate
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
authenticate
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
authenticate
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
authenticate
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
authenticate
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
authenticate
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
authenticate
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
authenticate
-
decfc792ded248587084a6329217380e
>> (related) >>
authenticate
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
authenticate
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
authenticate
-
9475a59226943a3ad422e18169989f66
>> (related) >>
authenticate
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
authenticate
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
authenticate
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
authenticate
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
authenticate
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
authenticate
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
authenticate
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
authenticate
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
authenticate
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
authenticate
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
authenticate
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
authenticate
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
authenticate
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
authenticate
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
authenticate
-
01185a4f21be653f13b885a655da2239
>> (related) >>
authenticate
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
authenticate
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
authenticate
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
authenticate
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
authenticate
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
authenticate
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
authenticate
--begin
References:
Titles (0)
Sentences (0)
Links:
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
--begin
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
--begin
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
--begin
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
--begin
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
--begin
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
--begin
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
--begin
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
--begin
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
--begin
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
--begin
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
--begin
-
9475a59226943a3ad422e18169989f66
>> (related) >>
--begin
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
--begin
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
--begin
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
--begin
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
--begin
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
--begin
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
--begin
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
--begin
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
--begin
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
--begin
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
--begin
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
--begin
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
--begin
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
--begin
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
--begin
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
--begin
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
--begin
-
01185a4f21be653f13b885a655da2239
>> (related) >>
--begin
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
--begin
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
--begin
-
decfc792ded248587084a6329217380e
>> (related) >>
--begin
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
--begin
usernames--
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
usernames--
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
usernames--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
usernames--
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
usernames--
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
usernames--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
usernames--
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
usernames--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
usernames--
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
usernames--
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
usernames--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
usernames--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
usernames--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
usernames--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
usernames--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
usernames--
-
decfc792ded248587084a6329217380e
>> (related) >>
usernames--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
usernames--
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
usernames--
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
usernames--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
usernames--
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
usernames--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
usernames--
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
usernames--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
usernames--
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
usernames--
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
usernames--
-
9475a59226943a3ad422e18169989f66
>> (related) >>
usernames--
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
usernames--
-
01185a4f21be653f13b885a655da2239
>> (related) >>
usernames--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
usernames--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
usernames--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
usernames--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
usernames--
--end
References:
Titles (0)
Sentences (0)
Links:
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
--end
-
01185a4f21be653f13b885a655da2239
>> (related) >>
--end
-
9475a59226943a3ad422e18169989f66
>> (related) >>
--end
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
--end
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
--end
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
--end
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
--end
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
--end
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
--end
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
--end
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
--end
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
--end
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
--end
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
--end
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
--end
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
--end
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
--end
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
--end
-
decfc792ded248587084a6329217380e
>> (related) >>
--end
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
--end
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
--end
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
--end
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
--end
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
--end
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
--end
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
--end
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
--end
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
--end
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
--end
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
--end
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
--end
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
--end
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
--end
passwords--
References:
Titles (0)
Sentences (0)
Links:
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
passwords--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
passwords--
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
passwords--
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
passwords--
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
passwords--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
passwords--
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
passwords--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
passwords--
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
passwords--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
passwords--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
passwords--
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
passwords--
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
passwords--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
passwords--
-
01185a4f21be653f13b885a655da2239
>> (related) >>
passwords--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
passwords--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
passwords--
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
passwords--
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
passwords--
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
passwords--
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
passwords--
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
passwords--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
passwords--
-
decfc792ded248587084a6329217380e
>> (related) >>
passwords--
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
passwords--
-
9475a59226943a3ad422e18169989f66
>> (related) >>
passwords--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
passwords--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
passwords--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
passwords--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
passwords--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
passwords--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
passwords--
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
passwords--
qaz123
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
qaz123
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
qaz123
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
qaz123
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
qaz123
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
qaz123
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
qaz123
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
qaz123
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
qaz123
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
qaz123
-
decfc792ded248587084a6329217380e
>> (related) >>
qaz123
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
qaz123
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
qaz123
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
qaz123
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
qaz123
-
9475a59226943a3ad422e18169989f66
>> (related) >>
qaz123
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
qaz123
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
qaz123
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
qaz123
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
qaz123
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
qaz123
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
qaz123
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
qaz123
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
qaz123
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
qaz123
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
qaz123
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
qaz123
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
qaz123
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
qaz123
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
qaz123
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
qaz123
-
01185a4f21be653f13b885a655da2239
>> (related) >>
qaz123
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
qaz123
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
qaz123
qwerty123
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
qwerty123
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
qwerty123
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
qwerty123
-
01185a4f21be653f13b885a655da2239
>> (related) >>
qwerty123
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
qwerty123
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
qwerty123
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
qwerty123
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
qwerty123
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
qwerty123
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
qwerty123
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
qwerty123
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
qwerty123
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
qwerty123
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
qwerty123
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
qwerty123
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
qwerty123
-
9475a59226943a3ad422e18169989f66
>> (related) >>
qwerty123
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
qwerty123
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
qwerty123
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
qwerty123
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
qwerty123
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
qwerty123
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
qwerty123
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
qwerty123
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
qwerty123
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
qwerty123
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
qwerty123
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
qwerty123
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
qwerty123
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
qwerty123
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
qwerty123
-
decfc792ded248587084a6329217380e
>> (related) >>
qwerty123
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
qwerty123
command-line--
References:
Titles (0)
Sentences (0)
Links:
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
command-line--
-
01185a4f21be653f13b885a655da2239
>> (related) >>
command-line--
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
command-line--
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
command-line--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
command-line--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
command-line--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
command-line--
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
command-line--
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
command-line--
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
command-line--
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
command-line--
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
command-line--
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
command-line--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
command-line--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
command-line--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
command-line--
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
command-line--
-
9475a59226943a3ad422e18169989f66
>> (related) >>
command-line--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
command-line--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
command-line--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
command-line--
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
command-line--
-
decfc792ded248587084a6329217380e
>> (related) >>
command-line--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
command-line--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
command-line--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
command-line--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
command-line--
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
command-line--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
command-line--
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
command-line--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
command-line--
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
command-line--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
command-line--
malicious
References:
Titles (0)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
malicious
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
malicious
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
malicious
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
malicious
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
malicious
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
malicious
-
9475a59226943a3ad422e18169989f66
>> (related) >>
malicious
-
01185a4f21be653f13b885a655da2239
>> (related) >>
malicious
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
malicious
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
malicious
-
decfc792ded248587084a6329217380e
>> (related) >>
malicious
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
malicious
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
malicious
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
malicious
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
malicious
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
malicious
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
malicious
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
malicious
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
malicious
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
malicious
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
malicious
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
malicious
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
malicious
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
malicious
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
malicious
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
malicious
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
malicious
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
malicious
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
malicious
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
malicious
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
malicious
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
malicious
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
malicious
dll
References:
Titles (0)
Sentences (0)
Links:
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
dll
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
dll
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
dll
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dll
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
dll
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dll
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
dll
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
dll
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
dll
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dll
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dll
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
dll
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dll
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dll
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dll
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dll
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
dll
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
dll
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dll
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dll
-
decfc792ded248587084a6329217380e
>> (related) >>
dll
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dll
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dll
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dll
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
dll
-
01185a4f21be653f13b885a655da2239
>> (related) >>
dll
-
9475a59226943a3ad422e18169989f66
>> (related) >>
dll
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dll
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dll
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
dll
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dll
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
dll
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
dll
-n
References:
Titles (0)
Sentences (0)
Links:
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
-n
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
-n
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
-n
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
-n
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
-n
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
-n
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
-n
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
-n
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
-n
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
-n
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
-n
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
-n
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
-n
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
-n
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
-n
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
-n
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
-n
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
-n
-
01185a4f21be653f13b885a655da2239
>> (related) >>
-n
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
-n
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
-n
-
decfc792ded248587084a6329217380e
>> (related) >>
-n
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
-n
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
-n
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
-n
-
9475a59226943a3ad422e18169989f66
>> (related) >>
-n
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
-n
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
-n
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
-n
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
-n
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
-n
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
-n
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
-n
wevtutil
References:
Titles (0)
Sentences (0)
Links:
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
wevtutil
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
wevtutil
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
wevtutil
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
wevtutil
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
wevtutil
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
wevtutil
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
wevtutil
-
01185a4f21be653f13b885a655da2239
>> (related) >>
wevtutil
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
wevtutil
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
wevtutil
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
wevtutil
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
wevtutil
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
wevtutil
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
wevtutil
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
wevtutil
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
wevtutil
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
wevtutil
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
wevtutil
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
wevtutil
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
wevtutil
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
wevtutil
-
9475a59226943a3ad422e18169989f66
>> (related) >>
wevtutil
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
wevtutil
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
wevtutil
-
decfc792ded248587084a6329217380e
>> (related) >>
wevtutil
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
wevtutil
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
wevtutil
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
wevtutil
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
wevtutil
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
wevtutil
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
wevtutil
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
wevtutil
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
wevtutil
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
References:
Titles (0)
Sentences (0)
Links:
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
01185a4f21be653f13b885a655da2239
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
decfc792ded248587084a6329217380e
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
9475a59226943a3ad422e18169989f66
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
315cc419f6ec600a345447b0f49e3de9f13c1e96d9bbc272f982204b1c7ec71cb3805f5ff7821da3e7944e327c22e5eba6f3c94b08c66b6e241395e1ea133ed1
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
References:
Titles (0)
Sentences (0)
Links:
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
01185a4f21be653f13b885a655da2239
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
decfc792ded248587084a6329217380e
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
9475a59226943a3ad422e18169989f66
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
gnu7oimtlhyanf1bioenm2ek7mnousgpay8odcdcm7cisf4ro06lohgvjnuqo
g4olhlzjenm2ek7mnousgpay8odcdcmt
References:
Titles (0)
Sentences (0)
Links:
-
decfc792ded248587084a6329217380e
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
9475a59226943a3ad422e18169989f66
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
01185a4f21be653f13b885a655da2239
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
g4olhlzjenm2ek7mnousgpay8odcdcmt
juikt
References:
Titles (0)
Sentences (0)
Links:
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
juikt
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
juikt
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
juikt
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
juikt
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
juikt
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
juikt
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
juikt
-
01185a4f21be653f13b885a655da2239
>> (related) >>
juikt
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
juikt
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
juikt
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
juikt
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
juikt
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
juikt
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
juikt
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
juikt
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
juikt
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
juikt
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
juikt
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
juikt
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
juikt
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
juikt
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
juikt
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
juikt
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
juikt
-
decfc792ded248587084a6329217380e
>> (related) >>
juikt
-
9475a59226943a3ad422e18169989f66
>> (related) >>
juikt
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
juikt
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
juikt
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
juikt
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
juikt
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
juikt
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
juikt
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
juikt
00028d131
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
00028d131
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
00028d131
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
00028d131
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
00028d131
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
00028d131
-
01185a4f21be653f13b885a655da2239
>> (related) >>
00028d131
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
00028d131
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
00028d131
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
00028d131
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
00028d131
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
00028d131
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
00028d131
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
00028d131
-
decfc792ded248587084a6329217380e
>> (related) >>
00028d131
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
00028d131
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
00028d131
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
00028d131
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
00028d131
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
00028d131
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
00028d131
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
00028d131
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
00028d131
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
00028d131
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
00028d131
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
00028d131
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
00028d131
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
00028d131
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
00028d131
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
00028d131
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
00028d131
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
00028d131
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
00028d131
-
9475a59226943a3ad422e18169989f66
>> (related) >>
00028d131
cisa_10376640_03
References:
Titles (0)
Sentences (0)
Links:
-
9475a59226943a3ad422e18169989f66
>> (related) >>
cisa_10376640_03
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_03
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_03
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_03
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_03
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_03
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_03
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_03
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
cisa_10376640_03
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_03
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
cisa_10376640_03
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
cisa_10376640_03
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_03
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
cisa_10376640_03
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
cisa_10376640_03
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
cisa_10376640_03
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
cisa_10376640_03
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_03
-
decfc792ded248587084a6329217380e
>> (related) >>
cisa_10376640_03
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_03
-
01185a4f21be653f13b885a655da2239
>> (related) >>
cisa_10376640_03
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_03
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
cisa_10376640_03
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
cisa_10376640_03
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
cisa_10376640_03
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_03
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
cisa_10376640_03
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_03
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
cisa_10376640_03
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
cisa_10376640_03
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_03
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
cisa_10376640_03
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_03
15-05
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
15-05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
15-05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
15-05
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
15-05
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
15-05
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
15-05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
15-05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
15-05
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
15-05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
15-05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
15-05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
15-05
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
15-05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
15-05
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
15-05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
15-05
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
15-05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
15-05
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
15-05
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
15-05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
15-05
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
15-05
-
decfc792ded248587084a6329217380e
>> (related) >>
15-05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
15-05
-
01185a4f21be653f13b885a655da2239
>> (related) >>
15-05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
15-05
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
15-05
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
15-05
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
15-05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
15-05
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
15-05
-
9475a59226943a3ad422e18169989f66
>> (related) >>
15-05
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
15-05
2d29f9ca1d
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
2d29f9ca1d
-
decfc792ded248587084a6329217380e
>> (related) >>
2d29f9ca1d
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
2d29f9ca1d
-
01185a4f21be653f13b885a655da2239
>> (related) >>
2d29f9ca1d
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
2d29f9ca1d
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
2d29f9ca1d
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
2d29f9ca1d
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
2d29f9ca1d
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
2d29f9ca1d
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
2d29f9ca1d
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
2d29f9ca1d
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
2d29f9ca1d
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
2d29f9ca1d
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
2d29f9ca1d
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
2d29f9ca1d
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
2d29f9ca1d
-
9475a59226943a3ad422e18169989f66
>> (related) >>
2d29f9ca1d
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
2d29f9ca1d
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
2d29f9ca1d
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
2d29f9ca1d
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
2d29f9ca1d
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
2d29f9ca1d
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
2d29f9ca1d
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
2d29f9ca1d
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
2d29f9ca1d
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
2d29f9ca1d
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
2d29f9ca1d
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
2d29f9ca1d
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
2d29f9ca1d
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
2d29f9ca1d
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
2d29f9ca1d
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
2d29f9ca1d
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
2d29f9ca1d
path
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
path
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
path
-
decfc792ded248587084a6329217380e
>> (related) >>
path
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
path
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
path
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
path
-
9475a59226943a3ad422e18169989f66
>> (related) >>
path
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
path
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
path
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
path
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
path
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
path
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
path
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
path
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
path
-
01185a4f21be653f13b885a655da2239
>> (related) >>
path
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
path
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
path
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
path
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
path
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
path
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
path
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
path
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
path
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
path
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
path
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
path
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
path
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
path
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
path
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
path
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
path
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
path
backdoortrojanworm
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
backdoortrojanworm
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
backdoortrojanworm
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
backdoortrojanworm
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
backdoortrojanworm
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
backdoortrojanworm
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
backdoortrojanworm
-
01185a4f21be653f13b885a655da2239
>> (related) >>
backdoortrojanworm
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
backdoortrojanworm
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
backdoortrojanworm
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
backdoortrojanworm
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
backdoortrojanworm
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
backdoortrojanworm
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
backdoortrojanworm
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
backdoortrojanworm
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
backdoortrojanworm
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
backdoortrojanworm
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
backdoortrojanworm
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
backdoortrojanworm
-
decfc792ded248587084a6329217380e
>> (related) >>
backdoortrojanworm
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
backdoortrojanworm
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
backdoortrojanworm
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
backdoortrojanworm
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
backdoortrojanworm
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
backdoortrojanworm
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
backdoortrojanworm
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
backdoortrojanworm
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
backdoortrojanworm
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
backdoortrojanworm
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
backdoortrojanworm
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
backdoortrojanworm
-
9475a59226943a3ad422e18169989f66
>> (related) >>
backdoortrojanworm
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
backdoortrojanworm
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
backdoortrojanworm
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
References:
Titles (0)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
9475a59226943a3ad422e18169989f66
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
01185a4f21be653f13b885a655da2239
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
decfc792ded248587084a6329217380e
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
1de912f50b7f5cc2f4fcea7b6d3c84a39bd15d668122f50a9b11da66447ed99f456e86e006d0dfe7ab0fca7dc8e35efa7ff57959033463d94ef37e5705515430
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
References:
Titles (0)
Sentences (0)
Links:
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
01185a4f21be653f13b885a655da2239
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
decfc792ded248587084a6329217380e
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
9475a59226943a3ad422e18169989f66
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
j4wctqjtbyjszrjiylkytnsg9hcr1dndh2irnl5tj1xungask4ctfvf1wz62pntr
hgqrbrtnsehmhdh2irnl5tj1xungaskw
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
01185a4f21be653f13b885a655da2239
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
9475a59226943a3ad422e18169989f66
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
decfc792ded248587084a6329217380e
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
hgqrbrtnsehmhdh2irnl5tj1xungaskw
antiy
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
antiy
-
9475a59226943a3ad422e18169989f66
>> (related) >>
antiy
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
antiy
-
01185a4f21be653f13b885a655da2239
>> (related) >>
antiy
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
antiy
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
antiy
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
antiy
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
antiy
-
decfc792ded248587084a6329217380e
>> (related) >>
antiy
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
antiy
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
antiy
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
antiy
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
antiy
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
antiy
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
antiy
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
antiy
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
antiy
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
antiy
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
antiy
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
antiy
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
antiy
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
antiy
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
antiy
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
antiy
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
antiy
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
antiy
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
antiy
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
antiy
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
antiy
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
antiy
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
antiy
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
antiy
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
antiy
sejyu
References:
Titles (0)
Sentences (0)
Links:
-
9475a59226943a3ad422e18169989f66
>> (related) >>
sejyu
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sejyu
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sejyu
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sejyu
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sejyu
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
sejyu
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
sejyu
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sejyu
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sejyu
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
sejyu
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
sejyu
-
01185a4f21be653f13b885a655da2239
>> (related) >>
sejyu
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sejyu
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
sejyu
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sejyu
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
sejyu
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sejyu
-
decfc792ded248587084a6329217380e
>> (related) >>
sejyu
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sejyu
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
sejyu
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
sejyu
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
sejyu
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
sejyu
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sejyu
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sejyu
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
sejyu
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
sejyu
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sejyu
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sejyu
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sejyu
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
sejyu
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
sejyu
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sejyu
clamav
References:
Titles (0)
Sentences (0)
Links:
-
9475a59226943a3ad422e18169989f66
>> (related) >>
clamav
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
clamav
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
clamav
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
clamav
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
clamav
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
clamav
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
clamav
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
clamav
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
clamav
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
clamav
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
clamav
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
clamav
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
clamav
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
clamav
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
clamav
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
clamav
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
clamav
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
clamav
-
decfc792ded248587084a6329217380e
>> (related) >>
clamav
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
clamav
-
01185a4f21be653f13b885a655da2239
>> (related) >>
clamav
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
clamav
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
clamav
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
clamav
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
clamav
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
clamav
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
clamav
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
clamav
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
clamav
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
clamav
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
clamav
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
clamav
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
clamav
hermeticwizard-9941571-0
References:
Titles (0)
Sentences (0)
Links:
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
hermeticwizard-9941571-0
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
hermeticwizard-9941571-0
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
hermeticwizard-9941571-0
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
hermeticwizard-9941571-0
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
hermeticwizard-9941571-0
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
hermeticwizard-9941571-0
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
hermeticwizard-9941571-0
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
hermeticwizard-9941571-0
-
9475a59226943a3ad422e18169989f66
>> (related) >>
hermeticwizard-9941571-0
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
hermeticwizard-9941571-0
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
hermeticwizard-9941571-0
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
hermeticwizard-9941571-0
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
hermeticwizard-9941571-0
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
hermeticwizard-9941571-0
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
hermeticwizard-9941571-0
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
hermeticwizard-9941571-0
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
hermeticwizard-9941571-0
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
hermeticwizard-9941571-0
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
hermeticwizard-9941571-0
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
hermeticwizard-9941571-0
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
hermeticwizard-9941571-0
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
hermeticwizard-9941571-0
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
hermeticwizard-9941571-0
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
hermeticwizard-9941571-0
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
hermeticwizard-9941571-0
-
01185a4f21be653f13b885a655da2239
>> (related) >>
hermeticwizard-9941571-0
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
hermeticwizard-9941571-0
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
hermeticwizard-9941571-0
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
hermeticwizard-9941571-0
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
hermeticwizard-9941571-0
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
hermeticwizard-9941571-0
-
decfc792ded248587084a6329217380e
>> (related) >>
hermeticwizard-9941571-0
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
hermeticwizard-9941571-0
nanoav
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
nanoav
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
nanoav
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
nanoav
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
nanoav
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
nanoav
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
nanoav
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
nanoav
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
nanoav
-
9475a59226943a3ad422e18169989f66
>> (related) >>
nanoav
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
nanoav
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
nanoav
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
nanoav
-
decfc792ded248587084a6329217380e
>> (related) >>
nanoav
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
nanoav
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
nanoav
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
nanoav
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
nanoav
-
01185a4f21be653f13b885a655da2239
>> (related) >>
nanoav
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
nanoav
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
nanoav
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
nanoav
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
nanoav
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
nanoav
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
nanoav
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
nanoav
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
nanoav
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
nanoav
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
nanoav
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
nanoav
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
nanoav
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
nanoav
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
nanoav
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
nanoav
tachyon
References:
Titles (0)
Sentences (0)
Links:
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
tachyon
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
tachyon
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
tachyon
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
tachyon
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
tachyon
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
tachyon
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
tachyon
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
tachyon
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
tachyon
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
tachyon
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
tachyon
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
tachyon
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
tachyon
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
tachyon
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
tachyon
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
tachyon
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
tachyon
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
tachyon
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
tachyon
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
tachyon
-
9475a59226943a3ad422e18169989f66
>> (related) >>
tachyon
-
01185a4f21be653f13b885a655da2239
>> (related) >>
tachyon
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
tachyon
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
tachyon
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
tachyon
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
tachyon
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
tachyon
-
decfc792ded248587084a6329217380e
>> (related) >>
tachyon
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
tachyon
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
tachyon
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
tachyon
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
tachyon
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
tachyon
38d94ab0
References:
Titles (0)
Sentences (0)
Links:
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
38d94ab0
-
decfc792ded248587084a6329217380e
>> (related) >>
38d94ab0
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
38d94ab0
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
38d94ab0
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
38d94ab0
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
38d94ab0
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
38d94ab0
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
38d94ab0
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
38d94ab0
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
38d94ab0
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
38d94ab0
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
38d94ab0
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
38d94ab0
-
9475a59226943a3ad422e18169989f66
>> (related) >>
38d94ab0
-
01185a4f21be653f13b885a655da2239
>> (related) >>
38d94ab0
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
38d94ab0
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
38d94ab0
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
38d94ab0
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
38d94ab0
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
38d94ab0
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
38d94ab0
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
38d94ab0
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
38d94ab0
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
38d94ab0
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
38d94ab0
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
38d94ab0
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
38d94ab0
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
38d94ab0
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
38d94ab0
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
38d94ab0
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
38d94ab0
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
38d94ab0
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
38d94ab0
cisa_10376640_05
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
cisa_10376640_05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_05
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_05
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
cisa_10376640_05
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
cisa_10376640_05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_05
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
cisa_10376640_05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_05
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
cisa_10376640_05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_05
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
cisa_10376640_05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_05
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
cisa_10376640_05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_05
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
cisa_10376640_05
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
cisa_10376640_05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_05
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
cisa_10376640_05
-
decfc792ded248587084a6329217380e
>> (related) >>
cisa_10376640_05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_05
-
01185a4f21be653f13b885a655da2239
>> (related) >>
cisa_10376640_05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_05
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
cisa_10376640_05
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
cisa_10376640_05
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
cisa_10376640_05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_05
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
cisa_10376640_05
-
9475a59226943a3ad422e18169989f66
>> (related) >>
cisa_10376640_05
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_05
20220414_1037
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
20220414_1037
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
20220414_1037
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
20220414_1037
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
20220414_1037
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
20220414_1037
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
20220414_1037
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
20220414_1037
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
20220414_1037
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
20220414_1037
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
20220414_1037
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
20220414_1037
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
20220414_1037
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
20220414_1037
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
20220414_1037
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
20220414_1037
-
01185a4f21be653f13b885a655da2239
>> (related) >>
20220414_1037
-
9475a59226943a3ad422e18169989f66
>> (related) >>
20220414_1037
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
20220414_1037
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
20220414_1037
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
20220414_1037
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
20220414_1037
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
20220414_1037
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
20220414_1037
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
20220414_1037
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
20220414_1037
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
20220414_1037
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
20220414_1037
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
20220414_1037
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
20220414_1037
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
20220414_1037
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
20220414_1037
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
20220414_1037
-
decfc792ded248587084a6329217380e
>> (related) >>
20220414_1037
2000kb
References:
Titles (0)
Sentences (0)
Links:
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
2000kb
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
2000kb
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
2000kb
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
2000kb
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
2000kb
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
2000kb
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
2000kb
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
2000kb
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
2000kb
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
2000kb
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
2000kb
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
2000kb
-
01185a4f21be653f13b885a655da2239
>> (related) >>
2000kb
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
2000kb
-
decfc792ded248587084a6329217380e
>> (related) >>
2000kb
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
2000kb
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
2000kb
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
2000kb
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
2000kb
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
2000kb
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
2000kb
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
2000kb
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
2000kb
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
2000kb
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
2000kb
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
2000kb
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
2000kb
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
2000kb
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
2000kb
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
2000kb
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
2000kb
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
2000kb
-
9475a59226943a3ad422e18169989f66
>> (related) >>
2000kb
17-05
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
17-05
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
17-05
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
17-05
-
01185a4f21be653f13b885a655da2239
>> (related) >>
17-05
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
17-05
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
17-05
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
17-05
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
17-05
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
17-05
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
17-05
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
17-05
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
17-05
-
decfc792ded248587084a6329217380e
>> (related) >>
17-05
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
17-05
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
17-05
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
17-05
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
17-05
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
17-05
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
17-05
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
17-05
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
17-05
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
17-05
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
17-05
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
17-05
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
17-05
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
17-05
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
17-05
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
17-05
-
9475a59226943a3ad422e18169989f66
>> (related) >>
17-05
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
17-05
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
17-05
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
17-05
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
17-05
rsrc
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
rsrc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
rsrc
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
rsrc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
rsrc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
rsrc
-
9475a59226943a3ad422e18169989f66
>> (related) >>
rsrc
-
01185a4f21be653f13b885a655da2239
>> (related) >>
rsrc
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
rsrc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
rsrc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
rsrc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
rsrc
-
decfc792ded248587084a6329217380e
>> (related) >>
rsrc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
rsrc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
rsrc
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
rsrc
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
rsrc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
rsrc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
rsrc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
rsrc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
rsrc
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
rsrc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
rsrc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
rsrc
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
rsrc
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
rsrc
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
rsrc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
rsrc
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
rsrc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
rsrc
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
rsrc
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
rsrc
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
rsrc
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
rsrc
a259e9b0ac
References:
Titles (0)
Sentences (0)
Links:
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
a259e9b0ac
-
01185a4f21be653f13b885a655da2239
>> (related) >>
a259e9b0ac
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
a259e9b0ac
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
a259e9b0ac
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
a259e9b0ac
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
a259e9b0ac
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
a259e9b0ac
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
a259e9b0ac
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
a259e9b0ac
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
a259e9b0ac
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
a259e9b0ac
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
a259e9b0ac
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
a259e9b0ac
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
a259e9b0ac
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
a259e9b0ac
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
a259e9b0ac
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
a259e9b0ac
-
9475a59226943a3ad422e18169989f66
>> (related) >>
a259e9b0ac
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
a259e9b0ac
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
a259e9b0ac
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
a259e9b0ac
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
a259e9b0ac
-
decfc792ded248587084a6329217380e
>> (related) >>
a259e9b0ac
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
a259e9b0ac
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
a259e9b0ac
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
a259e9b0ac
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
a259e9b0ac
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
a259e9b0ac
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
a259e9b0ac
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
a259e9b0ac
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
a259e9b0ac
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
a259e9b0ac
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
a259e9b0ac
files--
References:
Titles (0)
Sentences (0)
Links:
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
files--
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
files--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
files--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
files--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
files--
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
files--
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
files--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
files--
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
files--
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
files--
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
files--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
files--
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
files--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
files--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
files--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
files--
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
files--
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
files--
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
files--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
files--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
files--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
files--
-
01185a4f21be653f13b885a655da2239
>> (related) >>
files--
-
9475a59226943a3ad422e18169989f66
>> (related) >>
files--
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
files--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
files--
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
files--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
files--
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
files--
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
files--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
files--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
files--
-
decfc792ded248587084a6329217380e
>> (related) >>
files--
exec_x32
References:
Titles (0)
Sentences (0)
Links:
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
exec_x32
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
exec_x32
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
exec_x32
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
exec_x32
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
exec_x32
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
exec_x32
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
exec_x32
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
exec_x32
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
exec_x32
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
exec_x32
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
exec_x32
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
exec_x32
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
exec_x32
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
exec_x32
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
exec_x32
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
exec_x32
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
exec_x32
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
exec_x32
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
exec_x32
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
exec_x32
-
9475a59226943a3ad422e18169989f66
>> (related) >>
exec_x32
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
exec_x32
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
exec_x32
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
exec_x32
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
exec_x32
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
exec_x32
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
exec_x32
-
01185a4f21be653f13b885a655da2239
>> (related) >>
exec_x32
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
exec_x32
-
decfc792ded248587084a6329217380e
>> (related) >>
exec_x32
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
exec_x32
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
exec_x32
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
exec_x32
romance
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
romance
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
romance
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
romance
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
romance
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
romance
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
romance
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
romance
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
romance
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
romance
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
romance
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
romance
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
romance
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
romance
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
romance
-
decfc792ded248587084a6329217380e
>> (related) >>
romance
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
romance
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
romance
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
romance
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
romance
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
romance
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
romance
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
romance
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
romance
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
romance
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
romance
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
romance
-
9475a59226943a3ad422e18169989f66
>> (related) >>
romance
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
romance
-
01185a4f21be653f13b885a655da2239
>> (related) >>
romance
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
romance
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
romance
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
romance
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
romance
6
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
6
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
6
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
6
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
6
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
6
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
6
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
6
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
6
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
6
-
decfc792ded248587084a6329217380e
>> (related) >>
6
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
6
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
6
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
6
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
6
-
9475a59226943a3ad422e18169989f66
>> (related) >>
6
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
6
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
6
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
6
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
6
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
6
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
6
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
6
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
6
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
6
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
6
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
6
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
6
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
6
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
6
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
6
-
01185a4f21be653f13b885a655da2239
>> (related) >>
6
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
6
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
6
alphanumerical
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
alphanumerical
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
alphanumerical
-
9475a59226943a3ad422e18169989f66
>> (related) >>
alphanumerical
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
alphanumerical
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
alphanumerical
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
alphanumerical
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
alphanumerical
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
alphanumerical
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
alphanumerical
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
alphanumerical
-
01185a4f21be653f13b885a655da2239
>> (related) >>
alphanumerical
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
alphanumerical
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
alphanumerical
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
alphanumerical
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
alphanumerical
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
alphanumerical
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
alphanumerical
-
decfc792ded248587084a6329217380e
>> (related) >>
alphanumerical
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
alphanumerical
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
alphanumerical
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
alphanumerical
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
alphanumerical
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
alphanumerical
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
alphanumerical
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
alphanumerical
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
alphanumerical
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
alphanumerical
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
alphanumerical
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
alphanumerical
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
alphanumerical
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
alphanumerical
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
alphanumerical
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
alphanumerical
characters
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
characters
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
characters
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
characters
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
characters
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
characters
-
01185a4f21be653f13b885a655da2239
>> (related) >>
characters
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
characters
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
characters
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
characters
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
characters
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
characters
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
characters
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
characters
-
decfc792ded248587084a6329217380e
>> (related) >>
characters
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
characters
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
characters
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
characters
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
characters
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
characters
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
characters
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
characters
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
characters
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
characters
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
characters
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
characters
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
characters
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
characters
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
characters
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
characters
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
characters
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
characters
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
characters
-
9475a59226943a3ad422e18169989f66
>> (related) >>
characters
numbers--
References:
Titles (0)
Sentences (0)
Links:
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
numbers--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
numbers--
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
numbers--
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
numbers--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
numbers--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
numbers--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
numbers--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
numbers--
-
9475a59226943a3ad422e18169989f66
>> (related) >>
numbers--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
numbers--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
numbers--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
numbers--
-
decfc792ded248587084a6329217380e
>> (related) >>
numbers--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
numbers--
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
numbers--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
numbers--
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
numbers--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
numbers--
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
numbers--
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
numbers--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
numbers--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
numbers--
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
numbers--
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
numbers--
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
numbers--
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
numbers--
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
numbers--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
numbers--
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
numbers--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
numbers--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
numbers--
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
numbers--
-
01185a4f21be653f13b885a655da2239
>> (related) >>
numbers--
-s
References:
Titles (0)
Sentences (0)
Links:
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
-s
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
-s
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
-s
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
-s
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
-s
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
-s
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
-s
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
-s
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
-s
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
-s
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
-s
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
-s
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
-s
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
-s
-
01185a4f21be653f13b885a655da2239
>> (related) >>
-s
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
-s
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
-s
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
-s
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
-s
-
decfc792ded248587084a6329217380e
>> (related) >>
-s
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
-s
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
-s
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
-s
-
9475a59226943a3ad422e18169989f66
>> (related) >>
-s
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
-s
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
-s
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
-s
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
-s
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
-s
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
-s
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
-s
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
-s
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
-s
path
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
path
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
path
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
path
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
path
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
path
-
01185a4f21be653f13b885a655da2239
>> (related) >>
path
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
path
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
path
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
path
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
path
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
path
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
path
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
path
-
decfc792ded248587084a6329217380e
>> (related) >>
path
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
path
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
path
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
path
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
path
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
path
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
path
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
path
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
path
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
path
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
path
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
path
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
path
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
path
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
path
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
path
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
path
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
path
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
path
-
9475a59226943a3ad422e18169989f66
>> (related) >>
path
reachable
References:
Titles (0)
Sentences (0)
Links:
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
reachable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
reachable
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
reachable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
reachable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
reachable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
reachable
-
decfc792ded248587084a6329217380e
>> (related) >>
reachable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
reachable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
reachable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
reachable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
reachable
-
01185a4f21be653f13b885a655da2239
>> (related) >>
reachable
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
reachable
-
9475a59226943a3ad422e18169989f66
>> (related) >>
reachable
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
reachable
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
reachable
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
reachable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
reachable
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
reachable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
reachable
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
reachable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
reachable
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
reachable
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
reachable
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
reachable
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
reachable
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
reachable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
reachable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
reachable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
reachable
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
reachable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
reachable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
reachable
address
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
address
-
9475a59226943a3ad422e18169989f66
>> (related) >>
address
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
address
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
address
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
address
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
address
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
address
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
address
-
01185a4f21be653f13b885a655da2239
>> (related) >>
address
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
address
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
address
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
address
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
address
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
address
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
address
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
address
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
address
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
address
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
address
-
decfc792ded248587084a6329217380e
>> (related) >>
address
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
address
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
address
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
address
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
address
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
address
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
address
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
address
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
address
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
address
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
address
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
address
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
address
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
address
wipe
References:
Titles (0)
Sentences (0)
Links:
-
9475a59226943a3ad422e18169989f66
>> (related) >>
wipe
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
wipe
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
wipe
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
wipe
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
wipe
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
wipe
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
wipe
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
wipe
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
wipe
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
wipe
-
01185a4f21be653f13b885a655da2239
>> (related) >>
wipe
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
wipe
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
wipe
-
decfc792ded248587084a6329217380e
>> (related) >>
wipe
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
wipe
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
wipe
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
wipe
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
wipe
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
wipe
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
wipe
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
wipe
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
wipe
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
wipe
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
wipe
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
wipe
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
wipe
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
wipe
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
wipe
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
wipe
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
wipe
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
wipe
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
wipe
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
wipe
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
References:
Titles (0)
Sentences (0)
Links:
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
01185a4f21be653f13b885a655da2239
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
9475a59226943a3ad422e18169989f66
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
decfc792ded248587084a6329217380e
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
5549bdb658736c187c2d6493c82f46461dda728a0ec365833bf1987e9436a5f9e1a42cab68082af2640b5a10ab92aa9251095d3b453934d3ebeb211bfd42b212
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
9475a59226943a3ad422e18169989f66
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
decfc792ded248587084a6329217380e
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
01185a4f21be653f13b885a655da2239
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
bqslxiv3bdnhxrvb8wzvpsprgssst7ncphjhlhmjz5e
dnyx5rvyw3mqphjhvmjc
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
decfc792ded248587084a6329217380e
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
9475a59226943a3ad422e18169989f66
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
01185a4f21be653f13b885a655da2239
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
dnyx5rvyw3mqphjhvmjc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
dnyx5rvyw3mqphjhvmjc
killmbr
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
killmbr
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
killmbr
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
killmbr
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
killmbr
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
killmbr
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
killmbr
-
01185a4f21be653f13b885a655da2239
>> (related) >>
killmbr
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
killmbr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
killmbr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
killmbr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
killmbr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
killmbr
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
killmbr
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
killmbr
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
killmbr
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
killmbr
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
killmbr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
killmbr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
killmbr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
killmbr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
killmbr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
killmbr
-
decfc792ded248587084a6329217380e
>> (related) >>
killmbr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
killmbr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
killmbr
-
9475a59226943a3ad422e18169989f66
>> (related) >>
killmbr
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
killmbr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
killmbr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
killmbr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
killmbr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
killmbr
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
killmbr
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
killmbr
nhp
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
nhp
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
nhp
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
nhp
-
01185a4f21be653f13b885a655da2239
>> (related) >>
nhp
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
nhp
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
nhp
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
nhp
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
nhp
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
nhp
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
nhp
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
nhp
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
nhp
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
nhp
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
nhp
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
nhp
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
nhp
-
9475a59226943a3ad422e18169989f66
>> (related) >>
nhp
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
nhp
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
nhp
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
nhp
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
nhp
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
nhp
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
nhp
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
nhp
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
nhp
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
nhp
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
nhp
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
nhp
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
nhp
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
nhp
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
nhp
-
decfc792ded248587084a6329217380e
>> (related) >>
nhp
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
nhp
9faba348
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
9faba348
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
9faba348
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
9faba348
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
9faba348
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
9faba348
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
9faba348
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
9faba348
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
9faba348
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
9faba348
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
9faba348
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
9faba348
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
9faba348
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
9faba348
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
9faba348
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
9faba348
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
9faba348
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
9faba348
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
9faba348
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
9faba348
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
9faba348
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
9faba348
-
9475a59226943a3ad422e18169989f66
>> (related) >>
9faba348
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
9faba348
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
9faba348
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
9faba348
-
decfc792ded248587084a6329217380e
>> (related) >>
9faba348
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
9faba348
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
9faba348
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
9faba348
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
9faba348
-
01185a4f21be653f13b885a655da2239
>> (related) >>
9faba348
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
9faba348
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
9faba348
cisa_10376640_01
References:
Titles (0)
Sentences (0)
Links:
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cisa_10376640_01
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
cisa_10376640_01
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
cisa_10376640_01
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
cisa_10376640_01
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
cisa_10376640_01
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cisa_10376640_01
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cisa_10376640_01
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
cisa_10376640_01
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
cisa_10376640_01
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
cisa_10376640_01
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cisa_10376640_01
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cisa_10376640_01
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cisa_10376640_01
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cisa_10376640_01
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
cisa_10376640_01
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
cisa_10376640_01
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cisa_10376640_01
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cisa_10376640_01
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cisa_10376640_01
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
cisa_10376640_01
-
9475a59226943a3ad422e18169989f66
>> (related) >>
cisa_10376640_01
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cisa_10376640_01
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
cisa_10376640_01
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cisa_10376640_01
-
decfc792ded248587084a6329217380e
>> (related) >>
cisa_10376640_01
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cisa_10376640_01
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
cisa_10376640_01
-
01185a4f21be653f13b885a655da2239
>> (related) >>
cisa_10376640_01
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cisa_10376640_01
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cisa_10376640_01
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
cisa_10376640_01
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
cisa_10376640_01
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cisa_10376640_01
20220418_1900
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
20220418_1900
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
20220418_1900
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
20220418_1900
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
20220418_1900
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
20220418_1900
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
20220418_1900
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
20220418_1900
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
20220418_1900
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
20220418_1900
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
20220418_1900
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
20220418_1900
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
20220418_1900
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
20220418_1900
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
20220418_1900
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
20220418_1900
-
9475a59226943a3ad422e18169989f66
>> (related) >>
20220418_1900
-
01185a4f21be653f13b885a655da2239
>> (related) >>
20220418_1900
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
20220418_1900
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
20220418_1900
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
20220418_1900
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
20220418_1900
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
20220418_1900
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
20220418_1900
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
20220418_1900
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
20220418_1900
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
20220418_1900
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
20220418_1900
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
20220418_1900
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
20220418_1900
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
20220418_1900
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
20220418_1900
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
20220418_1900
-
decfc792ded248587084a6329217380e
>> (related) >>
20220418_1900
isacc
References:
Titles (0)
Sentences (0)
Links:
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
isacc
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
isacc
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
isacc
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
isacc
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
isacc
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
isacc
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
isacc
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
isacc
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
isacc
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
isacc
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
isacc
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
isacc
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
isacc
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
isacc
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
isacc
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
isacc
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
isacc
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
isacc
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
isacc
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
isacc
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
isacc
-
9475a59226943a3ad422e18169989f66
>> (related) >>
isacc
-
decfc792ded248587084a6329217380e
>> (related) >>
isacc
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
isacc
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
isacc
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
isacc
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
isacc
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
isacc
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
isacc
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
isacc
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
isacc
-
01185a4f21be653f13b885a655da2239
>> (related) >>
isacc
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
isacc
md5_2
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
md5_2
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
md5_2
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
md5_2
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
md5_2
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
md5_2
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
md5_2
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
md5_2
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
md5_2
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
md5_2
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
md5_2
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
md5_2
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
md5_2
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
md5_2
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
md5_2
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
md5_2
-
9475a59226943a3ad422e18169989f66
>> (related) >>
md5_2
-
01185a4f21be653f13b885a655da2239
>> (related) >>
md5_2
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
md5_2
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
md5_2
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
md5_2
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
md5_2
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
md5_2
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
md5_2
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
md5_2
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
md5_2
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
md5_2
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
md5_2
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
md5_2
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
md5_2
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
md5_2
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
md5_2
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
md5_2
-
decfc792ded248587084a6329217380e
>> (related) >>
md5_2
sha256_2
References:
Titles (0)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha256_2
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
sha256_2
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
sha256_2
-
9475a59226943a3ad422e18169989f66
>> (related) >>
sha256_2
-
01185a4f21be653f13b885a655da2239
>> (related) >>
sha256_2
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha256_2
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha256_2
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha256_2
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
sha256_2
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha256_2
-
decfc792ded248587084a6329217380e
>> (related) >>
sha256_2
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha256_2
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha256_2
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha256_2
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha256_2
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
sha256_2
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha256_2
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
sha256_2
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha256_2
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha256_2
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha256_2
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
sha256_2
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
sha256_2
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha256_2
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
sha256_2
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha256_2
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
sha256_2
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha256_2
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
sha256_2
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
sha256_2
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
sha256_2
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
sha256_2
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
sha256_2
md5_3
References:
Titles (0)
Sentences (0)
Links:
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
md5_3
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
md5_3
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
md5_3
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
md5_3
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
md5_3
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
md5_3
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
md5_3
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
md5_3
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
md5_3
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
md5_3
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
md5_3
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
md5_3
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
md5_3
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
md5_3
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
md5_3
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
md5_3
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
md5_3
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
md5_3
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
md5_3
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
md5_3
-
9475a59226943a3ad422e18169989f66
>> (related) >>
md5_3
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
md5_3
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
md5_3
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
md5_3
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
md5_3
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
md5_3
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
md5_3
-
01185a4f21be653f13b885a655da2239
>> (related) >>
md5_3
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
md5_3
-
decfc792ded248587084a6329217380e
>> (related) >>
md5_3
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
md5_3
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
md5_3
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
md5_3
sha256_3
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sha256_3
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sha256_3
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
sha256_3
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sha256_3
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sha256_3
-
9475a59226943a3ad422e18169989f66
>> (related) >>
sha256_3
-
decfc792ded248587084a6329217380e
>> (related) >>
sha256_3
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sha256_3
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sha256_3
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
sha256_3
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
sha256_3
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sha256_3
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
sha256_3
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
sha256_3
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
sha256_3
-
01185a4f21be653f13b885a655da2239
>> (related) >>
sha256_3
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sha256_3
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
sha256_3
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sha256_3
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sha256_3
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
sha256_3
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
sha256_3
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sha256_3
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sha256_3
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sha256_3
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
sha256_3
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
sha256_3
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
sha256_3
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sha256_3
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sha256_3
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sha256_3
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
sha256_3
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
sha256_3
30-04
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
30-04
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
30-04
-
9475a59226943a3ad422e18169989f66
>> (related) >>
30-04
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
30-04
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
30-04
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
30-04
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
30-04
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
30-04
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
30-04
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
30-04
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
30-04
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
30-04
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
30-04
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
30-04
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
30-04
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
30-04
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
30-04
-
decfc792ded248587084a6329217380e
>> (related) >>
30-04
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
30-04
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
30-04
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
30-04
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
30-04
-
01185a4f21be653f13b885a655da2239
>> (related) >>
30-04
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
30-04
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
30-04
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
30-04
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
30-04
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
30-04
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
30-04
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
30-04
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
30-04
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
30-04
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
30-04
corrupting
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
corrupting
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
corrupting
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
corrupting
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
corrupting
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
corrupting
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
corrupting
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
corrupting
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
corrupting
-
01185a4f21be653f13b885a655da2239
>> (related) >>
corrupting
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
corrupting
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
corrupting
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
corrupting
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
corrupting
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
corrupting
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
corrupting
-
9475a59226943a3ad422e18169989f66
>> (related) >>
corrupting
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
corrupting
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
corrupting
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
corrupting
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
corrupting
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
corrupting
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
corrupting
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
corrupting
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
corrupting
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
corrupting
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
corrupting
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
corrupting
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
corrupting
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
corrupting
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
corrupting
-
decfc792ded248587084a6329217380e
>> (related) >>
corrupting
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
corrupting
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
corrupting
data--
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
data--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
data--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
data--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
data--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
data--
-
decfc792ded248587084a6329217380e
>> (related) >>
data--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
data--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
data--
-
9475a59226943a3ad422e18169989f66
>> (related) >>
data--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
data--
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
data--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
data--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
data--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
data--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
data--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
data--
-
01185a4f21be653f13b885a655da2239
>> (related) >>
data--
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
data--
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
data--
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
data--
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
data--
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
data--
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
data--
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
data--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
data--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
data--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
data--
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
data--
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
data--
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
data--
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
data--
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
data--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
data--
--
References:
Titles (0)
Sentences (0)
Links:
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
--
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
--
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
--
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
--
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
--
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
--
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
--
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
--
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
--
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
--
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
--
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
--
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
--
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
--
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
--
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
--
-
9475a59226943a3ad422e18169989f66
>> (related) >>
--
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
--
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
--
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
--
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
--
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
--
-
01185a4f21be653f13b885a655da2239
>> (related) >>
--
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
--
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
--
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
--
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
--
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
--
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
--
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
--
-
decfc792ded248587084a6329217380e
>> (related) >>
--
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
--
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
--
physicaldrive0
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
physicaldrive0
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
physicaldrive0
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
physicaldrive0
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
physicaldrive0
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
physicaldrive0
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
physicaldrive0
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
physicaldrive0
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
physicaldrive0
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
physicaldrive0
-
01185a4f21be653f13b885a655da2239
>> (related) >>
physicaldrive0
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
physicaldrive0
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
physicaldrive0
-
decfc792ded248587084a6329217380e
>> (related) >>
physicaldrive0
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
physicaldrive0
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
physicaldrive0
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
physicaldrive0
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
physicaldrive0
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
physicaldrive0
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
physicaldrive0
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
physicaldrive0
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
physicaldrive0
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
physicaldrive0
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
physicaldrive0
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
physicaldrive0
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
physicaldrive0
-
9475a59226943a3ad422e18169989f66
>> (related) >>
physicaldrive0
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
physicaldrive0
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
physicaldrive0
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
physicaldrive0
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
physicaldrive0
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
physicaldrive0
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
physicaldrive0
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
physicaldrive0
logical
References:
Titles (0)
Sentences (0)
Links:
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
logical
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
logical
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
logical
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
logical
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
logical
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
logical
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
logical
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
logical
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
logical
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
logical
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
logical
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
logical
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
logical
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
logical
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
logical
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
logical
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
logical
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
logical
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
logical
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
logical
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
logical
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
logical
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
logical
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
logical
-
9475a59226943a3ad422e18169989f66
>> (related) >>
logical
-
01185a4f21be653f13b885a655da2239
>> (related) >>
logical
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
logical
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
logical
-
decfc792ded248587084a6329217380e
>> (related) >>
logical
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
logical
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
logical
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
logical
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
logical
erasing
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
erasing
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
erasing
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
erasing
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
erasing
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
erasing
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
erasing
-
01185a4f21be653f13b885a655da2239
>> (related) >>
erasing
-
9475a59226943a3ad422e18169989f66
>> (related) >>
erasing
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
erasing
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
erasing
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
erasing
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
erasing
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
erasing
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
erasing
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
erasing
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
erasing
-
decfc792ded248587084a6329217380e
>> (related) >>
erasing
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
erasing
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
erasing
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
erasing
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
erasing
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
erasing
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
erasing
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
erasing
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
erasing
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
erasing
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
erasing
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
erasing
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
erasing
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
erasing
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
erasing
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
erasing
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
erasing
corrupt
References:
Titles (0)
Sentences (0)
Links:
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
corrupt
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
corrupt
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
corrupt
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
corrupt
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
corrupt
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
corrupt
-
9475a59226943a3ad422e18169989f66
>> (related) >>
corrupt
-
01185a4f21be653f13b885a655da2239
>> (related) >>
corrupt
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
corrupt
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
corrupt
-
decfc792ded248587084a6329217380e
>> (related) >>
corrupt
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
corrupt
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
corrupt
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
corrupt
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
corrupt
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
corrupt
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
corrupt
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
corrupt
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
corrupt
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
corrupt
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
corrupt
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
corrupt
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
corrupt
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
corrupt
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
corrupt
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
corrupt
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
corrupt
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
corrupt
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
corrupt
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
corrupt
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
corrupt
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
corrupt
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
corrupt
overwriting
References:
Titles (0)
Sentences (0)
Links:
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
overwriting
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
overwriting
-
01185a4f21be653f13b885a655da2239
>> (related) >>
overwriting
-
9475a59226943a3ad422e18169989f66
>> (related) >>
overwriting
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
overwriting
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
overwriting
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
overwriting
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
overwriting
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
overwriting
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
overwriting
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
overwriting
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
overwriting
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
overwriting
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
overwriting
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
overwriting
-
decfc792ded248587084a6329217380e
>> (related) >>
overwriting
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
overwriting
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
overwriting
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
overwriting
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
overwriting
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
overwriting
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
overwriting
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
overwriting
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
overwriting
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
overwriting
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
overwriting
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
overwriting
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
overwriting
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
overwriting
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
overwriting
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
overwriting
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
overwriting
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
overwriting
mersenne
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
mersenne
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
mersenne
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
mersenne
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
mersenne
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
mersenne
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
mersenne
-
9475a59226943a3ad422e18169989f66
>> (related) >>
mersenne
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
mersenne
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
mersenne
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
mersenne
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
mersenne
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
mersenne
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
mersenne
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
mersenne
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
mersenne
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
mersenne
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
mersenne
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
mersenne
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
mersenne
-
decfc792ded248587084a6329217380e
>> (related) >>
mersenne
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
mersenne
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
mersenne
-
01185a4f21be653f13b885a655da2239
>> (related) >>
mersenne
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
mersenne
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
mersenne
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
mersenne
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
mersenne
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
mersenne
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
mersenne
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
mersenne
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
mersenne
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
mersenne
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
mersenne
twister
References:
Titles (0)
Sentences (0)
Links:
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
twister
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
twister
-
01185a4f21be653f13b885a655da2239
>> (related) >>
twister
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
twister
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
twister
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
twister
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
twister
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
twister
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
twister
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
twister
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
twister
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
twister
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
twister
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
twister
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
twister
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
twister
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
twister
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
twister
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
twister
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
twister
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
twister
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
twister
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
twister
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
twister
-
9475a59226943a3ad422e18169989f66
>> (related) >>
twister
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
twister
-
decfc792ded248587084a6329217380e
>> (related) >>
twister
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
twister
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
twister
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
twister
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
twister
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
twister
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
twister
relationship
References:
Titles (0)
Sentences (0)
Links:
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
relationship
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
relationship
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
relationship
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
relationship
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
relationship
-
decfc792ded248587084a6329217380e
>> (related) >>
relationship
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
relationship
-
9475a59226943a3ad422e18169989f66
>> (related) >>
relationship
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
relationship
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
relationship
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
relationship
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
relationship
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
relationship
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
relationship
-
01185a4f21be653f13b885a655da2239
>> (related) >>
relationship
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
relationship
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
relationship
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
relationship
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
relationship
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
relationship
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
relationship
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
relationship
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
relationship
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
relationship
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
relationship
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
relationship
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
relationship
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
relationship
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
relationship
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
relationship
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
relationship
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
relationship
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
relationship
posture
References:
Titles (0)
Sentences (0)
Links:
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
posture
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
posture
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
posture
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
posture
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
posture
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
posture
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
posture
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
posture
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
posture
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
posture
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
posture
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
posture
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
posture
-
decfc792ded248587084a6329217380e
>> (related) >>
posture
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
posture
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
posture
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
posture
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
posture
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
posture
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
posture
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
posture
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
posture
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
posture
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
posture
-
01185a4f21be653f13b885a655da2239
>> (related) >>
posture
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
posture
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
posture
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
posture
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
posture
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
posture
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
posture
-
9475a59226943a3ad422e18169989f66
>> (related) >>
posture
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
posture
reviewed
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
reviewed
-
decfc792ded248587084a6329217380e
>> (related) >>
reviewed
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
reviewed
-
01185a4f21be653f13b885a655da2239
>> (related) >>
reviewed
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
reviewed
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
reviewed
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
reviewed
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
reviewed
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
reviewed
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
reviewed
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
reviewed
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
reviewed
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
reviewed
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
reviewed
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
reviewed
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
reviewed
-
9475a59226943a3ad422e18169989f66
>> (related) >>
reviewed
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
reviewed
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
reviewed
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
reviewed
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
reviewed
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
reviewed
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
reviewed
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
reviewed
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
reviewed
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
reviewed
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
reviewed
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
reviewed
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
reviewed
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
reviewed
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
reviewed
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
reviewed
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
reviewed
unwanted
References:
Titles (0)
Sentences (0)
Links:
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
unwanted
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
unwanted
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unwanted
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
unwanted
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unwanted
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
unwanted
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unwanted
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
unwanted
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
unwanted
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
unwanted
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
unwanted
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
unwanted
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unwanted
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unwanted
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unwanted
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
unwanted
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unwanted
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unwanted
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
unwanted
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unwanted
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
unwanted
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unwanted
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unwanted
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unwanted
-
decfc792ded248587084a6329217380e
>> (related) >>
unwanted
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unwanted
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unwanted
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unwanted
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unwanted
-
01185a4f21be653f13b885a655da2239
>> (related) >>
unwanted
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
unwanted
-
9475a59226943a3ad422e18169989f66
>> (related) >>
unwanted
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
unwanted
up-to-date
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
up-to-date
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
up-to-date
-
9475a59226943a3ad422e18169989f66
>> (related) >>
up-to-date
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
up-to-date
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
up-to-date
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
up-to-date
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
up-to-date
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
up-to-date
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
up-to-date
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
up-to-date
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
up-to-date
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
up-to-date
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
up-to-date
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
up-to-date
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
up-to-date
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
up-to-date
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
up-to-date
-
decfc792ded248587084a6329217380e
>> (related) >>
up-to-date
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
up-to-date
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
up-to-date
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
up-to-date
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
up-to-date
-
01185a4f21be653f13b885a655da2239
>> (related) >>
up-to-date
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
up-to-date
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
up-to-date
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
up-to-date
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
up-to-date
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
up-to-date
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
up-to-date
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
up-to-date
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
up-to-date
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
up-to-date
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
up-to-date
printer
References:
Titles (0)
Sentences (0)
Links:
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
printer
-
01185a4f21be653f13b885a655da2239
>> (related) >>
printer
-
9475a59226943a3ad422e18169989f66
>> (related) >>
printer
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
printer
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
printer
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
printer
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
printer
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
printer
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
printer
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
printer
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
printer
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
printer
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
printer
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
printer
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
printer
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
printer
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
printer
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
printer
-
decfc792ded248587084a6329217380e
>> (related) >>
printer
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
printer
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
printer
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
printer
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
printer
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
printer
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
printer
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
printer
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
printer
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
printer
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
printer
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
printer
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
printer
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
printer
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
printer
unless
References:
Titles (0)
Sentences (0)
Links:
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
unless
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unless
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unless
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unless
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unless
-
decfc792ded248587084a6329217380e
>> (related) >>
unless
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unless
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unless
-
9475a59226943a3ad422e18169989f66
>> (related) >>
unless
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unless
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
unless
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unless
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unless
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unless
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unless
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unless
-
01185a4f21be653f13b885a655da2239
>> (related) >>
unless
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
unless
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
unless
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
unless
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
unless
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
unless
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
unless
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
unless
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unless
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unless
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unless
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
unless
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
unless
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
unless
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
unless
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
unless
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unless
exercise
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
exercise
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
exercise
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
exercise
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
exercise
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
exercise
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
exercise
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
exercise
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
exercise
-
01185a4f21be653f13b885a655da2239
>> (related) >>
exercise
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
exercise
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
exercise
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
exercise
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
exercise
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
exercise
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
exercise
-
9475a59226943a3ad422e18169989f66
>> (related) >>
exercise
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
exercise
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
exercise
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
exercise
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
exercise
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
exercise
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
exercise
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
exercise
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
exercise
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
exercise
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
exercise
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
exercise
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
exercise
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
exercise
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
exercise
-
decfc792ded248587084a6329217380e
>> (related) >>
exercise
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
exercise
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
exercise
deny
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
deny
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
deny
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
deny
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
deny
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
deny
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
deny
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
deny
-
9475a59226943a3ad422e18169989f66
>> (related) >>
deny
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
deny
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
deny
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
deny
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
deny
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
deny
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
deny
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
deny
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
deny
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
deny
-
decfc792ded248587084a6329217380e
>> (related) >>
deny
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
deny
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
deny
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
deny
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
deny
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
deny
-
01185a4f21be653f13b885a655da2239
>> (related) >>
deny
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
deny
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
deny
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
deny
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
deny
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
deny
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
deny
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
deny
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
deny
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
deny
unsolicited
References:
Titles (0)
Sentences (0)
Links:
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unsolicited
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
unsolicited
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unsolicited
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
unsolicited
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
unsolicited
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
unsolicited
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
unsolicited
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unsolicited
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unsolicited
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
unsolicited
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
unsolicited
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
unsolicited
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
unsolicited
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unsolicited
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
unsolicited
-
01185a4f21be653f13b885a655da2239
>> (related) >>
unsolicited
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unsolicited
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unsolicited
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unsolicited
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
unsolicited
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
unsolicited
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
unsolicited
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unsolicited
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unsolicited
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
unsolicited
-
9475a59226943a3ad422e18169989f66
>> (related) >>
unsolicited
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unsolicited
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unsolicited
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unsolicited
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unsolicited
-
decfc792ded248587084a6329217380e
>> (related) >>
unsolicited
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unsolicited
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unsolicited
scanned
References:
Titles (0)
Sentences (0)
Links:
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
scanned
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
scanned
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
scanned
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
scanned
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
scanned
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
scanned
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
scanned
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
scanned
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
scanned
-
01185a4f21be653f13b885a655da2239
>> (related) >>
scanned
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
scanned
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
scanned
-
decfc792ded248587084a6329217380e
>> (related) >>
scanned
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
scanned
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
scanned
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
scanned
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
scanned
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
scanned
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
scanned
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
scanned
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
scanned
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
scanned
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
scanned
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
scanned
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
scanned
-
9475a59226943a3ad422e18169989f66
>> (related) >>
scanned
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
scanned
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
scanned
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
scanned
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
scanned
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
scanned
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
scanned
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
scanned
habits
References:
Titles (0)
Sentences (0)
Links:
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
habits
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
habits
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
habits
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
habits
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
habits
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
habits
-
9475a59226943a3ad422e18169989f66
>> (related) >>
habits
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
habits
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
habits
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
habits
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
habits
-
decfc792ded248587084a6329217380e
>> (related) >>
habits
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
habits
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
habits
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
habits
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
habits
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
habits
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
habits
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
habits
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
habits
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
habits
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
habits
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
habits
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
habits
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
habits
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
habits
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
habits
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
habits
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
habits
-
01185a4f21be653f13b885a655da2239
>> (related) >>
habits
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
habits
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
habits
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
habits
unfavorable
References:
Titles (0)
Sentences (0)
Links:
-
9475a59226943a3ad422e18169989f66
>> (related) >>
unfavorable
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unfavorable
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unfavorable
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unfavorable
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unfavorable
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unfavorable
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
unfavorable
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
unfavorable
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unfavorable
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
unfavorable
-
01185a4f21be653f13b885a655da2239
>> (related) >>
unfavorable
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
unfavorable
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unfavorable
-
decfc792ded248587084a6329217380e
>> (related) >>
unfavorable
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
unfavorable
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unfavorable
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
unfavorable
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unfavorable
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unfavorable
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
unfavorable
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
unfavorable
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unfavorable
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
unfavorable
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unfavorable
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
unfavorable
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unfavorable
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unfavorable
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
unfavorable
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unfavorable
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
unfavorable
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
unfavorable
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unfavorable
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
unfavorable
cds
References:
Titles (0)
Sentences (0)
Links:
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
cds
-
01185a4f21be653f13b885a655da2239
>> (related) >>
cds
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
cds
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
cds
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
cds
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
cds
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
cds
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
cds
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
cds
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
cds
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
cds
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
cds
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
cds
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
cds
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
cds
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
cds
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
cds
-
9475a59226943a3ad422e18169989f66
>> (related) >>
cds
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
cds
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
cds
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
cds
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
cds
-
decfc792ded248587084a6329217380e
>> (related) >>
cds
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
cds
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
cds
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
cds
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
cds
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
cds
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
cds
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
cds
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
cds
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
cds
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
cds
situational
References:
Titles (0)
Sentences (0)
Links:
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
situational
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
situational
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
situational
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
situational
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
situational
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
situational
-
9475a59226943a3ad422e18169989f66
>> (related) >>
situational
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
situational
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
situational
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
situational
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
situational
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
situational
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
situational
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
situational
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
situational
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
situational
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
situational
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
situational
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
situational
-
decfc792ded248587084a6329217380e
>> (related) >>
situational
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
situational
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
situational
-
01185a4f21be653f13b885a655da2239
>> (related) >>
situational
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
situational
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
situational
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
situational
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
situational
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
situational
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
situational
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
situational
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
situational
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
situational
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
situational
acls
References:
Titles (0)
Sentences (0)
Links:
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
acls
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
acls
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
acls
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
acls
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
acls
-
01185a4f21be653f13b885a655da2239
>> (related) >>
acls
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
acls
-
9475a59226943a3ad422e18169989f66
>> (related) >>
acls
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
acls
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
acls
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
acls
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
acls
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
acls
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
acls
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
acls
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
acls
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
acls
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
acls
-
decfc792ded248587084a6329217380e
>> (related) >>
acls
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
acls
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
acls
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
acls
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
acls
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
acls
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
acls
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
acls
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
acls
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
acls
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
acls
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
acls
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
acls
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
acls
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
acls
nist
References:
Titles (0)
Sentences (0)
Links:
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
nist
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
nist
-
01185a4f21be653f13b885a655da2239
>> (related) >>
nist
-
9475a59226943a3ad422e18169989f66
>> (related) >>
nist
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
nist
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
nist
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
nist
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
nist
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
nist
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
nist
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
nist
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
nist
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
nist
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
nist
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
nist
-
decfc792ded248587084a6329217380e
>> (related) >>
nist
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
nist
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
nist
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
nist
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
nist
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
nist
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
nist
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
nist
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
nist
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
nist
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
nist
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
nist
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
nist
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
nist
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
nist
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
nist
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
nist
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
nist
800-83
References:
Titles (0)
Sentences (0)
Links:
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
800-83
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
800-83
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
800-83
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
800-83
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
800-83
-
decfc792ded248587084a6329217380e
>> (related) >>
800-83
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
800-83
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
800-83
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
800-83
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
800-83
-
01185a4f21be653f13b885a655da2239
>> (related) >>
800-83
-
9475a59226943a3ad422e18169989f66
>> (related) >>
800-83
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
800-83
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
800-83
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
800-83
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
800-83
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
800-83
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
800-83
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
800-83
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
800-83
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
800-83
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
800-83
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
800-83
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
800-83
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
800-83
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
800-83
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
800-83
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
800-83
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
800-83
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
800-83
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
800-83
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
800-83
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
800-83
1-888-282-0870
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
1-888-282-0870
-
decfc792ded248587084a6329217380e
>> (related) >>
1-888-282-0870
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
1-888-282-0870
-
01185a4f21be653f13b885a655da2239
>> (related) >>
1-888-282-0870
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
1-888-282-0870
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
1-888-282-0870
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
1-888-282-0870
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
1-888-282-0870
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
1-888-282-0870
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
1-888-282-0870
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
1-888-282-0870
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
1-888-282-0870
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
1-888-282-0870
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
1-888-282-0870
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
1-888-282-0870
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
1-888-282-0870
-
9475a59226943a3ad422e18169989f66
>> (related) >>
1-888-282-0870
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
1-888-282-0870
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
1-888-282-0870
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
1-888-282-0870
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
1-888-282-0870
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
1-888-282-0870
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
1-888-282-0870
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
1-888-282-0870
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
1-888-282-0870
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
1-888-282-0870
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
1-888-282-0870
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
1-888-282-0870
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
1-888-282-0870
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
1-888-282-0870
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
1-888-282-0870
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
1-888-282-0870
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
1-888-282-0870
desk
References:
Titles (0)
Sentences (0)
Links:
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
desk
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
desk
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
desk
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
desk
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
desk
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
desk
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
desk
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
desk
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
desk
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
desk
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
desk
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
desk
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
desk
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
desk
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
desk
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
desk
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
desk
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
desk
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
desk
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
desk
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
desk
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
desk
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
desk
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
desk
-
decfc792ded248587084a6329217380e
>> (related) >>
desk
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
desk
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
desk
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
desk
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
desk
-
01185a4f21be653f13b885a655da2239
>> (related) >>
desk
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
desk
-
9475a59226943a3ad422e18169989f66
>> (related) >>
desk
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
desk
unclass
References:
Titles (0)
Sentences (0)
Links:
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
unclass
-
9475a59226943a3ad422e18169989f66
>> (related) >>
unclass
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
unclass
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
unclass
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
unclass
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
unclass
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
unclass
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
unclass
-
01185a4f21be653f13b885a655da2239
>> (related) >>
unclass
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
unclass
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
unclass
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
unclass
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
unclass
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
unclass
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
unclass
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
unclass
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
unclass
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
unclass
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
unclass
-
decfc792ded248587084a6329217380e
>> (related) >>
unclass
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
unclass
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
unclass
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
unclass
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
unclass
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
unclass
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
unclass
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
unclass
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
unclass
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
unclass
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
unclass
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
unclass
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
unclass
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
unclass
sipr
References:
Titles (0)
Sentences (0)
Links:
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
sipr
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
sipr
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
sipr
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
sipr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
sipr
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
sipr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
sipr
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
sipr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
sipr
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
sipr
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
sipr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
sipr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
sipr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
sipr
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
sipr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
sipr
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
sipr
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
sipr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
sipr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
sipr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
sipr
-
decfc792ded248587084a6329217380e
>> (related) >>
sipr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
sipr
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
sipr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
sipr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
sipr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
sipr
-
01185a4f21be653f13b885a655da2239
>> (related) >>
sipr
-
9475a59226943a3ad422e18169989f66
>> (related) >>
sipr
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
sipr
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
sipr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
sipr
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
sipr
siprnet
References:
Titles (0)
Sentences (0)
Links:
-
9475a59226943a3ad422e18169989f66
>> (related) >>
siprnet
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
siprnet
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
siprnet
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
siprnet
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
siprnet
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
siprnet
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
siprnet
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
siprnet
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
siprnet
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
siprnet
-
01185a4f21be653f13b885a655da2239
>> (related) >>
siprnet
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
siprnet
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
siprnet
-
decfc792ded248587084a6329217380e
>> (related) >>
siprnet
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
siprnet
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
siprnet
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
siprnet
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
siprnet
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
siprnet
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
siprnet
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
siprnet
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
siprnet
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
siprnet
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
siprnet
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
siprnet
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
siprnet
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
siprnet
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
siprnet
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
siprnet
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
siprnet
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
siprnet
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
siprnet
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
siprnet
jwics
References:
Titles (0)
Sentences (0)
Links:
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
jwics
-
01185a4f21be653f13b885a655da2239
>> (related) >>
jwics
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
jwics
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
jwics
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
jwics
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
jwics
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
jwics
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
jwics
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
jwics
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
jwics
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
jwics
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
jwics
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
jwics
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
jwics
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
jwics
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
jwics
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
jwics
-
9475a59226943a3ad422e18169989f66
>> (related) >>
jwics
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
jwics
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
jwics
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
jwics
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
jwics
-
decfc792ded248587084a6329217380e
>> (related) >>
jwics
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
jwics
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
jwics
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
jwics
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
jwics
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
jwics
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
jwics
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
jwics
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
jwics
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
jwics
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
jwics
strives
References:
Titles (0)
Sentences (0)
Links:
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
strives
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
strives
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
strives
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
strives
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
strives
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
strives
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
strives
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
strives
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
strives
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
strives
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
strives
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
strives
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
strives
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
strives
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
strives
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
strives
-
9475a59226943a3ad422e18169989f66
>> (related) >>
strives
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
strives
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
strives
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
strives
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
strives
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
strives
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
strives
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
strives
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
strives
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
strives
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
strives
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
strives
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
strives
-
01185a4f21be653f13b885a655da2239
>> (related) >>
strives
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
strives
-
decfc792ded248587084a6329217380e
>> (related) >>
strives
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
strives
answering
References:
Titles (0)
Sentences (0)
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
answering
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
answering
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
answering
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
answering
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
answering
-
9475a59226943a3ad422e18169989f66
>> (related) >>
answering
-
decfc792ded248587084a6329217380e
>> (related) >>
answering
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
answering
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
answering
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
answering
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
answering
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
answering
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
answering
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
answering
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
answering
-
01185a4f21be653f13b885a655da2239
>> (related) >>
answering
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
answering
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
answering
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
answering
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
answering
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
answering
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
answering
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
answering
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
answering
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
answering
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
answering
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
answering
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
answering
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
answering
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
answering
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
answering
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
answering
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
answering
faq
References:
Titles (0)
Sentences (0)
Links:
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
faq
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
faq
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
faq
-
9475a59226943a3ad422e18169989f66
>> (related) >>
faq
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
faq
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
faq
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
faq
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
faq
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
faq
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
faq
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
faq
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
faq
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
faq
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
faq
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
faq
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
faq
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
faq
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
faq
-
decfc792ded248587084a6329217380e
>> (related) >>
faq
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
faq
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
faq
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
faq
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
faq
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
faq
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
faq
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
faq
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
faq
-
01185a4f21be653f13b885a655da2239
>> (related) >>
faq
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
faq
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
faq
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
faq
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
faq
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
faq
mifr
References:
Titles (0)
Sentences (0)
Links:
-
decfc792ded248587084a6329217380e
>> (related) >>
mifr
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
mifr
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
mifr
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
mifr
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
mifr
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
mifr
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
mifr
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
mifr
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
mifr
-
9475a59226943a3ad422e18169989f66
>> (related) >>
mifr
-
01185a4f21be653f13b885a655da2239
>> (related) >>
mifr
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
mifr
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
mifr
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
mifr
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
mifr
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
mifr
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
mifr
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
mifr
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
mifr
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
mifr
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
mifr
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
mifr
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
mifr
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
mifr
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
mifr
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
mifr
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
mifr
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
mifr
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
mifr
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
mifr
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
mifr
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
mifr
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
mifr
timely
References:
Titles (0)
Sentences (0)
Links:
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
timely
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
timely
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
timely
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
timely
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
timely
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
timely
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
timely
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
timely
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
timely
-
01185a4f21be653f13b885a655da2239
>> (related) >>
timely
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
timely
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
timely
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
timely
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
timely
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
timely
-
decfc792ded248587084a6329217380e
>> (related) >>
timely
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
timely
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
timely
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
timely
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
timely
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
timely
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
timely
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
timely
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
timely
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
timely
-
9475a59226943a3ad422e18169989f66
>> (related) >>
timely
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
timely
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
timely
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
timely
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
timely
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
timely
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
timely
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
timely
edited
References:
Titles (0)
Sentences (0)
Links:
-
decfc792ded248587084a6329217380e
>> (related) >>
edited
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
edited
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
edited
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
edited
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
edited
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
edited
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
edited
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
edited
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
edited
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
edited
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
edited
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
edited
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
edited
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
edited
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
edited
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
edited
-
9475a59226943a3ad422e18169989f66
>> (related) >>
edited
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
edited
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
edited
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
edited
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
edited
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
edited
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
edited
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
edited
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
edited
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
edited
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
edited
-
01185a4f21be653f13b885a655da2239
>> (related) >>
edited
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
edited
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
edited
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
edited
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
edited
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
edited
anonymous
References:
Titles (0)
Sentences (1)
- We recently updated our anonymous product survey; we'd welcome your feedback.
Links:
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
anonymous
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
anonymous
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
anonymous
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
anonymous
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
anonymous
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
anonymous
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
anonymous
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
anonymous
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
anonymous
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
anonymous
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
anonymous
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
anonymous
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
anonymous
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
anonymous
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
anonymous
-
9475a59226943a3ad422e18169989f66
>> (related) >>
anonymous
-
01185a4f21be653f13b885a655da2239
>> (related) >>
anonymous
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
anonymous
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
anonymous
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
anonymous
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
anonymous
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
anonymous
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
anonymous
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
anonymous
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
anonymous
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
anonymous
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
anonymous
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
anonymous
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
anonymous
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
anonymous
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
anonymous
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
anonymous
-
decfc792ded248587084a6329217380e
>> (related) >>
anonymous
homepage
References:
Titles (0)
Sentences (0)
Links:
-
5ed93c823af444567d6fac7c5b868db8,
worm.hermetic
>> (related) >>
homepage
-
decfc792ded248587084a6329217380e
>> (related) >>
homepage
-
023be81d5f495e7428cde5d930ecf8ce,
trojan.killdisk
>> (related) >>
homepage
-
8156382b4b0f02a7467108b32103b82a
>> (related) >>
homepage
-
b63a5c496bdfc65b0a87074ddb5ea3ea
>> (related) >>
homepage
-
d2ceb15c0042bf0981352c5e7af10677,
regsvr32.exe
>> (related) >>
homepage
-
d7ed7d880b3eed5eae7787055766502c
>> (related) >>
homepage
-
cd29db9b4e978a706ddf3195b7a6b9b9
>> (related) >>
homepage
-
e099d3524b6906cf8460b4e6db0b11f2
>> (related) >>
homepage
-
87728459f7938f00f8d53d0bd6e6a337
>> (related) >>
homepage
-
01185a4f21be653f13b885a655da2239
>> (related) >>
homepage
-
0efd6cfc0613f20a06fa0746b2d5b8bc,
trojan.gen.mbt
>> (related) >>
homepage
-
c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.dll also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 5 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 6 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a tags trojan details name cleaner.exe size 11264 bytes type pe32 executable (gui) intel 80386, for ms windows md5 8061889aaebd955ba6fb493abe7a4de1 sha1 e9b96e9b86fad28d950ca428879168e0894d854f sha256 afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a sha512 27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09 ssdeep 192:9clgiv30i+0kxn+rgrvb865vpkmsuw089mnceflggo4c6z5c:gmyly5rvy6xw0zqslggpc6 entropy 5.628275 antivirus avira tr/crypt.xpack.gen8 eset a variant of win32/killmbr.nhp trojan trend micro trojan.9faba348 trend micro housecall trojan.9faba348 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-24 04:48:46-05:00 import hash fd8214e8ca810e64eb947f522acbead7 pe sections md5 name raw size entropy c1ecc108a6c84989eb4102d2d387c3cb header 1024 2.235812 12bbe2ed84c503c161528eb9c65e06b7 .text 7680 6.297084 a84958d0a1ba6ccf7f68b0f082a1c656 .rdata 1536 3.901725 9475a59226943a3ad422e18169989f66 .data 512 0.020393 4c8100d03804167a977995936cfbf536 .reloc 512 2.937988 description cleaner.exe is a 32-bit executable file (exe) which has been identified as another variant of the isaacwiper. it can be executed immediately or has a sleep function for 15 minutes. when executed, it attempts to overwrite the first 65536 bytes of data contained on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random data that is generated via the mersenne twister algorithm. cleaner.exe also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. the filename created will begin with the letters "tmf" and the remaining part of the filename will be randomly generated alphanumerical characters. displayed below is the format of the file installed: --begin file-- filename: "c:\'tmd[4 randomly generated characters]\tmf[4 randomly generated alphanumerical characters].tmp" sample: "c:\tmd21d9.tmp\tmf1e9e.tmp" --end file-- analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine. screenshots figure 7 - this screenshot illustrates the malware overwriting the first 65536 bytes of the c:\ drive, or attached storage disk, using random encrypted data generated via the mersenne twister algorithm. figure 8 - this screenshot illustrates a sample file created by the malware. this malware will write random encrypted data to this file until the c:\ drive and attached storage devices runs out of space. this is just one method the malware utilizes in an attempt to corrupt the victim user's machine. figure 9 - this screenshot show the executable's sleep function. 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 tags backdoortrojanviruswiper details name cleaner.dll size 224768 bytes type pe32 executable (dll) (console) intel 80386, for ms windows md5 ecce8845921a91854ab34bff2623151e sha1 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950 sha256 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 sha512 36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0 ssdeep 6144:pju6yx1p7lver8spd/xzl0russbaofyv:ju1pzvpudf0russbkv entropy 6.612476 antivirus ahnlab trojan/win.isaacwiper avira tr/killmbr.hlwrn bitdefender trojan.generickd.39120112 clamav win.malware.isaacwiper-9940626-0 cyren w32/killmbr.gbhg-3949 eset win32/killmbr.nhq trojan emsisoft trojan.generickd.39120112 (b) ikarus virus.wiper.isaac k7 trojan ( 0058efff1 ) lavasoft trojan.generickd.39120112 mcafee rdn/generic.dx quick heal apexcfc.backdoor.gen sophos troj/wiper-f symantec trojan.gen.mbt trend micro trojan.6050981d trend micro housecall trojan.6050981d virusblokada trojan.agentb zillya! trojan.killmbr.win32.666 yara rules rule cisa_10376640_01 : trojan wiper isaacwiper { meta: author = "cisa code & media analysis" incident = "10376640" date = "2022-03-14" last_modified = "20220418_1900" actor = "n/a" category = "trojan wiper" family = "isaacwiper" description = "detects isacc wiper samples" md5_1 = "aa98b92e3320af7a1639de1bac6c17cc" sha256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f" md5_2 = "8061889aaebd955ba6fb493abe7a4de1" sha256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a" md5_3 = "ecce8845921a91854ab34bff2623151e" sha256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033" strings: $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6e 00 67 } $s1 = { 6c 00 6f 00 67 00 69 00 63 00 61 00 6c } $s2 = { 46 00 41 00 49 00 4c 00 45 00 44 } $s3 = { 5c 00 6c 00 6f 00 67 00 2e 00 74 00 78 00 74 } $s4 = { 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f } $s5 = {53 74 61 72 74 40 34} $s6 = {3b 57 34 74 2d 6a} $s7 = {43 6c 65 61 6e 65 72 2e} condition: all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7) } ssdeep matches no matches found. pe metadata compile date 2022-02-25 10:48:07-05:00 import hash a4b162717c197e11b76a4d9bc58ea25d pe sections md5 name raw size entropy 28378e0c1da3cce94aa72585f5559fc6 header 1024 2.656680 06d63fddf89fae3948764028712c36d6 .text 150528 6.676976 48f101db632bb445c21a10fd5501e343 .rdata 60416 5.634639 5efc98798d0979e69e2a667fc20e3f24 .data 4096 3.256171 9676f7c827fb9388358aaba3e4bd0cc6 .reloc 8704 6.433076 packers/compilers/cryptors borland delphi 3.0 (???) description this application is a 32-bit dll which has been identified as another variant of the isaacwiper. it attempts to overwrite the first 65536 bytes of data on the c:\ drive and on attached storage disks in order to render them useless to the victim user. the malware also overwrites the victim user's files so they cannot be recovered. the data used to overwrite the disk drives and user files is random encrypted data that is generated via the mersenne twister algorithm. the malware also attempts to create a directory in the root directory of attached storage disks. the malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the mersenne twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. the name of the folder created will begin with the letters "tmd" and the remaining part of the folder name will be random. the filename created will begin with the letters "tmf" and the remaining part of the folder name will be random. this malware creates a log file in the location c:\programdata\log.txt.
>> (related) >>
homepage
-
abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f,
wizard.dll
>> (related) >>
homepage
-
5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48,
0959bf541d52b6e2915420442bf44ce8,
afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a,
e9b96e9b86fad28d950ca428879168e0894d854f,
ac5b6f16fc5115f0e2327a589246ba00b41439c2,
worm.win32.agent,
exec_x32.dll,
cleaner.exe,
malcert-s.oe
>> (related) >>
homepage
-
99ec3d78dee2e180fa53da106a9a7540
>> (related) >>
homepage
-
6ca6e4584fdfe512c2567bc3df334540,
apexcfc.backdoor.gen
>> (related) >>
homepage
-
0802be27b58612f1b2648b8a57d1acfd,
exploit-dcomrpc.c.gen
>> (related) >>
homepage
-
90d5fe0b84e27aef0c20e1f645feb2b0,
bscope.trojan.agent
>> (related) >>
homepage
-
9475a59226943a3ad422e18169989f66
>> (related) >>
homepage
-
1e9e616d75f50f562b0d56edc472a8ea
>> (related) >>
homepage
-
d77cbf49cf473a8235a67912f0edd78f
>> (related) >>
homepage
-
6e7013478def0b223ed6acb0a52fad70,
log.txt
>> (related) >>
homepage
-
463a2a119664cff0f6ea5941379a7700
>> (related) >>
homepage
-
32ec2dc9dc4b9fc8f96ac18835fea101
>> (related) >>
homepage
-
84a3f07cc1f758d0993531a1da9e3f6a,
trojan.agent
>> (related) >>
homepage
-
60a3ce8706953c03b2a4f22e43dccb26
>> (related) >>
homepage
-
ecce8845921a91854ab34bff2623151e,
13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033,
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950,
mar-10376640-1.v1.stix
>> (related) >>
homepage
-
aa98b92e3320af7a1639de1bac6c17cc,
ad602039c6f0237d4a997d5640e92ce5e2b3bba3,
2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b,
cleaner.dll
>> (related) >>
homepage
-
8061889aaebd955ba6fb493abe7a4de1,
e9b96e9b86fad28d950ca428879168e0894d854f
>> (related) >>
homepage
-
31b2ae0f6a40196c4bce89d36302d545
>> (related) >>
homepage
-
3c54c9a49a8ddca02189fe15fea52fe24f41a86f,
6b5958bfabfe7c731193adb96880b225c8505b73,
a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec,
517d2b385b846d6ea13b75b8adceb061,
58d71fff346017cf8311120c69c9946a,
trojan.wh,
romance.dll,
trojan.win32.trjgen.jngwij
>> (related) >>
homepage
-
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
>> (related) >>
homepage
27874dca36c2ebe3ac240c3c6592093ef8cd09611ede1e16de22357bea35dfb70065c2545b6381a19198139b9591e2f4fe0f882483f418a9bd2e0c2f126a0b09
References:
Titles (0)
Sentences (0)
Links:
36fda34df70629d054a55823a3cc83f9599446b36576fbc86a6aac6564460789e8b141eeb168d3e4578f28182da874dd840e57b642af1a1a315dfe08a17b53e0
References:
Titles (0)
Sentences (0)
Links:
survey
References:
Titles (0)
Sentences (1)
- We recently updated our anonymous product survey; we'd welcome your feedback.
Links:
welcome
References:
Titles (0)
Sentences (1)
- We recently updated our anonymous product survey; we'd welcome your feedback.
Links:
Resources
Links
Github (0)
Pastebin (0)
Text_files (0)
Other (15)
- https://twitter.com/share?url=https%3A%2F%2Fus-cert.cisa.gov%2Fncas%2Fanalysis-reports%2Far22-115b
- https://www.facebook.com/sharer.php?u=https%3A%2F%2Fus-cert.cisa.gov%2Fncas%2Fanalysis-reports%2Far22-115b
- http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fus-cert.cisa.gov%2Fncas%2Fanalysis-reports%2Far22-115b
- https://urldefense.com/v3/__http://www.cisa.gov/tlp__;!!JNdenfMLDA!LNXHZ4Rf3AihcgBNvFgLO9AtNz2IgnpTFGSw-lLAVqnujsXN2azjHR4Kr_ZHtGtlgouUYw%24
- https://us-cert.cisa.gov/uscert/sites/default/files/publications/MAR-10376640.r1.v1.WHITE_stix.xml
- mailto:CISAservicedesk@cisa.dhs.gov
- mailto:NCCIC@dhs.sgov.gov
- mailto:NCCIC@dhs.ic.gov
- https://urldefense.com/v3/__https://us-cert.cisa.gov/forms/feedback/__;!!JNdenfMLDA!LNXHZ4Rf3AihcgBNvFgLO9AtNz2IgnpTFGSw-lLAVqnujsXN2azjHR4Kr_ZHtGuwDhcnyw%24
- https://malware.us-cert.gov
- mailto:submit@malware.us-cert.gov
- https://urldefense.com/v3/__http://www.cisa.gov__;!!JNdenfMLDA!LNXHZ4Rf3AihcgBNvFgLO9AtNz2IgnpTFGSw-lLAVqnujsXN2azjHR4Kr_ZHtGunTXTRhA%24
- https://us-cert.cisa.gov/uscert/privacy/notification
- https://www.dhs.gov/privacy-policy
- https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/analysis-reports/ar22-115b
Images
Expand (16)
- https://us-cert.cisa.gov/sites/default/files/icons/print-button.png
- https://us-cert.cisa.gov/sites/default/files/icons/tweet-button.png
- https://us-cert.cisa.gov/sites/default/files/icons/facebook-send-button.png
- https://us-cert.cisa.gov/sites/default/files/icons/share-button.png
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAasAAADoCAYAAABRqssbAAAK5WlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96Y0WiICU0Jv0FkBK6AGkd1EJSUhCCSEFFRsqgyM4FlREUBnQEREFR0faWBALtkGwgH1ABhV1HCzYUJkLPMLMvPXeW2+vdXK+7LvPPnvfdc5a/wWAksIWi7NgFQCyRTJJdJAvPTEpmY57DGBAA3igAYhsjlTMjIwMA4hNz3+3d70AmphvWE/k+vfn/9XUuDwpBwAoBeE0rpSTjXA7Mr5yxBIZACiEgdFimXiCf0NYXYIUiPCHCeZPMpo8wWlTTJ+MiY32Q9gJADyZzZbwASD7IH56HoeP5CGnImwn4gpFCG9G2IsjYHMR7kZ4TnZ2zgR/RtgciRcDQDFGmJH2l5z8v+VPU+Rns/kKnupr0vD+Qqk4i730/3w1/9uys+TTe5gigyyQBEdPMXQ7MydUwaK08IhpFnKn46HbAnlw3DRzpH7J08xl+4cq1maFh01zujCQpcgjY8VOM08aEDPNkpxoxV7pEj/mNLMlM/vKM+MUfgGPpcifL4hNmOY8YXz4NEszY0JnYvwUfok8WlE/TxTkO7NvoKL3bOlf+hWyFGtlgthgRe/smfp5IuZMTmmiojYuzz9gJiZOES+W+Sr2EmdFKuJ5WUEKvzQvRrFWhhzOmbWRineYwQ6JnGYQCwRADkSAC3hAAtJADsgCMkAH/kAIpECM/GMD5DjJeEtkE8355YiXSoR8gYzORG4gj84ScWzm0B3sHBwAmLjPU0fkDW3ynkK0yzO+3HYA3IoRJ3/GxzYCoPUxANR3Mz6j11N35WQ3Ry7Jm/KhJ34wgAiUgTrQAnrACJgDa+AAXIAH8AEBIAREIJ0kgYWAg/STjXSyGCwHq0ERKAGbwXZQAarAXnAAHAZHQTM4Ac6AC+AK6Aa3wD3QD4bAczAC3oExCIJwEAWiQlqQPmQCWUEOEAPyggKgMCgaSoJSIT4kguTQcmgtVAKVQhVQNVQH/Qi1QmegS1APdAcagIah19AnGAWTYXVYFzaFbWEGzIRD4Vh4AcyHc+F8uBDeCJfDNfAhuAk+A1+Bb8H98HN4FAVQJBQNZYCyRjFQfqgIVDIqHSVBrUQVo8pQNagGVBuqE3UD1Y96gfqIxqKpaDraGu2BDkbHoTnoXPRK9AZ0BfoAugl9Dn0DPYAeQX/FUDA6GCuMO4aFScTwMYsxRZgyzH7Mccx5zC3MEOYdFoulYc2wrthgbBI2A7sMuwG7G9uIbcf2YAexozgcTgtnhfPEReDYOBmuCLcTdwh3GncdN4T7gCfh9fEO+EB8Ml6EX4Mvwx/En8Jfxz/BjxFUCCYEd0IEgUtYSthE2EdoI1wjDBHGiKpEM6InMZaYQVxNLCc2EM8T7xPfkEgkQ5IbKYokJBWQyklHSBdJA6SPZDWyJdmPnEKWkzeSa8nt5DvkNxQKxZTiQ0mmyCgbKXWUs5SHlA9KVCUbJZYSV2mVUqVSk9J1pZfKBGUTZabyQuV85TLlY8rXlF+oEFRMVfxU2CorVSpVWlX6VEZVqar2qhGq2aobVA+qXlJ9qoZTM1ULUOOqFartVTurNkhFUY2oflQOdS11H/U8dUgdq26mzlLPUC9RP6zepT6ioabhpBGvsUSjUuOkRj8NRTOlsWhZtE20o7Re2qdZurOYs3iz1s9qmHV91nvN2Zo+mjzNYs1GzVuan7ToWgFamVpbtJq1HmijtS21o7QXa+/RPq/9Yrb6bI/ZnNnFs4/OvqsD61jqROss09mrc1VnVFdPN0hXrLtT96zuCz2ano9eht42vVN6w/pUfS99of42/dP6z+gadCY9i15OP0cfMdAxCDaQG1QbdBmMGZoZxhmuMWw0fGBENGIYpRttM+owGjHWN55nvNy43viuCcGEYSIw2WHSafLe1Mw0wXSdabPpUzNNM5ZZvlm92X1zirm3ea55jflNC6wFwyLTYrdFtyVs6WwpsKy0vGYFW7lYCa12W/XMwcxxmyOaUzOnz5pszbTOs663HrCh2YTZrLFptnlpa2ybbLvFttP2q52zXZbdPrt79mr2IfZr7NvsXztYOnAcKh1uOlIcAx1XObY4vnKycuI57XG67Ux1nue8zrnD+YuLq4vEpcFl2NXYNdV1l2sfQ50RydjAuOiGcfN1W+V2wu2ju4u7zP2o+x8e1h6ZHgc9ns41m8ubu2/uoKehJ9uz2rPfi+6V6vW9V7+3gTfbu8b7kY+RD9dnv88TpgUzg3mI+dLXzlfie9z3vZ+73wq/dn+Uf5B/sX9XgFpAXEBFwMNAw0B+YH3gSJBz0LKg9mBMcGjwluA+li6Lw6pjjYS4hqwIORdKDo0JrQh9FGYZJglrmwfPC5m3dd79cJNwUXhzBIhgRWyNeBBpFpkb+XMUNioyqjLqcbR99PLozhhqzKKYgzHvYn1jN8XeizOPk8d1xCvHp8TXxb9P8E8oTehPtE1ckXglSTtJmNSSjEuOT96fPDo/YP72+UMpzilFKb0LzBYsWXBpofbCrIUnFykvYi86lopJTUg9mPqZHcGuYY+msdJ2pY1w/Dg7OM+5Ptxt3GGeJ6+U9yTdM700/Snfk7+VPyzwFpQJXgj9hBXCVxnBGVUZ7zMjMmszx7MSshqz8dmp2a0iNVGm6FyOXs6SnB6xlbhI3J/rnrs9d0QSKtkvhaQLpC0ydUQ4XZWby7+RD+R55VXmfVgcv/jYEtUloiVXl1ouXb/0SX5g/g/L0Ms4yzqWGyxfvXxgBXNF9UpoZdrKjlVGqwpXDRUEFRxYTVydufqXNXZrSte8XZuwtq1Qt7CgcPCboG/qi5SKJEV96zzWVX2L/lb4bdd6x/U7138t5hZfLrErKSv5vIGz4fJ39t+Vfze+MX1j1yaXTXs2YzeLNvdu8d5yoFS1NL90cOu8rU3b6NuKt73dvmj7pTKnsqodxB3yHf3lYeUtO413bt75uUJQcavSt7Jxl86u9bve7+buvr7HZ09DlW5VSdWn74Xf364Oqm6qMa0p24vdm7f38b74fZ0/MH6o26+9v2T/l1pRbf+B6APn6lzr6g7qHNxUD9fL64cPpRzqPux/uKXBuqG6kdZYcgQckR959mPqj71HQ492HGMca/jJ5Kddx6nHi5ugpqVNI82C5v6WpJae1pDWjjaPtuM/2/xce8LgROVJjZObThFPFZ4aP51/erRd3P7iDP/MYMeijntnE8/ePBd1rut86PmLFwIvnO1kdp6+6HnxxCX3S62XGZebr7hcabrqfPX4L86/HO9y6Wq65nqtpdutu61nbs+p697Xz9zwv3HhJuvmlVvht3p643pv96X09d/m3n56J+vOq7t5d8fuFdzH3C9+oPKg7KHOw5pfLX5t7HfpPzngP3D1Ucyje4Ocwee/SX/7PFT4mPK47In+k7qnDk9PDAcOdz+b/2zoufj52Iui31V/3/XS/OVPf/j8cXUkcWToleTV+OsNb7Te1L51etsxGjn68F32u7H3xR+0Phz4yPjY+Snh05OxxZ9xn8u/WHxp+xr69f549vi4mC1hT0oBFDLg9HQAXtciejkJ0Q6IlibOn9LbkwZNfSNMEvhPPKXJJ80FgFofAOIKAAhDNMoeZJggTEbmCZkU6wNgR0fF+JdJ0x0dpnKREbWJ+TA+/kYXAFwbAF8k4+Nju8fHv+xDir0DQHvulM6fMCzy9VNqpqVMsugJzS0A/7Cpb4C/9PjPGUxU4AT+Of8JizUh8jnksS0AADtFSURBVHic7d17fBNV/jfwTxpMEEiktReEspQWf9CLqyBS0EcFFwqyFH/uKopWcbcKLijWy/P6ubqPFV8qeC3UH7pIvUDl566uu9JILZRnUVdpg1JctK1c0qIttyYUmyCPGU3m+WOY6SSZmSSTaZk03/fr5etlezoz50zCnJwzk/MxsCzLghBCCNGxpLNdAUIIISQc6qwIIYToHnVWhBBCdI86K0IIIbpHnRUhhBDdi6izam11Ysy459HR0RNVWbQYxoeZRW/CaCmH0VKO+x/8MKIyQoi+MAzw8jof3G562FgPfD6gts4Pr/ds10S9QWe7AmIff3IIx7o8OHn4EVit5ojL1GAYH+bOq8bNNxXgztLJEW1Tv92B+x+qxc5PFsNqNavaRzTqtzsw5/qNWL54KipeuLbPjzfQtbWzeOt//MLPZhPwhyVJsFoNIX9TOMWA2bO4z3L2XX5srQ+96Ir/Rmo7JfZdfnz0MSsc3+cDNr3tQ1ISsOAGI15Z50OPm/tbYxJw68IkZGVx9bRt8WPPl731EbdDqSxe8Ofi0LfAvLkGTJrYez5dLhavveGHlwk9L2rLgMD3RmoqUHqHEWaz/Ll2nUDAe4k3b64Bw4cbZMvEbYmm7dG8d4PbAHAd1Z4vWXR3+1Byi1GxDnqlq86qpaULmSOtkp2RUtlAlplhwa7PO+F2ezF4sK5errgk/kds3+XHK+v8Af/o9+1nce1sA/Z+xcLrBcxmoHBKEgqncKOFqjd8KFkYevGX2k5J4ZQkdDn9qPnAj5JbjPhitx+nfuDqBgBGI3D7rdwF1b7Lj9qt/oCLj9KFL5KLol4xDPBqlQ/XzkkC4A8p2/S2H7Nmcu1zubiL8+/vSMLgwQZVZVYrd35372HxXw8ZJV83qfNptQKPPdp70efrnZJsQFaWQbZM/Lvg95JS2wHl965SG9raWXR1sUhNBQwGoGmPPy7fH7I1bm11IuWCp2G0lKNgyn/DfYqJqEyJeDujpRxVr30BAFhT2QCjpRwPPFqH+n+1wWgpR/KIp9HR0aNYJrVP8fSg0vHOPf8J7Ghox5IyG4yWcgw5/wns+Kg9+jOo0L5I6gIAi+/ejAf/d51QLm6fZZgZc4ouxDvvfhVyvMV3bxb2F9y+Oxe/j6wLX0DBJS/h5lveCShXqks8aWtn8cRTPjTtCf2HHYnJlybhgguABjv3yZlhgBMnWOTnJWHwYODo0cimsNRuN3tWEk6cALZt9+PTz1jMnZ0kebHMyTaA8QJeb+xTamrOmcvF4pnnfHjiKe6/rfXctsFTfS4Xi9WVgVN/jjY2ZDslJhNwz1IjssaEjgQ7D7M4xwTk5yUJ+3Z7gIMOVnUZwwCffyF/7iO150s/hg9HwGgtkrJI2x5M/N5VaoPPB+z63I/587i2F81MQksrK0wH2rb4sW27X3h9n3lOv1O3kh/VPR4G187fiGefLMKdpZPR2urEnOINYcuUtLY6MWP263jv7YWYMX2s8HNOzvm4b/k03Ld8GtZUNuDDuv2oq10kbKdUBgAVa3YKdQluw4KFf8W/dy3D6NHnweNhcGnhy8Lx/nD3FM2n1NTUZcb0sQCArfUHcGjfg7BazVh892Zs3XYAY8YkAwBmzczBCxU7cfttEwP2++qfr8Orf75OOL9zijdgdtGFAID3alrw2T/vxNzrqnHBBRa8+NQcNLc4I6pLojAagWTRp93OwyzS0gwYMgQYl2PAvgNs2AtMLNuZTMDUQgO21rMonGKQ3abBzn0qFo/mPqhl8UGtD0DolI9SmRoNdlYYlUTjJwZobmHx2KNGuFwsNlT7Mf7CyM6NFKeThdUCYXquo5NFXi7gdAE//aSuzO1mce65wHcdLDZu4jrT4KnccOeT7yzmzQ09P0plsRC/d5XaYDQCNy8wgjkznjCbETINeNDBomx577TnQQeLSRP1N20s2Vk12jswbKgJC268KKoyJdvqD+KSghHCBTE3Nw3z506Aw3Eipotkfl46lpTZ8Lf3mgM6ss7OHhw+7kZW3ovC78ymvp2rjaUuZfdOE6Y4+Q6ofrsDAJCXl44RI4aFjPz4e1o869Def0GFk0Zh9OjhMJ1jxPziCdi791jEdYkX2WMDp1ti4fMBn37mR0E+9480J9uAzTZ/2Ck9tdsFczoDP836fBAuPPwFUkztNKCac5aexl2wW1qju99xjgnCJ/rkZAPS0oDuk+o7K55tix89PSyWLjHCtsUfc5nLBWRmctN6/FScuFMNN60azagq+P7n6pekO8hohWuDkqlTDMJ7tfjX+p0ejPubIPzIq367A0ZLOWZdmY262kXoPOzGyAyLMFqJ97rML56Ap1d+DKORezN5PAyWLbdhu+0OYaQayQj3bJwXvfL5gJMnWRTkG3DyJIujR4FD3/Z+ijYmcVN6Sv/g1W4HcNNmn37G3ev65w424F4Cf89q2DDgtTf8+OgTf0wXs1jw9+z4KcTssaGfzvtDWho/CuWOL379hg9XVwZwHwamX8WdW5MJGDPGEHGnyr+Gv70+9LWRKovk/mcktGxDvJB892eOssLVfRq7m46AYXy4974twn0ppTIlRbPG4cuvjwmjg9ZWJ2pqv0FOzvmaNGTWzBx8vesetO53oqOjB1MLR+PUD4zkvR4AMJmMyM5ORnOLM+JjiNsOAA5HNw60uYSpN7V1icTVV2VhyJBz0HH4ewDcCMl9qvc51Io1OyN6HbSoi17wF89I7oVIqa3z4+hRburO0cZi1Cjukyn/38xfcVN6StRuxz9KXFBgwGWTkzD9agMad7Ehjxanphow/WoDvvyS1eReQiz3+bLHGrB0SRJcZ6bPAMDvA7q7wz8a/e13rHCu1cocZUBKMjD+QkPIPtWWJScbcM45QHMLdz5cLhb797MBD0MoabCzyMiQHlUplcVK/N6NtQ3xQnJklZubhj8+dBVmFr8JAHjuiSIc7zoVtkxJbm4aql+/QdjObDJiy3u3xTQFyD/KvaOhd3ps3epijB59HgDgw5rbccU167GkzMbVISdVeOwcAO6/73Jccc16VL7aGFF9gtvObzN69Hkx1yUck8mIsvsuF6b9+GlUvi6/WzgRmSOsYfdjsZhiroteWC3cI7zBU2hKXC7gmed77z+ULTdi0CBg3/7eqTxeWpoBH33sx7RCVvLTr8/HPQUY7XYAd7E59QNw05lPwxMvSUKj3Yd33/NhwQ2Boxa+rMHOYvYsbn/i+yh9+Xi6+FFq3ry5BuFYl002CNOVl1xswKkfel+Ln5jeaS7+cfFwdWQYBDy2z49Y+am4mxckhTyCzu9TbdncOVwZfz7nzQ28fyh3rvlOQW5UJVempu3Dhxsk37v89F24NgwEBooIIfGKv5BmZMQ2308I0b+4v2dFEhN/ozrWG9OEkPhAIytCSL8JnuoSk1pZghAedVaEEEJ0j+ZPCCGE6B51VoQQQnSPOitCyFkxEGIrSP+hpwEJOYN/FL4gX7tVy9Xusz9jMqQeehAfUyl2RO0+gYERW0H6D3VWhOhMf8dkDB5swDkmoOxergNqa2fx7t/8GJfT+6VmqfXxwtVFaZ8DJbaC9B/qrEjc4sPmtMhvEi8wyq8cIB4piEcQQO/FO7gO/IhiwgQDhp8HxX3KtYGPivD5gM92BtZTKe5i+HCoKgtegQMALFbAbFZ+hFypLkr7FMdWvPt3P4pmJmFrvR/5eb0ro5vNwJ49LLxMfAZIEu1RZ0UIuAVGJ18qPWXHMMA77/UG3fWG6bHIHmtAyS1Jwqjh43+xmDCh94vKcvtUqy9iMgDppZHEq8ZLxWQo1SXcPgdKbAXpP9RZkbilZUSIErebhcfde+EFuIuvuB7TrzZg9Uv+qFckV9sGrWMyxFN2fPbUb69PiigmQ+0+lcRLbAXpP/QuICQMt4ebwvqvh3pXVn/0j8aQi25qat/XJS3NgLZ2bqpQHHeRlqq+LFhysgEjRsRWF7X7JEQOdVYkbqmNCJGLyeDTV/lpLF7mKMOZ1Fvp47S1s9i9h8Udtxnh9yOgPnL7DFcXOX0RkxHs5EkWTieQkqK+Lmr3GSul86m2jOgDTQOSuKUmIgRQ/vtphQa89oYf9l2BD0PcujAwgoG/b3P4CIu3/+LHrQuTMGRIb1QD0BuWKLdPOf0dk8Ew6uI8TCbt9xkrpddWbRnRB1obkMQtigghJHHQyIrEJYoIISSx0MiKEEKI7tFHUkIIIbpHnRUhhBDdo86KEEKI7kXUWbW2OjFm3PPo6OiJqixaDOPDzKI3YbSUw2gpx/0PfhhRGSGRstvtWLVqFZxOJ1avXo2tW7cOqOMRMlDp6mnAjz85hGNdHpw8/AisVnPEZWowjA9z51Xj5psKcGfp5Jj3J97njoZ2rFtdHLDf1lYnrrhmPXpOeWE2GbHlvdswY/pYAMDiuzfjtU1NABBSRrSVlpYGABg0aBBSgr6h6vP5sGnTJrS3t6O4uBiTJk0SylwuF6qqquD1emE0GlFSUoKsrCwAgM1mQ1MT9/oFlykdjxASOV11Vi0tXcgcaZXsjJTK9MDjYXBp4ct4afU84PnAMobx4ZE/1ePfu5Zh9OjzsKayAfeWfYCdnyyG1WrGq3++Dq/++ToACCkj2rNarTCfWXiO70wYhsG6deswd+7ckL/3+XzYvn07li5dCqvVCrvdjtraWpSWlsJsNqO4uBjFxcUAEFImdzxCSHRkOyvxSAAArEPNEZUpCd6OH32sqWzAA4/WCX9ntJTDOtSMvZ8vw9//0SJbNnr0eSH7XL54KipeuDbi4+1oaMeSMlvEIxrxKEi8T4vFhP0tZWAYH557/tOAbUwmI/7x3i3Cz3l56Th8zIOenh8lOyQ9d8p60tbWhurq6pBRkJLs7GwsXboUAHD77bcLvzeZTLj33nvh8/nw2WefBWxjNBpx8803Cz+npaXB7XbD6/UKnZCYuHOSOx4hJEqsBLfby44Z9zy7vupzlmVZtqWli/1FznPsd999r1impKWli80YvYr95442yZ9ZlmVXr9nJzr72Tcnt5cruWvK+UJfgNhRc/JJQL7fby16YWyEcz+v9mf3VrDckt42UVNsj2W9wW/hzmjTsMTb/4kq2p+dH1XVKJA6Hg3388cfZ3bt3a7bPn3/+md2wYYPiPhsbG9nq6mrhZ6/Xy1ZUVLCPP/44u3btWvbHH+n1I0RrkiOrRnsHhg01YcGNF0VVpmRb/UFcUjBCGLnk5qZh/twJcDhOxHR/Jj8vHUvKbPjbe82oq10k/L6zsweHj7uRlfei8DuzKfY4ifrtDsy5fqPwc6SjSvH2jz+9A3s/Xyb8zmIx4dCBB4XyMf/xgjByJPKys7NRXl7er8dsa2vDjh07hNESwI3KysrKhPKKigphypAQog1d3bNS477l03Df8mmo3+6A0VKOWVdmo652EToPuzEyw4JD+x7UbErN42GwbLkN2213YMb0sWhtdWJO8YaIt19T2SB0VHId0dTC0UhLGYKDjm7qrHTGbrcLHZVcR5SZmYmhQ4eiu7ubOitCNCT56HrmKCtc3aexu+kIGMaHe+/bAvcpJmyZkqJZ4/Dl18ew46N2ANz9pJrab5CTc74mDZk1Mwdf77oHrfud6OjowdTC0Tj1A4N33v1K8u9NJiOys5PR3OKM+BidnT1wn7n/BQAVa3ZG1HYgso4K4EauJpMRl04aGXG9ElVbWxtWrFjRL4+DR9JRAUBnZyeMRiMuuOCCPq8TIYlEcmSVm5uGPz50FWYWvwkAeO6JIhzvOhW2TElubhqqX79B2E6LR7TFj4rz1q0uFjqDD2tuxxXXrMeSMhtXh5zUgKfs7r/vclxxzXpUvtoYUX34qUu+Db9bOBGZI7gLl8fD4KJJL6HjGJfrwD+4sW51Ma64fAxWrNwB9w/egGnJdauLcdOCXwZsF1xHIo9/kMHpjPwDhxyGYfDyyy+jp4f7vmB7eztsNhuKi4vxi1/8Ajt27IDX60VFRYWwTXFxMQoKCgK2S0tLC3gSkBCiDVrIlsQt/ntRGRkZmD179tmuDiGkD8X9PSuSmOx2O+rq6jB16lTqqAhJADSyIoQQonu0kC0hhBDdo86KEEKI7lFnRQghRPcoIoQklIEQ2TEQ2kBItHT1NGC8R4TILZwbC4od0ZZSZIc4BgRAVAvkyqHYEUK0oavOKt4jQq6dvxHPPlmEO0sno7XViRmzX0dOzvmqOwmKHekbchEhb731FoqKijBp0iS4XC68+eabSElJETqJaFHsCCHaoYgQjSJCXn9jd8ACv/xqFzW2bzBj+ljZ7aRW4RC3j2JH5GkZEbJnzx6YTCbk5+cDAFJTUzF+/Hjs27cPWVlZASMdoHfUJR458cxms9AJUewIIRqRWoqdIkIiI277XUveD6mfXJ2Vztk9yz8IOCeR1jURY0e0jAipqakJiP1g2dAoEJ7T6WRffPFFtqenJ6SstraWbW9vD/gdxY4QEjuKCImS2oiQSLZbU9mAi3+ZEfX5SNTYkf6MCOFHcTyp0Y/dbkdGRkbU04YUO0JIeLq6Z6WGXiJC8vPSsbPxO7jdXuF4zS1dyM1NjyhapH67Ax/W7Q/ocCNBsSPaSE9PR0dHR8A0XFdXF9LS0sAwDLZs2YJFixYhKysLLpcroOMCuA7lwIEDKCkpieq4FDtCSGQoIkSjiJCiWeNw5LhHOF79dgfeevffmF88IWy0iMfD4MWKT/HOX3rvYUQi0WNHtIwIycnJgdvtRnNzs7Dvf//73xg/frxwL4nX0NAQ8DPDMNi5cyduvPHGqI5JsSOERI4iQjSKCMnNTcNfq2/CnOs3Sj6wIbcdw/hw/W//Bzsa2pE86umAczP50lEUO6JAy4iQ1NRULFiwANXV1bDZbCGPi48fPx4bNnCj4YkTJwqdi8/nw1/+8he0t7dj1apVAHofNR85ciTFjhCiEVrIVmP84+brXr6OvtfUx/oiIoR/3Ly4uFj1I+uEEO1RZ9UHxA9TiB9DJ9rpy4gQ8cMU4sfQCSFnD3VWhBBCdI8WsiWEEKJ71FkRQgjRPeqsCCGE6B5FhJCEQvEa0ui8EL3T1QoWFBESHbVtSOTYkf6OCFHCP3pfUFAQ1XEodoQkIl11VhQR0vcodqT/IkL6AsWOkEQl++i6VAyIXCxHpN8lijQiRLzP4IiQcHWJNiKEF2tEyJrKBqx//YuAi/fiuzdj8OBBaGlxhox+6rc7cP9Dtdj5yWIcPuyWHZEtvnszLBYz3nirCT2nvIrnhW/D3r3HAurCj6QuuihDODeRjMrqtzuwoOSvkq/tmsoGVWsZaklNRIgcu92O3bt3B1y8bTYbBg0aBKfTGTL6aWtrQ11dHUpLS+HxeGRHZDabDWazGU1NTcK6g0uXLkVrayvq6gJfP360c/z48YC6SH35OZJRWVtbG9555x3J74nZ7XZVaxkSctZILcVOESGRiTQi5K4l77NlD9QG1IkvC1fPu5a8HxDxIW6vXBuC9yH1Gg2E2JH+igipqalh6+rqWK/Xy65du5bt6ekRysS/Y1ku2qOyslKICampqQmI+KipqRHqKxcdErwPqUgSih0hiYYiQqKkJiIkPy8dh779Ho32DgDA1m0HAAC5uekR1bPs3mnCaI2fhlNisZgw/aqxQvDjtvqD+M11+VGtohEPsSP9FRGSnp6O77//Hp2dnQCAgwcPAugNTHS73QHr+xmNga/f1KlThdEaPw2nxGQyISsrSwh+dDgcyMvLi2oVDYodIQONru5ZqREPESF5een4sG4/xv/H+fjDksuwdZsDycmDMeWyUX1ST4BbpPfOJe+js7MHVa/vRq3ttoi3TcTYEaWIkLS0NBw4cADnn38+LrvsMjgcDgwePBijRo2C2+2G1WrVfKHZadOmYfPmzXC73di9e3dU03UUO0IGIooI6YeIkMxRVrhO/D98trMDN95wEYYPH4yWVidycs4PW08lSm3IzU3DpIkj8cq6zzFqpCXiDiWeYkf6KyLEarXi9OnT6OjoQH5+PgYPHgyn04mUlBRkZmaCYRhhu2gYjUYkJydLrhqfmpqKkSNH4osvvoDVao24Q6HYETJQUURIP0SEeDwMXN0/IDV1DNLShqAgPx1/29yMcTkpsFhMYeupRKkN84snYM71G7Fude/Uk8fDDJjYkf6KCGEYBqdPn8aQIUMwZMgQpKeno7m5GSkpKTCZTCgpKUFVVRVsNu71iybSY9q0aaiqqkJjY6NkLAn/AAmPYRiKHSEJiRay1ZieIkLETxzG2+PlkRjoESHiJw6pUyGJLu7vWemNxWLC2spiYfR1tiJCPB4Gd/3hffzp4asHZEfVVxEhJpMJv/71r4WgxbMVEcIwDGpqanDVVVdRR0UIaGQ1IPHfBRN/54zED36lib7I6iIkXlFnRQghRPdo1XVCCCG6R50VIYQQ3aOIEEKI5hgGeHmdD2433WXQA58PqK3zw+sN/7d6paunAeM9IkTue199FRPSF20YyNraWbz1P37hZ7MJ+MOSJFithpC/KZxiwOxZ3Gc5+y4/ttaHXnTFfyO1nRL7Lj8++pgVju/zAZve9iEpCVhwgxGvrPOhh/tKG4xJwK0Lk5CVxdXTtsWPPV/21kfcDqWyeMGfi0PfAvPmGjBpYu/5dLlYvPaGH14m9LyoLQMC3xupqUDpHUaYzfLn2nUCAe8l3ry5BgwfbpAtE7cl2rYDgfURt0Ncf6nXvLaO266724eSW2Jfdu5s0FVnFc8RIXzHMWiQAT7PirNdHSJDfCGy7/LjlXX+gH/Y+/azuHa2AXu/YuH1AmYzUDglCYVTuNFC1Rs+lCwMvfhLbaekcEoSupx+1HzgR8ktRnyx249TP3B1AwCjEbj9Vu5CZN/lR+1Wv1BvQPnCF8lFUa8YBni1yodr5yQB8IeUbXrbj1kzufa5XNwF+vd3JGHwYIOqMquVO7+797D4r4eMkq+b1Pm0WoHHHu296PP1Tkk2ICvLIFsm/l3we0mp7eIPM+J9A1xHXGPzo+xebl9t7Szeerv3/dLWzqKri0VqKmAwAE17/HH5/pCtcWurEykXPA2jpRwFU/47YEklpTIl4u2MlnJUvfYFAG6JH6OlHA88Wof6f7XBaClH8oin0dHRo1gmtU/x9KDS8c49/wlh9QajpRxDzn9CWApKyeK7Nwv7E+/z408OYffeI1i/7j9DtvF4GFx0yX8H1Fk8dSpXT6X2xdKGgaKtncUTT/nQtCf0U2wkJl+ahAsuABrs3CdVhgFOnGCRn5eEwYOBo0cjm8JSu93sWUk4cQLYtt2PTz9jMXd2kuTFMifbAMYLeL2xT6mpOWcuF4tnnvPhiae4/7bWc9sGT/W5XCxWVwZO/Tna2JDtlJhMwD1LjcgaEzoS7DzM4hwTkJ+XJOzb7QEOOljVZQwDfP6F/LmP1J4v/Rg+HAGjtUjKIm37yZMsuruB+fNCL9luD/chjO/0MkcZ4Pdx70OfD9j1uV/YrmhmElpaWWE60LbFj23b/cLr+8xz+p26lRxZSQUJ8gu2KpUp4cMI33t7obAILB9OyC9GK5WRpFQGcOvz8XUJbsOChX8VggT5lSX44/3h7imqptDEAYR822cXXYiWli4UTholhBbyWVP8UkVylOo5Y/pY2fbF0gbCMRqBZNGn3c7DLNLSDBgyBBiXY8C+A2zYC0ws25lMwNRCA7bWsyicYpDdpsHOBlyMAOCDWhYf1PoABI4Ww5Wp0WBnhVFJNH5igOYWFo89aoTLxWJDtR/jL4zs3EhxOllYLRCm5zo6WeTlAk4X8NNP6srcbhbnngt818Fi4yauMw2eyg13PvkOb97c0POjVBYNRxsLkxkwm6XP3eHDXFusVgP2fOnHmVW1YDQCNy8wgjkznjCbETINeNDBomx577TnQQeLSRP1N21MESFRiiQiRNyRhBOunnLtI0D2WEPIlIhaPh/w6Wd+FORz/0hzsg3YbPOHndJTu10wpzPw06zPB+HiyV8gxdROA6o5Z+lp3AW7pTW6+x3nmHpHAsnJBqSlAd0n1XdWPNsWP3p6WCxdYoRtiz/mMpcLyMzkptf4qThxpxpuWjWaUVXw/c/VL0l3kNHIHmvA9KsNwr4uudiA86JYMGfqFIPwXi3+tX6nB3V1z0oNvUSE5OWlY/3rXwREhEQiXD3l2kdi5/Nx0ysF+QacPMni6FHg0Le9n6KNSdxUitLFVe12ADdt9uln3L2uf+5gA+4l8Peshg0DXnvDj48+8au+mMWKv2fHTyFmjw39dN4f0tL4USh3fPHrN3y4ujKA+zAw/Sru3JpMwJgxhog7Vf41/O31oa+NVFkk9z/l2u5xs/B6WcnRFb9f/rhtbSxSUsLuNq5QRIhGESH88cpX/FNyWy/zMw46ukPOWaQRIcHtU9uGgYS/eEZyL0RKbZ0fR49yU3eONhajRnGfrvn/Zv6Km9JTonY7/lHiggIDLpuchOlXG9C4iw15tDg1lfvU/OWXrCb3EmK5z5c91oClS5LgOjN9BgB+H9DdHf7R6G+/Y4VzrVbmKANSkoHxFxpC9qm2LDnZgHPOAZpbuPPhcrHYv58NeBhCSYOdRUaG9KhKqSxaY35hwAUXADUfKL9u/OuQm2uIqydAI0ERIRpFhFgsJnzVdC8umvQSKl9tFNr46CNXw2IxYdndhQHb8edMKSJk8OBBiu1T04aBxGrhHtMNnkJT4nIBzzzfe/+hbLkRgwYB+/b3TuXx0tIM+OhjP6YVspL/8H0+7inAaLcDuAvKqR+Am858op94SRIa7T68+54PC24IHLXwZQ12FrNncfsT30fpy8fTxY9S8+bN7b0QXjbZIExXXnKxAad+6H0tfmJ6p7n4x6zD1ZFhEPDYPj9i5afibl6QFPIIOr9PtWVz53Bl/PmcNzfw/qHcueY7NrlRlVyZ+rZzX2l44qneEfytC5MwerQh4DWK56dBldDagCRu8RfSjAz18/2EkPgQ9/esSGLib1THcmOaEBI/aGRFCOk3wVNdYlIrSxDCo86KEEKI7tH8CSGEEN2jzooQQojuUWdFCDkrBkJsBek/9DQgIWfwj8IX5Gv3PRW1++zPmAyphx7Ex4wlkkQpOmUgxFaQ/kOdFSE6098xGYMHG3COCQERE+/+zY9xOb1fala7FqFcdMpAia0g/Yc6KxK3+E/tWnxjX7zAKL9ygHj0IR6VAL0X6OA68KOUCRMMGH4eFPcp1wY+KsLnAz7bGVhPpbiL4cOhqix4BQ4AsFjlV/iOFB+dcvWVRuw/4BPWSxTHVrz7dz+KZiZha70f+Xm9K6ObzcCePSy8THwGSBLtUWdFCLiFQCdfKj1lxzDAO+/1hjT2humxyB5rQMktScJI5ON/sZgwoXfKS26favVFTAYgvTSSeNV4NZEkctEpAym2gvQf6qxI3NIyIkSJ283C4+69mAPcBV1cDz6iIdoVydW2QeuYDPE0IJ899dvrkyKKyZAqizU6JV5iK0j/oc6KkDDcHm5arCxMiGFqat/Xpa9iMsSSkw0YMSK2esYSnUKIFPrIQuKW2ogQuZgMPjmYnxrjZY4ynEm9lT5OWzuL3XtY3HGbEX4/Auojt89wdZHTFzEZwU6eZOF0IqY8JLXRKbFSOp9qy4g+0MiKxC01ESGA8t9PKzTgtTf8sO8KfBji1oWBMRL8vZnDR1i8/Rc/bl2YhCFDeuMmgN6wRLl9yunvmAyGCR/noRRJEly25K4k1dEpsVJ6bdWWEX2gtQFJ3KKIEEISB42sSFyiiBBCEguNrAghhOgefSQlhBCie9RZEUII0T3qrAghhOgedVYkodjtdqxatQpOpxOrV6/G1q1bz3aVJMVLPQnpL9RZkYSSlpYGABg0aBBSYvnWqwZ8Ph82btyIpqamkDI91ZMQPaDOiiQcq9UK85l1k/hOQY/ipZ6E9Ad6dJ3Erba2NlRXV6O4uBiTJk3SbH9iU6dOxYwZM1BVVYWSkhJYrVa4XC5UV1ejtLRU+LmqqgreM5G34voEl02dOhWzZ8+G3W5HXV1dwLGMRiNKSkqQlZUVc1sIGWjoS8GEAGAYBlu2bMGiRYuQlZWFtrY21NXVYfr06WG3e+edd7B06VJYrVYwDIN169YhJSUFWVlZaGhoQFFRUUhnWlhYiMmTJ2PTpk0oKCjQpLMlZCCjzorErezsbJSXl5/VOrjdbrjdblRUVAi/Mxp7Iz/S09Nhs9nQ0tKCkpKSs1FFQgYE6qwIAWAymZCVlYUNGzYA6J2SM5vNYPiUQAlutxtWqxWlpaXC/SWxwsJCFBYWoq2tDStWrEBOTg51WoSoQJ0ViVv8PSb+PlAsXC4Xurq68PDDD0t2Oj6fD93d3Rg6dChqa2uFe1CZmZlgGAbNzc2KU3nZ2dlYtmwZqqurhQ7OaDQiOTkZTqczproTkgiosyJxi39aTouLfWpqKtLT07Fq1Srhd2azWbgXNWXKFGHUNXHiRJw6dQoANyIrKSlBVVUVbDYbAO7JvdLSUgwaNAibNm1Ce3u7sM/i4mJYrVbh52nTpqGqqgqNjY30gAUhCuhpQBK3fD4fNm3ahIyMjJhHVm1tbQEPSgCAzWaDyWSKed+EkNjR96xIXLLb7XjyySc16aikMAwDh8NB328iRCdoZEUIekdp4ik7Le6FEUK0QZ0VIYQQ3aNpQEIIIbpHnRUhhBDdi6izam11Ysy459HR0RNVWbQYxoeZRW/CaCmH0VKO+x/8MKIyQiKlp+gNPdWFEL3T1fesPv7kEI51eXDy8COwWs0Rl6nBMD7MnVeNm28qwJ2lk2Pe35rKBjzwaF3I75cvnoqKF65VvV+t65nolKI3+IcstFyrT2mfFANCSOR01Vm1tHQhc6RVsjNSKtOD+5ZPw33Lp8HjYXD5la+i1nYbRo8+72xXi0jQU/SGnupCiJ7JPg3Y2urEFdesR88pblkZ61Az9n6+DKNHn6dYpiR4u3Wri3Fn6WTJUQm/z7//o0W2TKou4pFMNMczm4zY8t5tmDF9rGIbFt+9Ga9t6g3L4/fJk+us5OoiVca3IZZ6JgItI0LCRXZQDAghZxkrwe32smPGPc+ur/qcZVmWbWnpYn+R8xz73XffK5YpaWnpYjNGr2L/uaNN8meWZdnVa3ays699U3J7ubK7lrwv1CW4DQUXvyTUy+32shfmVgjH83p/Zn816w3JbSMl1fbg40ZSF7k2aFXPgcrhcLCPP/44u3v3bk329/PPP7MbNmwI2Z/X62XXrl3L9vT0CD9XVlay7e3tLMuybE1NjWwd5PZJCImO5DRgo70Dw4aasODGi6IqU7Kt/iAuKRghjAhyc9Mwf+4EOBwnYhol5OelY0mZDX97rxl1tYuE33d29uDwcTey8l4Ufmc2GaV2EZX67Q7MuX6j8LN1aPhpyXB1kWsDUdZfESEUA0LI2aere1Zq8PeK6rc7YLSUY9aV2airXYTOw26MzLDg0L4HNbvP5fEwWLbchu22OzBj+li0tjoxp3hD2O3C1UWuDUQfKAaEkLNP8tH1zFFWuLpPY3fTETCMD/fetwXuU0zYMiVFs8bhy6+PYcdH3HI2ra1O1NR+g5yc8zVpyKyZOfh61z1o3e9ER0cPphaOxqkfGLzz7leSf28yGZGdnYzmlshX7O7s7IH7zH0lAKhYszOitoeri1wb1NYzUfCdg1aPfMtFdohjQJTwMSBOpxNut1txn4SQ6EiOrHJz0/DHh67CzOI3AQDPPVGE412nwpYpyc1NQ/XrNwjbafGgAP9Y946G3vXc1q0uFh5s+LDmdlxxzXosKeOiG3JzUrHzk8XC6Ob++y7HFdesR+WrjRHVh5+65Nvwu4UTkTnCKvv3PIvFJFuXwYMHKbZBTT0ThZYRITy5yA6KASHk7KK1AUnc0jIihBCib3F/z4okJv6xcFoZnZDEQCMrQgghukcL2RJCCNE96qwIIYToHnVWhBBCdI8iQs6CaM9Za6sTKRc8jarXvujjmg18WsRyuFwuVFRUCN+liuTvV61ahaampvB/rGE9CRlIdPU0YDxHhPD45ZhijQbpS+KFcxPte1vxEssRL/UkpL/oqrOK54gQXo3tG7z07Fxsensv3G6vJvXNzU1D99FHNKgdt2TUtfM34tkni3Bn6WRhyahPd9yVMJEm/R3LkZqaiocffjjq7Sg+hJBesp2VVAxIJGVKIo3sMFrKZSNCxGVaRITsaGjHkjKbJhEhHg+DgwddeOxPM7Cldj92Nx0R9id3ztZUNuCrr49j+w4Hhg01oSAvA+/amoX9io8XfKzLr3wVs4vGoeKVhpC2ywleiHhb/UF0Hvdg67YDcRfuqCYiJDs7G0uXLgUA3H777QFlNpstYKpOKQaE70TsdjuOHz+OtrY2mEwmpKeno7m5WdhWvE/x/hiGQVVVFcaNG4eGBu71E39nTKmehCQkqaXYKSIkMsFt31Z/kC17oFaoL///Suds9Zqd7PCMp9jm5uPsmHHPs2UP1AZsK1dXfp/8OdlWf5AdnvFU2NdBfB7vWvI+m39xJXvTwr8GHC9eaB0RIuZ0OtkXX3yR7enpYb1eL1tRUSEcR1zW2NjIrly5ku3q6mIrKirYuro6trGxka2rqxP2JRUTwu+zurpaaMvKlSuFGBJCSCCKCImSXEQIw/jwzLP/ws03FQDgFu69c8n7cLu9sO/qVDxnhZNGYfTo4TCdY8T84gnYu/dYRHWxDDVj/br/BMAtMGwdZoq4HYvv3ozvvvseX395LxbfvTni7fRE64gQfqTG40dPnZ2dMJlMyM/Pl9wuMzMT5513HoxGI8aPH4/jx49HdDyTyYT58+cDCJzyI4SE0tU9KzX0EhHicHSj6asjwrQiwHWOu5uOaHJsreTlpeOBR+uwfPFU1NUuAsP40NZ2UuhkExXDMNiyZQsWLVokJAOLOy5CyNlFESEaRYRsqz+IKRNHwedZIfy3snwWamzfqD5nfWFq4WjkjE7G/OIJALinLHfvPYLZRReelfrEQsuIELfbLdyPAoCGhgbhZ6vVitOnT+Po0aPw+Xyora0N+FtCSN+jiBANIkJ++skP2wf7QkYneXnpePzpHXig7HJV5yy4ffyobd3qYty04JeRnaQgFosJm9+7NeTR9Xh8ElDLiJDU1FSMHz8eGzZwI+WJEycKMR+pqam48sorhbKioiKcOhX+9eNXhefjQ9rb22Gz2VBcXIyCgsQeyRISLVrIlsQtigghJHHE/T0rkpgoIoSQxEIjqwHG42Fw0aSX0HEsdCmgRFutghAycFBnRQghRPdo1XVCCCG6R50VIYQQ3aOIEJJQ9BS9oae6EKJ3unoaMJ4jQuq3O3D/Q7XC97j6KoKExEZP0Rt6qgsheqeracCBEBFC9E9P0Rt6qgsheib7NKBUpIVcLIe4TEmkESHifQZHhISrS7QRIbxYI0LCjazU1JM/nsVixhtvNaHnlDfic50I1ESEyOEjO0pKSmC1WoW1AUtLS4WfxREh4u93BZeJ62Oz2WA2m9HU1ASv1wuz2YylS5cKq2MQQiIktRQ7RYRERtz2bfUH2fyLK9menh8l96+2nnyMB79fuf0kIi0jQrxeL7t27VohokMcA8KyLFtTUyN5nODtvF4vW1lZyba3twvbrV27lv3xxx8V90MIUUYRIVGSiwjpy3qW3TtNmP589c/XxVL9AUXriBAl6enpsNlsaGlpQUlJifB7t9sNt9uNiooK4XdGY+DrN3XqVGGqr7i4uF/qS8hAo6sHLNTQS0SInupJtFdYWIjCwkJhpfecnByUlJTA7XbDarWitLSU8qgI6UMUEaJRRIj4vABcvtWBNldI9Ea09STytIwIAbiFcbu7uxVjQLKzs7Fs2TI4nU643W5kZmaCYRg0NzdrUgdCiDSKCNEgIoQvE58XcfRGrPUk0rSMCDGZTJgyZUpARAgfAxIc9QFw03n8QxIlJSWoqqqCzca9fmlpaTTSIkRjtDYgiVsUEUJI4oj7e1YkMVFECCGJhUZWhBBCdE9XK1gQQgghUqizIoQQonvUWRFCCNE9igghCUVPsRx6qgsheqerpwHjOSLE42Fw0aSX0HHMDUCb75H1RT0TXX/HcvCP1xcUFIQstksRIYRETlfTgPEeEWI6x4jttjvg86zAyvJZuLfsA7jdoasgkLNLT7EceqoLIXpGESFnxBoR4vEwuLTwZax7+bqAdQM/3XGXZD3FMSB9Uc9EoGVECKAc56EUAyJXxn8XTMxoNKKkpARZWVkx15eQhCK1FDtFhEQm+LwER3vw9VVqe7jzokU9ByotI0JYVj7Ow+l0ss8995wQ+yH+WamMZVn2559/Zjds2ECxIITEiCJCoqQUEcL85BPWBuTX9wOU275377E+OS+JoC8iQqTiPOx2O0aMGCGMhlJTUzF+/Hh0d3fj+PHjsmU0eiJEO7q6Z6XGfcunwedZgQcf+F8wWsoxZy63ECkfvXHy8CPweVbA51mB0ycei6kDEEeE+Dwr8PWue2AdZhLK+XtWX++6B0eOe1C+4p8xt48QQghFhGgWESKWm5uG8j/OwJub9qCjo0ex7eHOi5p6JgqtI0Lk5OTk4NixYzh06BAA7h7Vvn37kJKSolgGcPeokpOTNVkZnpBERhEhGkWEBPv97y5FxUs78eLqnah44VrFtoc7L9HWM1FoGRGiJDU1Fb/5zW+E+JDghySUygBg2rRpqKqqQmNjIz1gQYhKtJAtiVsUEUJI4tDVl4IJiRRFhBCSWGhkRQghRPfi/mlAQgghAx91VoQQQnSPOitCCCG6RxEhZ0G056y11YmUC55G1WtfRH0cNdslKi0iO1wuFyoqKuB2uyP++1WrVqGpqSn8H2uwXTyg6BQiRVcjK3EMiM+zQliQNlyZGnznp/WFvH67I6470744L311rrU20CM7fD4fNm7cqGkH1xf7HOivA1FHV4+ux3tECADU2L7BS8/Oxaa398Lt9mpS39zcNHQffaTftktk/R3ZkZqaiocffrjftosXFJ1CglFEyBmxRoQA3NqBC25+GxvfvBF3/P49PPTg/xL2J3fO/v6PFnz19XFs3+HAsKEmFORl4F1bs7Bf8fGCj3X5la9idtE4VLzSENJ2ue2k6sJvF+68LL57MywWM954qwk9p7wBr4PceQm3T6XoFKXjhdMX8SHi0YNSRAgfLdLa2orjx4+jra0NJpMJ6enpaG5uFrYV71O8P4ZhUFVVhXHjxqGhgXttxd8nk9tOqi78duHiSpTiUeTaHm6fSrEqSscjRJLUUuwUERKZ4LZvqz/Ilj1QK9SX/3+lc7Z6zU52eMZTbHPzcXbMuOfZsgdqA7aVqyu/T/6cbKs/yA7PeCrgdZBro9w5C3de7lryPpt/cSXb0/Oj4n6Cz4vcPsO9JyI9nhSt40PEnE4n++KLL7I9PT2s1+tlKyoqhOOIyxobG9mVK1eyXV1dbEVFBVtXV8c2NjaydXV1wr6kIkT4fVZXVwttWblyJdvT06O4Hcv2xppIUYorkYtHUWq70j7DRadEejxCeBQREiW5iBCG8eGZZ/+Fm28qAMAt3Hvnkvfhdnth39WpeM4KJ43C6NHDYTrHiPnFE7B377GI6mIZasb6df8JgFtgWLwCvBK5cxaJsnunCVObr/75OuH3StEpciJ5T8gdLxyt40P4kRqPn6Lq7OyEyWRCfn6+5HaZmZk477zzYDQaMX78eBw/fjyi45lMJsyfPx9A4JRYOOnp6bDZbGhpaUFJSUlE2/Ck4lEA+bYrcTgcYaNT5I5HiBRd3bNS477l03Df8mnCgw2zrsxGXe0iISLk0L4HNbvPJY4IEacBA4DD0Y2mr45gR0O7sHCu2WTE7qYjmhxbS3LnTC2l8zIQMAyDLVu2YNGiRcL0lvjirSeFhYUoLCwUVqTPycmJutMSi6e2k4GNIkI0igjZVn8QUyaOErKzfJ4VWFk+CzW2b1Sfs74WfM6AvolOkdtnX74ntIwPcbvdwn0XAGhoaBB+tlqtOH36NI4ePQqfz4fa2tqAvz1bsrOzsWzZMjidTuExejVxJUptV9pnuOgUQqJFESEaRIT89JMftg/2CVOAvLy8dDz+9A48UHa5qnMW3D5+1LZudTFuWvBLVdvdfttExXOm5XkRk9un1u8JnpbxIfwUFh8DMnHiROFBgNTUVFx55ZVCWVFREU6dCv/a8ivGt7dzr0N7eztsNhuKi4tRUFCgaruLL744oAzgptfEDy1EG1ei1PZw+wwXnUJINGghWzIgUXwIIQNL3N+zIiQYxYcQMvDQyIoQQoju6Wq5JUIIIUQKdVaEEEJ0jzorQgghukcRISShDPT4iYHePpK4dDWyiueIkPrtDgw5/4mAL7hSlpT+DPT4iYHePpK4dNVZxXNESEtLF3JGp6DG9g0A4ONP2nH15VlRrQRB+sdAj58Y6O0jiYkiQs6INSJkTWUD9h84AYMBKP8/1+C117/Aueeeg0Pffo+KF66V3S6aqA/xdkDo4rHibfsqekNPtIwBsdvtEcd5AL1xF9HEeYi3E9dfjN+W4jUICSK1FDtFhEQmOOpjfdXn7Ct/trOP/KmeXV/1eUjUh9R2kUR9yG0nbs+2+oNCnEa4tscSvaEnWsaARBLnwZOKCFGK85DbrrKyUojMcDgcQmSG1+tl165dK+wj+G8pXoMkIooIiZJcFEZzSxemXDYKV181FnOKN+DTHXfh7/9oCbsdoBz1oSZ6I5K2q43e0BOtY0CU4jyUYjKU4jzUxGu43W643W5UVFQIvzMaA18/itcgiSbul1vSS0QILzc3Dd8efAgAt5Dth3X7VUdoKG1nsZgw/aqxIYvAWq1m2Hdp3/ZEpjYmQ2k7k8mErKyskIVezWYzDh8+DKvVitLS0ohzrAgZ6CgiRMMojP7crrXVieaWLuHpyNMnHhNGqOHaPlBoGQOiJFxMhprtXC4Xurq68PDDD6O8vBx/+tOfhBXJMzMzwTAMmpubtW0IIXGMIkI0ighpazuJKZeNimq7cJS2y81NQ35eOpJHPS38vfhBiXBtHwi0jAFREklMRrTbpaamIj09HatWrRL+XvygRElJCaqqqmCzca9fWloajbRIQqOFbONU/XYHFpT8NeApvsV3b8bQoaaYv4MWL+I5BqStrQ3vvPNOwFN8NpsNJpMp7tpCSH/Q1fesiHoeD4Nt//cg8vMS43s1drsdTz75ZFx2VFIYhoHD4aDvRREig0ZWcUpqClT8/Syib8GJvwAof4sQBdRZEUII0T2aBiSEEKJ71FkRQgjRPYoIIQklkSM0ErntJP7pamQVzxEhQG8sCN+hns14kL5oXyTHO9vtDideIjR8Ph82btwYsAhurOKl7YRI0dVyS/EcEeLxMLh2/kY8+2QR7iydjNZWJ2bMfh05OefH9MXneODxMLi08GW8tHoe8PzZrk14iRyhkchtJ/GNIkLO0CIi5MO6/QGL6fJf0n3i8V8pxoCojfNQqotS+/oqPoR/nP7mmwqE/fUlLSNCAMjGcoSLAVEb5yEXH2K321FXF/j68WsH8msMUnwISThSS7FTREhkxG2/a8n7IXEgfJ2DY0DEbdcqziP4dZBrX7jXIZb4EC3OaTS0jAhxOp3sc889J8RwiH8OjgEJLtMizkMcH8KyLPvzzz+zGzZsCPlbpXpGczxC4g1FhERJTWQHEBgDkpOTgoIJGXA4TmBExjDVcR5q6hLJ6xAv8SFaRoQ4HA6MGDFCWEyWX9evu7sbI0eODIgBSU5ORnp6Orq7uzFs2DDVcR5q4kOU6sn/juJDyECkq3tWauglIiT/TByIWHNLF3Jz0xX3qbaeamNHiLbcbreqOA+1sSOEJCqKCNEoIkSuffOLJ4Ts5+NPDmH33iOYXXSh6jiPcLEjcu3r69ehP2kZEZKTk4Njx47h0KFDALj7UPv27ZN8au7bb7/FkSNHMG7cONVxHuFiR4xGI5KTk0NWlI+mnoQMJBQRokFESLj2eTwMPD94hak+vizSekZbF55c+7R+HTweBhdNegkdx9wAgB0N7VhSZgt4cKMvaBkRkpqait/85jchYYhZWVlgGAYMwwhTfXwZ/9CCmjiPSGJHpk2bhqqqKjQ2NgbUR66ehAxktDZgP/B4GFx+5auotd0W0VN1JDL9FRHCPw0o7qAIIf0r7u9ZkcTEP95NK5UTkhiosyJhBU/ziWkxjahGYWEhCgsL+/WYhJCzh6YBCSGE6J6u1gYkhBBCpFBnRQghRPdijgjpax7mNCatLUWHu6vfj00IUYdhgJfX+eB2012G/uLzAbV1foi+rjeg/H8Jg+eFOlynXAAAAABJRU5ErkJggg==
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAUAAAAGxCAYAAAATXm8WAAAK5mlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96SGhJBABKaE3QToBpIQeQOlVVEISklBCSEHFhsjgCIwFFREsAzrSFBwdARkLYsE2CFasAzKoqONgQVRU5gKPMDNvvffW22udnC/77rPP3neds9Z/ASAnscXiDFgVgEyRTBIZ6EOPT0ik454ACGABBVgCwOZIxczw8FCA2PT8d3t/G4lG7Ib1RK5/f/5fjcLlSTkAQEkIp3ClnEyE25HxlSOWyABAIQyMlsrEE/wbwuoSpECEP0wwf5LRpAlOmWL6ZEx0pC/CjgDgSWy2hA8AyRvx03M4fCQPKRlhWxFXKEJ4M8KeHAGbi3A3wnMyM7Mm+DPC5ki8GACyMcKMlL/k5P8tf4oiP5vNV/BUX5OG9xNKxRns5f/nq/nflpkhn97DFBkkgSQocoqh3vSsEAWLUhaETbOQOx0P9QrkQTHTzJH6Jk4zl+0XolibsSB0mlOFASxFHhkrepp5Uv+oaZZkRSr2SpX4MqeZLZnZV54eo/ALeCxF/lxBdNw05whjF0yzND0qZCbGV+GXyCMV9fNEgT4z+wYoes+U/qVfIUuxViaIDlL0zp6pnydizuSUxitq4/L8/GdiYhTxYpmPYi9xRrginpcRqPBLc6IUa2XI4ZxZG654h2ns4PBpBtFAAORABLiAByQgBWSBDCADdOAHhEAKxMg/NkCOk4y3TDbRnG+WeLlEyBfI6EzkBvLoLBHHZg7d3tbeHoCJ+zx1RN7SJu8pRLs848tuB8C1CHHyZ3xsIwCOPwGA+n7GZ/Rm6q6c7ObIJTlTPvTEDwYQgQpQB1pADxgBc2AN7IEzcAfewB8EgzCkkwSwGHCQfjKRTpaClWAtKATFYDPYDirAXrAP1IJD4AhoASfAGXABXAHd4Ba4D/rAIHgBhsF7MAZBEA4iQ1RIC9KHTCAryB5iQJ6QPxQKRUIJUDLEh0SQHFoJrYOKoVKoAqqC6qAfoePQGegS1APdhfqhIegN9AlGwSRYHdaFTeG5MANmwiFwNLwI5sPZcC5cAG+Ey+Fq+CDcDJ+Br8C34D74BTyCAiglFA1lgLJGMVC+qDBUIioVJUGtRhWhylDVqEZUG6oTdQPVh3qJ+ojGoqloOtoa7Y4OQsegOehs9Gp0CboCXYtuRp9D30D3o4fRXzFkjA7GCuOGYWHiMXzMUkwhpgxzAHMMcx5zCzOIeY/FYmlYM6wLNgibgE3DrsCWYHdjm7Dt2B7sAHYEh8Np4axwHrgwHBsnwxXiduIO4k7jruMGcR/wSnh9vD0+AJ+IF+Hz8WX4evwp/HX8U/wYQZVgQnAjhBG4hOWETYT9hDbCNcIgYYyoRjQjehCjiWnEtcRyYiPxPPEB8a2SkpKhkqtShJJQKU+pXOmw0kWlfqWPJArJkuRLSiLJSRtJNaR20l3SWzKZbEr2JieSZeSN5DryWfIj8gdlqrKNMkuZq7xGuVK5Wfm68isVgoqJClNlsUquSpnKUZVrKi9VCaqmqr6qbNXVqpWqx1XvqI6oUdXs1MLUMtVK1OrVLqk9o+AophR/CpdSQNlHOUsZoKKoRlRfKoe6jrqfep46qI5VN1NnqaepF6sfUu9SH9agaDhqxGos06jUOKnRR0PRTGksWgZtE+0I7Tbt0yzdWcxZvFkbZjXOuj5rVHO2prcmT7NIs0nzluYnLbqWv1a61hatFq2H2mhtS+0I7aXae7TPa7+crT7bfTZndtHsI7Pv6cA6ljqROit09ulc1RnR1dMN1BXr7tQ9q/tSj6bnrZemt03vlN6QPlXfU1+ov03/tP5zugadSc+gl9PP0YcNdAyCDOQGVQZdBmOGZoYxhvmGTYYPjYhGDKNUo21GHUbDxvrG841XGjcY3zMhmDBMBCY7TDpNRk3NTONM15u2mD4z0zRjmeWaNZg9MCebe5lnm1eb37TAWjAs0i12W3RbwpZOlgLLSstrVrCVs5XQardVzxzMHNc5ojnVc+5Yk6yZ1jnWDdb9NjSbUJt8mxabV3ON5ybO3TK3c+5XWyfbDNv9tvftKHbBdvl2bXZv7C3tOfaV9jcdyA4BDmscWh1eO1o58hz3OPY6UZ3mO6136nD64uziLHFudB5yMXZJdtnlcoehzghnlDAuumJcfVzXuJ5w/ejm7CZzO+L2h7u1e7p7vfuzeWbzePP2zxvwMPRge1R59HnSPZM9v/fs8zLwYntVez32NvLmeh/wfsq0YKYxDzJf+dj6SHyO+Yz6uvmu8m33Q/kF+hX5dflT/GP8K/wfBRgG8AMaAoYDnQJXBLYHYYJCgrYE3WHpsjisOtZwsEvwquBzIaSQqJCKkMehlqGS0Lb58Pzg+VvnP1hgskC0oCUMhLHCtoY9DDcLzw7/OQIbER5RGfEk0i5yZWRnFDVqSVR91Pton+hN0fdjzGPkMR2xKrFJsXWxo3F+caVxffFz41fFX0nQThAmtCbiEmMTDySOLPRfuH3hYJJTUmHS7UVmi5YturRYe3HG4pNLVJawlxxNxiTHJdcnf2aHsavZIymslF0pwxxfzg7OC643dxt3iOfBK+U9TfVILU19xvfgb+UPCbwEZYKXQl9hhfB1WlDa3rTR9LD0mvTxjLiMpkx8ZnLmcRFFlC46l6WXtSyrR2wlLhT3Zbtlb88eloRIDkgh6SJpq0wdEU5X5ebyb+T9OZ45lTkflsYuPbpMbZlo2dXllss3LH+aG5D7wwr0Cs6KjpUGK9eu7F/FXFW1GlqdsrpjjdGagjWDeYF5tWuJa9PX/pJvm1+a/25d3Lq2At2CvIKBbwK/aShULpQU3lnvvn7vt+hvhd92bXDYsHPD1yJu0eVi2+Ky4s8lnJLL39l9V/7d+MbUjV2bnDft2YzdLNp8e4vXltpStdLc0oGt87c2b6NvK9r2bvuS7ZfKHMv27iDukO/oKw8tb91pvHPzzs8VgopblT6VTbt0dm3YNbqbu/v6Hu89jXt19xbv/fS98PveqsCq5mrT6rJ92H05+57sj93f+QPjh7oD2geKD3ypEdX01UbWnqtzqaur16nf1AA3yBuGDiYd7D7kd6i10bqxqonWVHwYHJYffv5j8o+3j4Qc6TjKONr4k8lPu45RjxU1Q83Lm4dbBC19rQmtPceDj3e0ubcd+9nm55oTBicqT2qc3HSKeKrg1Pjp3NMj7eL2l2f4ZwY6lnTcPxt/9ua5iHNd50POX7wQcOFsJ7Pz9EWPiycuuV06fplxueWK85Xmq05Xj/3i9MuxLueu5msu11q7Xbvbeub1nLrudf3MDb8bF26ybl65teBWz+2Y2713ku709XJ7n93NuPv6Xs69sft5DzAPih6qPix7pPOo+leLX5v6nPtO9vv1X30c9fj+AGfgxW/S3z4PFjwhPyl7qv+07pn9sxNDAUPdzxc+H3whfjH2svB3td93vTJ/9dMf3n9cHY4fHnwteT3+puSt1tuad47vOkbCRx69z3w/Nlr0QetD7UfGx85PcZ+eji39jPtc/sXiS9vXkK8PxjPHx8VsCXtSCqCQAaemAvCmBtHLCYh2QLQ0ceGU3p40aOobYZLAf+IpTT5pzgDUeAMQkwdAKKJR9iDDBGESMk/IpGhvADs4KMa/TJrqYD+Vi4SoTcyH8fG3ugDg2gD4IhkfH9s9Pv5lP1LsXQDas6d0/oRhka+fUjMtFZjZE5KdB/5hU98Af+nxnzOYqMAR/HP+E8R9IgX6GUmeAABWPElEQVR4nO3deVgUV7o/8G+LdqPQDWpwARpC0ERQ71WJcckykEdxSdA4MWa8d8w2+alcjbhEZyaLoma50bii4zZxTJyZTKLeRImGSOdqTCKi0eQq2kbtYADXFgUKEAqa+v3RVtlr9d5d3f1+nocn0qer+hTGl3Oq6nxLxrRyHJzw3jdLwYHDn36z0Jm3u0XZXgbOue4QQrxEJpMh79X5SEpKhjopCerkZCQlJUMVExPorrnM1TrVzsf9IYQQyaICSAgJW+2dnXByFv8lhIQWzsZXsHG1TtEIkBAStqgAEkLClmQLIMOw6D9gHV5dUIQI5SJEKBdhzrwvhXatVo8uPd8R2v76wQ9ObScl9o6BN3X6bqGtc493UFlZi2KNzup47+29QrLHSIiUtQ90B8QwDc0oK7sGA7MYWq0eWaO2YlxOH/ToHo2sUVux6+PJyMpMEdpSU7viwYwEu9tlZaYE+pAEDMNi0uRP8H9HZ0CtjgHDsMgY8hekpnZFVmYKpk7fjYqKGhiYxWbbqdUxKPrsOUz6/ScYld0bS98+iAnj0rFqxZgAHQkhwUvSBVAZpcCWTU8BAFJTu6Bfn+7Q6apx8uRVDOjXQyhoaWlxGDe2D3S6ajyYkWB3OykVwKqqWly6Vod701cKrynkEQCMxfHgoXJs+st4m9uOHJGK/NeycG/6Sox89D4U7XveL30mJNRIugCGsqpLdYjvrsTFn+dBpVKYtTEM69Q+0lPjfNE1QsKGZM8BWvrm0EUcP3kZo7J7I3tkL/xUdhUHDpYDMJ5L27PvLFJTu4puJyVDh6hR38Di0x2nrNoUiggkJcbivWWHbG5brNFhy9Yf8L/FL6G1laPzf4S4SdIjQKahWZgiKuQR2LtrCtRq4/Kc7VsnYkTONrO2rMwUMAwrup1UKJVyfLnnOTz8+BZMm10IAEhLvQeHD02FSqXAvi+mYOyT2xGhXAQAUEUpcPLYDJz9+QbGP/sP7N01BXFxnVCw5gk8/PgWAKDzgIS4SNIFUBmlwMUzc20Wr5EjUq0uEDiznZSkpcXh5pXXbLbJ5RHQ7H/B6nW1OgaN1XfXOYrtgxAiLmimwIQQ4m1UAAkhYUuyU2ClUo5TP83023aEkPBDI0BCSNiiAkgICVtUAAkhYYsKICEkbFEBJISELckWQIrDojgsQnxNsrfBABSHRXFYhPiWpAsgxWFRHBYhviTpAhjKKA6LkMCT7DlASxSHdRfFYRHiHZIeAVIcFsVhEeJLTj8XGPD/s0IpDusFq9cpDov4kulzdYPxucCAa30PmikwIYR4GxVAQkjYkuw5QIrDIoT4Go0ACSFhiwogISRsUQEMAlqtHsm93kdlZa3Za116vmO1fjic+kKIpyRdAFnWgBHZ27z6D8sX+ySEBCfJXgQh4qR0/5+U+kKIKyQ7AlyztgQduy7BgZJyTJtdiAjlInTqusRs+Zu9KCnLNn6pmKN9+puzx9DvoXWoq7+7Ptg0JstbI1kp9YUQf5HsCDBv1jDkTn8IY5/cjt892w8v/+FBoc1RlNSqNYex7K1ss20c7dPfxI7hwYwEjBn3kXAMWq0eo3M+FLbdvHE81q19EmOf3B5yfSHEnyRbAMWIRUkBQN/0bpg2uxA7d52WbFSU2DEcKa1EdJQck57pH3Z9IcSfgrMAikRJAcaRXt6sYUJ6shQz88SOoVijC9u+EOJPkj0HCBgDAe67rzNOn9GbvS4WJWVq5IhUlB2dCe05vXDbhr19+pvYMSQmqHDjZiOOn7gMljXglby9ZufdHLGMzQ9kXwiRMkkXQACYkzccH/7zR7MLFnyU1II39gsn4PsNKEBdXbNwm4vw+kPr8OafM82SYWzt09/EjiEtLQ5/fvUxjMjZho5dl2DsmN5I7KECcPc2HsuLOabFLjFBhZhoBXbuOh3wvhAiZbLaVs6p5Jhl3ywFBw5//M1Cx292U0x7GTjnukNEMAyL/oMK8MaffhPQCz0kOMhkMuS9Oh/qpGQkJiUhKTkZ6qRkqGKkHSdni6t1SvIjQOKaNWtLEBv/NiaMS6fiR4gDQXkRhNjHXwAihDhGI0BCSNiiAkgICVtUAAkhYSsoCmCoxi3ROlpCAisoCmCo2rxxPG5XL0TWsBS/fJ7pPZKWBdc08MDy3kh32hiGxb29VwgF3vQzLe/VjFAuwuixd9cXm/5iiFAuQuce75jlD/I3epver0iIO4LiKjDFLXmODzgoWP0k8L51m63Ag+8O/D/ExnZ0u8308aTFGh0m/f4TjMruje7dowEAm1bn2L1Vx17bmrUl2LL1B9y69JrNZZCEuKId/wxNZ77gwnvd+TJla5QgNoKwHCUEO7F4KsB8lOTMsSuVcpw7MxtZmdajTcvAg/3FF1B1jcFX+8+73WZLQg8lYmIiXf5Z8BiGxfqNpShY/SQVPy/z179xf3y5cgySHQGaPhicZQ1mcUuWDw1/JW8vfjshXfIPQneWVqtH1qit2PXxZGRlpgjf83FfU6fvRkVFjd0Hw7vqzJnrSIxXQaVSYOr03Th8pALP5PTF6TN6NDS0uNUGAExDs5Awo5BHYO+uKVCpFGBZAwBg2uxCTJtdKLSZFme+DQDSUu/B4UNTcelSHeLuicJ33/2KETnbAACzpg7FqhVjvPJzIOEn6M8Brllbgn//t+42RzbBan/xBQzo10M4prS0OIwb2wc6XTUYhsXBQ+X444LHvP65fGEt++kVqxGWO238FNjALMbx73Ix+blPceBgufALzMAshoFZjHcXjcRvf/ex2Sh20+ocod10v9rzety8dRsGZjFqLr+OvV/+HLBAWxL8groAFmt0+LLoHC358lB6ejcUf/sLoqLkKNr3PFjWgF9+uYW+6XFut1lKTe2CjH+Pt/n52SN7QSGPwAXdTYd9Tesdh8WLHgdgnNZnPpYCna7asx8ACVtBWwAZhsXKVd/h03/9LtBd8brskb3wU9lVs/j/PfvOIjW1KxSKCCQlxuK9ZYe89nlDh6iRqu6McTl9AADfHLqI4ycvY1R2b7fbLOl0N1GmvYZeqV2s2latOYx7unRCxiDbBZKXmtoFHSM7CLFdpj8XQtwh2XOAYljWgAlP/xMHSsrROeEdALB5HknK+POaB0qMRY6Pk+Kvfm7fOlE4z2V5bPu+mIKxT25HhHIRAEAVpcDJYzNEz4HyCTGVV+tsft7uXf+Jhx/fgtr6ZuHz+P2508YwrM1zgGp1jNWx8+f4TKfPpucATY+vYM0TePjxLULbptU5QfN3TqRHVuNCHBbAYYEP47Bi7cRh8f9gAv0cD0JCkUwmw6w7cVjqpCSogzwOy5U6FRRTYLGpFSGEuEuyU2CtVi9MrQDjVCdUbnPxBcsprqlgOz1AiL9ItgDS6g/XKJVyXDw/L9DdICSoBMUUmBBCfIEKICEkbEluCiyTyQLdBUJImJBUAaxptb4Fpq62FlWVFaisqEBVRQWuXrmM5maKP/KH7JJSyMDhq2FDvbK/HzqUAuDwYIt39ke8R6FQoF27dpC1axdWgxBJFUBb5AoFIiM7IioqCrGdOwMA2traAtyr8BBz5iwAQJ2U7JX9nWs8Cw6AupN39ke8p127dojt3BlRUVGIjOwIuSI80nYkXwAjIyOhiolBU9NtAEC0UgmOCqBfqGJiIAOgTkryzv6uGB+oru7pnf0R75G1a4eoqCh06doVqpgYREa6H1sWTCRfAAGg6z33AAAiIzuiqek2PTzdT2JiYwCOgzrZOyO2mNux4Ly4P+I9MpkMkZEdoYqJEf69hYOgKIAymQz3xMUhWqkES+f//CY6JgYyDmjnpSmw6koMwHlvSk28y3i6KTxGfrygKIC8yMjIsPsLCqQOikjIwEHmpTWhCkUkAC4o15iS0ET3ARJCwhYVQEJI2KICSAgJW1QACSFhiwogISRstXflljqOM36R8OHtv3P6f4j4miv/j9EIkBAStqgAEkLCVlDdCE38L+Lb7yF/a6l3dvYYUFLxHZYf8tL+SMia/9ibfvkcGgESu9g33oTh0YfvnlTx4Cvi0Hd4/RsOw5IeAcdx9EVfdr8O//otln2zxC//j9MIkIhi3/TOY1Dlby0FON8+VpWEhuWHloLj/HOljEaAhJCwRQWQEBK2aApMfMb04knEoe+sXmPf8M+JbkLsoQJIfKL93r1QFPwVaDGYv/7DaeMfOkSgbeAgtD7xRAB6R4gRTYGJT7Q+8QS4DvZ/v3Id2lPxIwFHBZD4TMsLvwPXPsLqda59BFpenByAHhFijgog8ZmWGTOBCBuPWIyQoeW/Zvi/Q4RYoAJIfKatZ08Y0ntZvW5I74W2nj0D0CNCzFEBJD7VMncOuE53nzHLdVKgZe6cAPaIkLuoABKfsnWhgy5+EKmgAkh8ruWF3wHt2gHt2tHFDyIpVACJz7XMmAm0kwHt6OIHkRa6EZr4XFvPnuCiFMKfCZEKvxXAzh1s3A5Bwg/9fxDWbrVI63kIfh0B+ivihhAiPTKZ9H75+X0KfE/iB6hpbAK4NgAcgDb7fwYHcG3gwAHgEBslR/WVP3vchzf2a/Er04q/5KRDKTdfqTD2RwPq61uAplZwTa3gmluB5lZwzQagxQCONQCtbeBajP9FSxtgaANn4BAtl0GzqJ/H/SOE+IffC2BNYxNar74ItAe4dkArjF8cItCKCLBt7cE2cGipBdo3AdEtgLKlFbLWarT/zXrPPtxQi1k7j0LRKQ7bnx6AKbtOYfvT/c3eUl/fgv4PtkdrPdDKcGip59Baz6GlgUMLYzD+ub4Vra2taG1uRQvTCkOdAdxNoD5V7ln/CCF+5f+LIFwb0NoC7kYhmJ4ynAeHcq4dbsviAfQCbseD+wXABQ49GoDeMhmi0IJ2UbUwjgzdZKhF2+mJ2H1sAr6Ym4H5hT8hWamwfl9TK1rrgbJPDOCaWHBNTUALC45lgdZW41dbG7i2NqCtzRj5LgdwC0AbTfEJCSbtnf0ny1n8130cYGCBpgq0cu1QAw6X0A71nByQJQAGDm01MnCXAFkdkAAOgAGIvHVneuyGO8XPgDgsHpuCse/9CxMefRDLcwZY966pFZviotE2E+AQxU/Ezb5svRYDYOicE+71j5AwUVtbC4VCAUVkpN33eFJrXN02APcBGkeAaKpEC6pwC5W4hEpUQo9KNKGilcOvtRx+vcThWgWH+kqAq2gFd/6mcVtXmRS/iF5/wm80i/Fdwo9YO/Ehm2/nmlsBALv3GqwK3daPmq1e+/DOa8aNaQRIiJiqygpculSFG3q9JC6K+r8Acm2AoQVouoxWXEENLuMyLuMSbuASbuNSK4eKWuDiFeBaFXC7igNXZUDjhetw+XeCRfH79a2paBfbH8kLttjf5k4BPH+xWShyXXu3oqScw2ff6HG0nEOP3q3o2bsVx8s57P5Gj5/KOUT3bqUCSIgDVRUVuFxVhevXrqL6xo1AdycQN0Jz4FpbgKbraIECNWjFNchQhxuQoRGGVqCxlkPrFSDhJtAgAziuDfX1N2xOgeNSj6KuqQlACziwAJoBsFAparB/6Ub0799HKH5/32/A4hsJwIbXABmLGFU7VP+0zLx3zcYE458rm8ChEzgA+vPtEde7FR2T9MjJ7oHL59uDA5Bg8lr9+fYY8oqvf3aEBLeqygrExnYGAER27AilUik6Hfa1ABTANqBeD66pHgYYUIMW3ATQhJuQcU1oNQC3aoDb1cB1BmhsB3CcAQ3VN2BrClzX1ITbVY8ZzxTeeQxtW2sNOvz8DDjcLX4tyv6Y9t0WTOUAA8eB44DkAdOtu3cnwv3C5Xpw6CKc87t6vj26Pczi6p3i1wag4nx7JD7MouI8/2OkESAhYq5evgwAiFYq0XT7Npqbm8OsAHJtaLxxDdevNqPyogy1aEUzgGbUQya7BsPVi2itaQdDM4fbLHC9nQwV3E3oWm4AUNnYYQs4AEOnHYGBNaCTrBabf7sEvZPvE4rf/xxWYQ37JAyf/Q/aWtpgaDHgh9JJgIy17h5rLIDl1+vAAYjr3SoUvavfD7G6CFJx5zXjxt7+YRESWpqbm9HW1oa2tjZJnAMMyBS45sZ1XLzK4vJFoAatYCG7WwD1v6L1lgyGZuA2C+hlwEXU4pfWm4As2sbeWBg4wMAaYGANWDRmjY3iNwOGVoNQ/AwtBuMdK+2sCyBajaPM6voGtAEo3B+BHr1bcfl8e2iT/4rqhlu4ZajHzbYG3DLU45ahHreVwMbrf6cCSEiQCcgUWH/tGi5ebcb1X9tQwxnQBICVNUCGazDc+hWtNTK0sRwaWeC6TIZfUYfK1ltA+0Qb+2sGd6cAdou8jOGdryKi13Lx4tdiMBYrWYvV3rg7U2COA7r3bhVej+/dik8bbmH02/ustpkwk6bAhASjgIwAL13X4+K1ZtzqaEAt2u6OAHENbUwntNbIwLFA050RYAUaUdVWB9sFhkUbBxhaDZiY+DmYcyzO7RyHwl8H4K/sizaLn6HVAIODEeD1O1PbH8o55GQbUHm+PRq/egrrJ10TRn632hpwq60ebEw7/tAIIUEkIOcAf716AxevNqMerahFG5ohA4sGANfB3W4Hwy0ZuGYOt1sAPYBINOMKVwdbF0E4sDAAaGPbMH3pJzj39HR8VZ2JuuZI+8Wv1WCsVbYKYEvbnf0av/jixwGIHNUbk2vft7oJmuoeIcHJ7wWQAwfd1Wr8eo3F7SbjShAWMrSgHpBdBdfcBO7OCPB2q7EAtqEF1RxjeyWIjDVOgVsMSB2xD/9zw3guUKz4tRna7owAm633ZzB+hvLOt/XnKTKRkFAVkCnwucs30RaZjMa6OjQwdWhmWbRxDMAZgNYb4Bo4oLkNDQYOVTJAz7WBQxPsTYENHHDkf7KNU2EYz9/xt7oYcGeJLnfnNhkY/2vvIkh0h3YY+qf/u/umtjv31nDcnfrLmQz7OLMuKTtaPwOXECJdfi+AsVFy7PtpNPioK/6mEpnpn9EGyNvQCg71aEP9nYisGJX1/UIxShnu6fU+ANZY0GT8V/Pd79uxxgse7e78uZ2xLTbGOgyh+M10HNfV2yxwjlZ6ZNxv6zYdQohU+b0AeiPPz9QN7TSv7g8AMlKtb7chhIQevxZAKSbCEkLCF0XiE0L8QooDIHosJiEkbFEBJISELSqAhJCwRQWQEBK2qAD6GcOw6D9gHSora/32mSxrwIjsbYhQLkKEchH++sEPDrcJRD/9rVijE34m/QYUoK7OxsogEtKoAIYJhSICmsIXYGAW4+U/PBjo7vhdwZECxOZ3xQfHtwqvjRyRCgOzGGVHZ9q8yZ6EPiqAxCekNILU6DTYWLoJaT0fCHRXiMQEpACuWVuCl6d+jnt7r0C/AQX43X98ajY102r16NLzHasp25q1JVZTlanTd2POvC8DcRii7B0Dr1hzQWjj+89Pyfj3MgyLe3uv8OnxudNPvri9uqDIqk1MwZECDFw/CHXNdcJruXtyMa/oVeHPsfldhS/T0VrunlzM/2oBEt5VIza/K+LfTURlXaXDz2RYBrP3zsGqJ1ZCFUlLFYm5drainezFPTn7XmfionbtOYN9u6egvoFFz55KrHx7NE6f0UOr1SNr1Fbs+niyMD15Y/HXOHCwHC+9mAGWNeD4CeNzBRiGRcmRSsydPdz7PxkPMAyLSZM/wf8dnQEDsxg1l1/HshXf4cDBcmN7QzM+3VEmHN/HO07iwMFyjByRiqLPnsP81/ejsrIW8+Z/iQnj0rFqxRhJ9ZNvKyu7ZrPNnhcGvYAWQwtOXDY+P5lhGZRWHsXs4XkAgA3jNqAmvxo1+dUomfE93vvmPbMip7mggXbuadTkV2N83xzsP1/s8BgXFC3AqPtHITMl042fEPEVX9UaV7cNWNbTkEEJUKtjIe8QgXE5fXDy5FUAwP7iCxjQrweyMlMAAGlpcRg3tg90umpkZaYg87EU7Ck8i6zMFGz923EkxCuhVscE6jBsqqqqxaVrdbg3faXwmkJ+NylGGaXAlk1PAQBSU7ugX5/uwvGNHJGK/NeycG/6Sox89D4U7Xtecv18MCPBbtvJk1cx9/UiYR/8vmdNHYpVK8bg0XsfQeHPXyAzJRPbTmxDT1VPqFVqAMap6sTtzwrbdlJ0NOvvzKEzoVIYR3Ebxm1weHwanQYVtZXYO+ULsAYb2Y8k7AVd2N2cvOF4edrn0Osbsb/4Av644LFAd8lK1aU6xHdX4uLP86BSmSfOMIxz/xDTU+N80TUz3uinpbxZw5A3axgYhsXwRzdjX+EUs19Qs4blYfru6dA36lF8oRjzHzFOf/mp6ufP70JmSia0+rMYv32828fGGlgs/+59lJYfQ2x+V+H10vJjWHdkHX6cccLtfZPQIbmLINkje+GnsqvCdEqr1WPPvrNITTX+T5ya2gWxMZHYsfMUamqbkDEoPpDdtWnoEDXqG1h8uuOUw/d+c+gijp+8jFHZvQEYzwNu2foD/rf4JbS2clbn1izPEwaqn862WUrtch9iIlXYWbYLtU11GBQ/CABQVXsJ9c0NwvvWlqwx+95V8gg5vnq+SJhSX3/zCoakDMaKnOVU/IhAciPAtLQ4bN86ESNytgEwTsn27poiTInl8gjMzhuO0RM+wqbVOVYjFylQKuX4cs9zePjxLZg2uxAAkJZ6Dw4fmgqZTAamoVmYGvLHp1bHoFijw/hn/4G9u6YgLq4TCtY8gYcf3wIAwnnAxAQVYqIV2LnrtMe3s7jbT4Zh7bY5Io+QY9awWZi4/VmsyFkuTGnT4vpgzAOj8NSHTwMAnh04ET1U3T06PkIcCUgB5KdJAHDuzGwAEAoccPf+LHsctUtBWlocbl55zWbbxfPzbL4+ckQqGqsXiu4jMTEGqmgFJj7dN2D9BIznBy+emWu36CmVcpz6aabNthGpI1CTX231+oZxG+ye23PmnJ8YfkRIiCnJTYGJfWvWliA2/m1MGJceljczE+JtkpsCE/tMR86uam42CKcVNq3OCYkCyrAMMtYPxvVavVVbh4gO2PH7f4ne/lKs0WH0hI8AGKf+JPxQAQwDcnkENPtf8Nr+xKa3/qSUK3Fuzlm3tw+GUynEt2gKTAgJW1QACSFhiwog8SqGZTBofYZT63QJCTQqgGHEViSURqcxCyB4YvuTQptWf1YIH4hb2gMHyw8KbayBxagPR1vtj5BgQgUwTNiKhGJYBguK/ohTc39CTX41Kl+7iF9v/YqD5QfBsAzG//0pLMlejJr8ahyafhBTP5uGyrpKYZQ37+G5GJIyOIBHRYhnKA7LR8RipqZO3y28btrmqzgse5FQiggF4qLjsPrwGgBAaWUpOkR0wKD4QSitLEWUvBOe6TcRAKDRFeN63Q3sP18MpVyJslmnRG8x0Vz4WhhV8nFXhEhNwEaA4RyHtXnjeBiYxcLxLX33ICora30Wh2UvEopfHdHINiA2vytWHV6NH2ecgEqhglavRbwqHiqFCrl7crH1+N/wRN8xOKM/4/Dz6tkG7Dy9EzX51dg55RN8/OO/6JwgkaSAFUDLOCyeWByWUikX4rAABEUcVoRyEWLj30bVtbshoGbPonhoHerq7yavmMZhVVTUeFz8+EioFaPft2rjz+NV1FaiJr8aSTFqm4GlFbWVdwqj0qnPjJZHYeN449K1BFUiohVRHh0DIb4SdDdCh0Ic1oxZhdAUvoCszBRotXqMzvnQah/eisMSi4Ta8tRmlFeX4+uXNQCAZaOXIWP9YOwo24m0uDS8WZSPPkP7CHl6v9wqx6R+k7zSL0KkQHIXQUI9DquqqhZ19XfPYa5ac9hsBOjtOCyxSKgoeTRYQwt01Tpj32ovgW1lkdrlPgxRD0Fil3jkPGC8Knzo4iGculyG7N4jXf55ECJVkhsBhnocFj+l54/vxckDkdjDeGHC33FYaXF9MO/ROUIEFQCsyFkunCvcMXkHRvx1JBqaG4W1tWqV2moNbmn5McwrnI8VOcsxqf8zHvWJEH+SVbdwth7ZYeX9Q0vBcRzm/2ah4zfb0LWDDJxzH0VEMAyL/oMK8MaffhMSgQYkfMhkMrwybz7UyclIUCdBnZwMdVIyVDHm5/A9qTWubiu5KTCxj+KwCPEuyU2BiX2exGERQqzRCJAQEraoABJCwlZ7Zy9LcBb/JYQQV9l7gLnle2DjdWf378q2NAL0EZY1YET2NptrgZ2l1eqR3Ot9VFbWmr3Wpec7XnksphhHsVZmq1ks1mcTEizoIogPKRQRwoqPQNLqz1rdz8ff65e7Jxcfn/hUeG8nRUeUzihBbGSs6D75OHmtVo+Xp33us74T4ktUAIOM2GMsGYbF8Ec3Y1/h3Wf0msZa/SHjJWj1ZzF++3h8/bIGapUagPHm5z9kvGS+L5bx7YEQIgEUhxUAYlFZpm2WQQmmMVrOToHFYq2c4c9YK3/HhBFCcVh+JhaVxTAsxoz7CMveyhaOXRUtF7bdvHE8blcvRNYw56fUzsRazSucLxQ50zQYf8da+TsmjJCATYEt47BOnrwKQDwOKyszRYjDyspMkWwclhjTqCyeQh4BADhSWonoKDkmPdPfpX2uWVuCua8XCd/z+541dSjuu7M01zTWKndPrtn29qbA/o61Mn1OLwCoou6u8zaNCRv56H0o2ve8T/tCwkPQXQWekzccR49VSToOSwwflXXr0mvCaKexeqFHF0ryZg0TRpPpqXG4eGYuDMxirFoxBmlxafheV4JO8iizWKv0uHQvHpXnTGPCbI1+ed6KCSMEkGABDIU4LDFiUVmJCSrcuNmI4ycug2UNeCVvr9k5QHcEKtbK1dguT2PCCHGH5K4Ch0IclhhHUVl/fvUx4diXL8nGtev1AIz3FY59cjsOlBh/MRwoKce02YXYtDpHNBhBKVfajbXizSucj3mF8wE4fxuMI67GdnkaE0aIO2Q3XIjDAsfhVTfjsO4JszgsljVgwtP/xKvzHgn4fYC+xN8H+OUXz5n9MqLYLmJJJpNh5p04rER1EhJF4rDcrTWubiu5KTAJfhTbRYKF5KbAoaS52SBM6RxNVYON6RXbtNR7zNootosECyqAPiKXR0Cz/4VAd8Nn+KVwhAQzmgITQsIWFUBCSNiiAhgG3InmYhgW/QesM4viCicU9xUe6BxgmJBKNJe/iUWBibVR3Fd4oBEg8QkpjCBZA4s3NG/gyIzDqMmvxsKRr2POvrmoa64ziwmrya/GoekHMfWzaT4NeyDSQ3FYPiIWeSWl2Cexfhr7dEFo4/vBF7dXFxRZtYkpOFJgljYDGEMa+Jit3D25QipNbH5XfHB8q9n75n+1AAnvqhGb3xXx7yY6LFbyCDl2Td4prHpJi0vDtbrrqG2u9TgmjIQGisPyAbHIK0A6sU+O+sk0NOPTHWVCPz/ecdKsrazsms02e14Y9AJaDC04cfmEcR8sg9LKo5g9PA8AsGHcBtTkV6MmvxolM77He9+8Z1bkNBc00M49jZr8aozvm+NysdLqtRiYOABqldqpmDAS+igOywfEIq8A6cQ+OeqnMkqBLZueAmAMoejXpzt0umo8mJFgt+3kyat2o7lWrRiDR+99BIU/f4HMlExsO7ENPVU9hRGaRqfBxO3PCtt2UnQ06+/MoTOhUhjXB28Yt8GlY9XoNHj3wHsonVFi9rpYTBgJfUF3EWRO3nC8PO1zScdh8ZFXF3+eZxXWYBr7lJWZAq1Wj9E5H1rtwx+xT4766Q5+FYiteH4AmDUsD9N3T4e+UY/iC8WY/4hx+suwDGbvnYPPn9+FzJRMIbrfGwqOFAjFz3Q6/GZRPvoM7WMWEzap3ySvfCYJDpK7CBIKcVhikVeexj65GjPlbj8tfXPoIo6fvIxR2b1darOU2uU+xESqsLNsF2qb6jAofhAAoKr2EuqbG4T3rS1ZY/a9u2wVPyBwMWFEWpx+LjBg+xme3hYKcViOIq88iX1yNWbK3X7KZDIwDc3CFJb/e1CrY8AwrN02R+QRcswaNgsTtz+LFTnLhSltWlwfjHlgFJ768GkAwLMDJ6KHqrtHx6fVn8V/H1iGxubb6L9ygPA6n4DtKCaM+IatZwOLvceT/Tsi0zsZh7Xi0FJwHsRhxYVZHJavuBMz5e1oLnvT21BkL+6LuI6Pw0q8E4elTk5Goo04LE9qjavbSm4KTOyjmClCvCvoLoKEM09ipkIxmothGWSsH4zrtXqrNsuVHa4Si/sioYMKYBjwdjSXUinHqZ9mem1/bvdDrsS5OWd9sm+K+woPNAUmhIQtKoCEkLBFBdBH3ImgsqTV6pHc632zQAF+7a437gMUw7AMBq3PsLveluKiSCigAuhDfASVgVkc0IsOrIHFqA9HWwUM8ExDCOKW9sDB8oMO98mfIys7OhMxqkgf9JoQ36OLIEEmLS0ON6+8ZrPN1v15DMtg2MbhWDl2BVZgpdn7WQOLnL+PQ/t27VGTX22+L5bxzQEQIiHthNumnfmCC++1te0d4RCHJUYsgsq0rd9D68yWyZnGaDk7BVbKlSibdcrm7SC6m7+gvLocG8fbDxbQXPhaGB3ysVW+IqWYMOJDztQSR+1e2pbisPxMLIKKYViMGfcRlr2VLRy7KloubLt543jcrl6IrGHeSXXW6IoRpYhCjML2ao56tgE7T+9ETX41dk75BB//+C+fBoZKJSaMhA+Kw/IzsQiqI6WViI6SY9Iz/V3a55q1JaIRVO6KlkcJo8MEVSKiFVFu78sZUokJI+Ej6M4BBkMclhixCKpijc6tfTqKoLLHNCGZDyUIFCnFhJHwIbmrwKEQhyVGLIIqMUGFGzcbcfzEZbCsAa/k7TU7B+htj937GPrH98P03d4PAnU1tsvTmDBC3CG5AmgahxWhXISMRzbg448mWcVhvbJgH158fmDQJXTwEVQL3thvdR9dWloc/vzqYxiRsw0duy7B2DG9hags/r7Cjl2X4EBJOabNLnSqwDAsg/tX9UG3pT1RWn4M8wrnC7fDyCPk2Dl5B87fuODybTCOmMZ2OcM0JixCuQhtbZxVTFjB6ieFmLAP//kjFUHiMZmedSEOCxxefczNOCx5eMVheTuCSqrsxUW5E9tFQpsQh5WUjMSkJKiTROKw3Kw1rm4ruREgCX4U20WCRdBdBAkmoRhBxROLi/IktosQf6IC6CPejqCSGoqLIqGApsCEkLBFBZAQEraoAIYBd6K5GIZF/wHrzKK4wgnFfYUHKoBhQirRXP6m1Z9Fwrtq0XscC44UWEWFUdxXeGgXgDAYEgakMIJkDSze0LyBIzMOoya/GgtHvo45++airrlOeI9Gp8HG0k1I6/lAwPoZTpytI868xxvbBmQEGA5xWGKRV1KKfRLrp7FPF4Q2vh98cXt1QZFVm5iCIwUYuH6QWQHK3ZMrxGyZBrNajshy9+Ri/lcLhNFc/LuJDpNp5BFy7Jq8U3jYuenaZ8C4Smb23jlY9cRKqCIDuxaaBAbFYfmAWOQVIJ3YJ0f9ZBqa8emOMqGfH+84adZWVnbNZps9Lwx6AS2GFpy4fMK4D5ZBaeVRzB6eBwDYMG4DavKrUZNfjZIZ3+O9b94zK3KaCxpo555GTX41xvfNwf7zxS4dr1avxcDEAUJBXFC0AKPuH+X2ozNJ8KM4LB8Qi7wCpBP75KifyigFtmx6CoAxhKJfn+7Q6arxYEaC3baTJ6+KRnM9eu8jKPz5C2SmZGLbiW3oqeopFCSNToOJ258Vtu2k6GjW35lDZwqpNRvG2Q9xtUWj0+DdA++hdEaJ8H1FbSX2TvkCrMF3gRNE2oLuRuhgiMMSi7ySUuyTo366w1E016xheZi+ezr0jXoUXyjG/EeM019+Ovr587uQmZIJrf4sxm8f7/axmSo4UiAUP7VKDdbAYvl376O0/Bhi87sK7ystP4Z1R9bhxxknvPK5RPokdxU4FOKwxCKvPI19cjVmyt1+Wvrm0EUcP3kZo7J7u9RmKbXLfYiJVGFn2S7UNtVhUPwgAEBV7SXUNzcI71tbssbse3dZFj/AeG7wq+eLhOn29TevYEjKYKzIWU7FL8xIbgRoGocFGKdke3dNsYrDGj3hI2xanSPJOCw+8urhx7dg2uxCAMb1socPTTWLfQKAFycPtIp92rtrihD79PDjWwBAOA9oGjPl6e0sYv2UyWRgGpqFKSz/96BWx4BhWLttjsgj5Jg1bBYmbn8WK3KWC1PatLg+GPPAKDz14dMAgGcHTkQPVXePjk+rP4v/PrAMjc230X/lAOH1FTnL8YeMlzzaNwkNsusuxGEBHOa5GYfVLczisHzFnZgpb0dzuZo8HczsxX0R18lkMsyYNx/qpGQkOIjDcrfWuLqt5KbAxD6KmSLEuyQ3BSb2eRIzFYrRXAzLIGP9YFyv1Vu1dYjogB2//5fbt7iIxX2R0EEFMAx4O5pLqZTj1E8zvbY/t/shV+LcnLM+2TfFfYUHmgITQsIWFUBCSNiiAugj7kRQWdJq9Uju9b5ZoAC/dtcb9wGKYVgGg9Zn2F1vS3FRJBTQOUAf4iOoAv1UOK3+LEb8dSQamhutLg6ItYnhz5Hxt4kQEoxoBBhk0tLicPPKazav4tqKoBKLhGJYBuP//hSWZC9GTX41Dk0/iKmfTXOYskJIqKA4rAAQi6Aybev30DqzZXKmMVrOToHFIqFKK0sRJe+EZ/pNBABodMW4XnfDLGVFc+FrIZ6Kj63yFSnFhJHwQHFYfiYWQcUwLMaM+wjL3soWjl0VLRe23bxxPG5XL0TWMPen1KaRUFq9FvGqeKgUKuTuycXW43/DE33H4Iz+DACgnm3AztM7UZNfjZ1TPsHHP/7Lp6NDqcSEkfARsAJoGYfFE4vDUirlQhwWAMnGYYkxjaCKUC5CbPzbqLpmDAg9UlqJ6Cg5Jj3T36V9rllbIuzrjE4v7NtyhMRHQm0cbx4llbsnFxW1lfhxxgmoFErh9Wh5lPDeBFUiohVR7hyy08wurFiMfk1jwioqaqj4Ea8IunOAc/KG4+ixKknHYYnhI6huXXpNGO00Vi/06EJJ3qxhwmgyPTUOF8/MhYFZbFYkCo4U4LlPXzBLRUmLS8P3uhJ0kkcJuXi/3CpHely6x8fpKtOYMFujX54/YsJI+JBcAQyFOCwxYhFUiQkq3LjZiOMnLoNlDXglb6/ZKMhdtiKhAGCIeggSu8Qj54EnAQCHLh7CqctlyO490uPPdDW2y9OYMELcIbnbYEIhDkuMo6isP7/6mHDsy5dk49r1egDG+wrHPrkdB0qMvxgOlJRj2uxCh+t6HUVC7Zi8w+o2GLVKDYZlPDpOV2O7PI0JI8QdFIflI96OoJIqe3FR7sR2kdBGcVgkLFBsFwkW7V0Zk9Ezfl0TihFUPLG4KE9iu0jos/XsXlvvcbfWuLKt5M4BhgpvR1BJDcVFkVBAU2BCSNiiAkgICVtUAMOAO9FctoIVwgnFfYUHOgcYJqQSzeVvYnFfGp0GE7c/K7z34dRh2DvlCwAU9xUuaARIfEIKI0hHUWALiv6IU3N/Qk1+NSpfu4hfb/2Kg+UHA9Zf4n8Uh+UjYpFXUop9EuunsU8XhDa+H3xxe3VBkVWbmIIjBRi4fhDqmuuE13L35AoxW7l7coXordj8rvjg+Faz983/agES3lUjNr8r4t9NdJhMIxYFpohQIC46DqsPrwEAlFaWokNEBwyKH+TET42ECorD8gGxyCtAOrFPjvrJNDTj0x1lQj8/3nHSrK2s7JrNNnteGPQCWgwtOHH5hHEfLIPSyqOYPTwPALBh3AbU5FejJr8aJTO+x3vfvGdW5DQXNNDOPY2a/GqM75tjllvoDNMoMHmEHF89X4RGtgGx+V2x6vDqO2k4Kpf2SYJbwM4BWsZhnTx5FYB4HFZWZooQh5WVmSLZOCzTyCueQh4h/Nn0JmIAUEXdXUJmGvs08tH7ULTv+YD1UxmlwJZNTwEwhlD069MdOl01HsxIsNt28uRVzH29SNgHv+9ZU4di1YoxePTeR1D48xfITMnEthPb0FPVUxihWZ6T66ToaNbfmUNnCgVqwzjzSC9H+Ciw0hklAIzT45y/j0P7du1Rk1+N3D25GLh+EL55+SAVwTASdBdB5uQNx8vTPpd0HBYfeXXx53lWYQ2msU9ZmSnQavUYnfOh1T78EfvkqJ/u4FeBMAyL4Y9uxr7CKWa/oGYNy8P03dOhb9Sj+EIx5j9inP4yLIPZe+fg8+d3ITMlE1r9WYzfPt7tYzNlKw1Hd/MXlFeX4+uXNQCAZaOXIWP9YOwo24k/ZLzklc8l0ie5iyChEIclFnnlaeyTqzFT7vbT0jeHLuL4ycsYld3bpTZLqV3uQ0ykCjvLdqG2qU4451ZVewn1zQ3C+9aWrDH73l32osAAgDW0QFetEz6fbWWR2uU+jz+TBA/JjQBDIQ7LUeSVJ7FPrsZMudtPmUwGpqFZmMLyfw9qdQwYhrXb5og8Qo5Zw2Zh4vZnsSJnuTDdTIvrgzEPjMJTHz4NAHh24ET0UHX36PgcRYHNe3SO8Hn86848EY+EDtk1J+OwVh5aCs6DOKzuYRaH5SvuxEx5O5rL3vQ2FNmL+yKu4+OwEpOSkZiUdOe/1nFYntQaV7eV3BSY2EcxU4R4l+SmwMQ+T2KmQjGai2EZZKwfjOu1eqs2Vx7ybotY3BcJHVQAw4C3o7mUSjlO/TTTa/tzux9yJc7NOeuTfVPcV3igKTAhJGxRASSEhC0qgD7iTgSVJa1Wj+Re75sFCvBrd71xH6AYhmUwaH2G3fW2FBdFQgGdA/QhqURQiUVCibWJobgoEgpoBBhk0tLicPPKazav4tqKoBKLhBJrIyQcUBxWAIhFUJm29XtondkyOdMYLWenwGKRUGJtPM2Fr4V4Kj62ylekFBNGwgPFYfmZWAQVw7AYM+4jLHsrWzh2VbRc2HbzxvG4Xb0QWcPcn1KbRkI5aqtnG7Dz9E7U5Fdj55RP8PGP/3KYwecJqcSEkfDh9HOBOYv/eiqU47DEiEVQHSmtRHSUHJOe6e/SPtesLRGNoOJZRkKZstUWLY/CxvHG2KkEVSKiFVEu9ctVUokJI75j65nAljXFk1rj6rZBdxEkGOKwxIhFUBVrdG7t01EEFSCeiiLW5i9Sigkj4UNyF0FCIQ5LjFgEVWKCCjduNuL4ictgWQNeydtrdg7QXYEofq7GdnkaE0aIOyQ3AgyFOCwxjqKy/vzqY8KxL1+SjWvX6wEY7ysc++R2HCgx/mI4UFKOabMLHa7rFYuEGp403G7bpP7PeHScrsZ2eRoTRog7ZFddiMMCOMx1Mw6rR5jFYXk7gkqq7MVFuRPbRUKbTCbDf82bD3VSMhIcxGG5W2tc3VZyU2AS/Ci2iwQLyU2BQ0koRlDxxOKiPIntIsSfqAD6iLcjqKSG4qJIKKApMCEkbFEBJISELSqAxG8cRWwR4m90DjAMiEVe5e7JxccnPhXe20nRUbgp2tttsZGxvj5UQlxCBTDEMSyD8X9/CkuyF+MPGS9Bqz+L8dvH4+uXNcLKD/45ubZ4s41hGQ+OhBDvozgsHxGLvPJn7FNpZSmi5J3wTL+JAACNrhjX625g//liD47OM/6M2CJEDMVh+YBY5BXg39gnrV6LeFU8VAoVcvfkYuvxv+GJvmNwRn9GeM+8wvlCQRq4fpBZIKq32/wdsUWImIBNgUM5Dkss8goITOxT7p5cVNRW4scZJ5C7J9eszZ9TYH9HbBEiJuiuAs/JG46jx6okHYfFR17duvSaMNJrrF6IrMwUs9gnW6GnPG/FPqXFpeF7XQk6yaOwd8oXYA0sfrlVjvS4dK/sn5BgJrkCGApxWGKRV57GPrkaMzVEPQSJXeKR88CTAIBDFw/h1OUyZPce6c6hERJSJHcVOBTisBxFXnkS++RqzJRSrsSOyTusboNxNvtvXuF8zCucD8D8VhdCQgHFYQUZipkiwYrisIhHKGaKEO+S3BSY2EcxU4R4F40ACSFhiwogISRsOf1cYMD2MzwJIcQVls8DtlVTPKk1rmxLI0AfYVkDRmRvs7kW2FlarR7Jvd5HZWWt2Wtder7j1v5c4Si6ir8fMUK5yGp9NiHBgi6C+JBCESE86DuQWAOLnL+PQ2n5Maslau5GV/GR+PxT4QgJRlQAg0xaWhxuXnnNZhvDsBj+6GbsK5wirI9mWAbDNg7HyrErsAIrbW5H0VUkXFEcVgCIRWWZtvV7aJ3ZMjnTGC1np8BKuRJls04JAaiu8md0lT9jwggBKA7L78SishiGxZhxH2HZW9k2gxI2bxyP29ULkTXMu1NqqURX+TMmjBCA4rD8Tiwq60hpJaKj5Jj0TH+X9rlmbQnmvl4kfM/ve9bUoU4VCalEVwUiJoyEt6A7Bzgnbzhenva5pOOwxPBRWRd/nmcV5FCs0bm1T36FiK1zgMHCNCYsKzMFWq0eo3M+tHqft2LCCAEkeBtMKMRhiRGLykpMUOHGzUYcP3EZLGvAK3l7zc4BBhNXY7s8jQkjxB2SK4CmcVgRykXIeGQDPv5oklUc1isL9uHF5wdKMg5LDB+VteCN/Vb30aWlxeHPrz6GETnb0LHrEowd01uIyuLvK+zYdQkOlJRj2uxCpwoMwzK4f1UfdFvaE6Xlx4TzfR8c3yq8x/QcYPy7iV45z2ca2+UM05iwCOUitLVxVjFhBaufFGLCPvznj1QEicdkV5yMw1p1aCk4D+KweoZZHBbLGjDh6X/i1XmPBPw+QF/i7wP88ovnzH4ZUWwXscTHYSWaxGGpk5KhtIjD8qTWuLqt5EaAJPhRbBcJFkF3ESSYNDcbhOTnTatzQqoYmF6xTUu9x6yNYrtIsKAC6CNyeQQ0+18IdDd8hl8KR0gwoykwISRsUQEkhIStgBVAd9a1Eve4E83FMCz6D1hnFsUVKBTNRXwlYAXQV+taiW18NJeBWRzQizFa/VkkvKtGbH5XxC3tgYPlB63eU3CkwOpeRTH8+ciyozMRo4r0co9JKKMpMPEJWyNI1sDiDc0bODLjMGryq7Fw5OuYs2+uEL4AABqdBhtLNyGt5wOB6DYJM5IsgGJxUfYik6TGnWMIROyTWD+NfbogtPH9cLef8gg5dk3eKTxYPS0uDdfqrqO22VgkGZbB7L1zsOqJlVBFqqy292c0FwkPkrsNxjQuSq2OAcOwyBjyF6SmdkVWZgo2bxyPzRvHA4CwYH5Udm9JLf539xj42KdJv/8Eo7J7Y+nbB30a+yTWzwczEsA0NOPTHWVC8nPWqK0Yl9PHa/3U6rUYmDhAKIgLihZg1P2jkJmSiRXfm4e3mkZzaXQaPPfpC5g9PE/YlhB3tHfpySN+eCqSWFwUIB6ZJBWeHIM/Y58c9VMZpcCWTU8BMIZQ9OvTXYgls9dPZ6O5NDoN3j3wHkpnlAjfV9RWYu+UL8AarAMg/B3NRXzE9ElIHMDZqyl+eiqS5EaAYnFRzkYmBZo3jsEfsU+O+ukMy346E81VcKRAKH5qlRqsgcXy795HafkxxOZ3Fd5XWn4M646sw97nv3DzCAkRJ7lzgGJxUY4ik6TCk2NwFPvkasyUu/209M2hizh+8jJGZfd2qp/2WBY/wHhu8Kvni1CTX42a/Gpcf/MKhqQMxoqc5fhxxgko5Ur3D5IQEU4/F1jsGZ6uYlkDxj65HQdKjJl/fLwTv172yz3P4eHHt2Da7EIAxrWmhw9NNYtMAoAXJw8UIpOkhI+8cvUY+NinvbumCLFPDz++BQCE6aNpzJSnt7OI9VMmk4FpaBamsAp5BPbuMo7mnOmnLVr9Wfz3gWVobL6N/isHCK/bSqQmocuyhtj73p1a4+q2ssvNTsZhfbsU4DjMcTMOK14RXnFYvuJOzFS4R3MRaZDJZPivufORkJyMRLUxDivRVhyWB7XG1W0lNwUm9lHMFCHeJbmLIMQ+T2KmwjWaixAxVADDAEVzEWIbTYEJIWGLCiAhJGxRAZQgfn2uVNc5ExIqqAASQsIWXQSRoLS0ONy88lqgu0FIyAvICHDN2hK8PPVz3Nt7BfoNKMDv/uNTs+Vd9iKa1qwtsUr8nTp9N+bM+9Iq9ThCuQide7yDyspaycVMWbaZ9sMXSdlSit8iREoCNgLctecMvv/flzF2/Hb07KnEyrdH4/QZvRC7tOvjyUJYQNaorUhN7YqXXszA+o2lOH7iMrIyU8AwLEqOVGJf4RSrWz1eyduL305Ih1odA7U6RjIxU1mZKVi15jCWvZVt8168zRvHY93aJzH2ye1e649U4rcIkZqAnQMcMigBanUs5B0iMC6nj/D6/uILGNCvh7Bki187q9NVQ6mUI/OxFOwpPAsA2Pq340iIV1qljaxZW4J//7fuZsu+TOObKipqfPqP3DRmKkK5CLHxb6Pq2t3U477p3TBtdiFGj/VPko3ZMzMeWmcWvuDPnwshUhN05wDn5A3Hy9M+h17fiP3FF/DHBY+ZtRdrdPiy6JzdHL1Ax0wBd1d08IXJl7l/UorfIkRqJHcVOHtkL/xUdhUHDhqTYrRaPfbsO4vUVGNOXGpqF8TGRGLHzlOoqW1CxqB4YVuGYbFy1Xf49F+/s9qvu/FN7nA2ZmrkiFSUHZ0J7Tm9009fczUOy9P4LUJCmeRGgGlpcdi+daKwbpWPYeKns3J5BGbnDcfoCR9h0+ocYYTFJ54cKClH54R3zLZtbW1zK77JXWIxU5GR7c2iwADj2ly1OsZhTBjgehyWp/FbhIQyisMKMu7EYREiBRSHRTxCcViEeJfkpsDEPk/isAgh1mgESAgJW1QACSFhiwogISRsUQEkFL9FwhYVQEJI2HL6ucCA8VmbdCdf6KH4LeIvps/tFXuGrye1xpVtKQ7LR8TisPwdT+Xv+C1CggXFYfmAozgsf8dT+Tt+i5BgQXFYPuAoDsvf8VT+jt8iJFgE3UqQYI/DCkQ8lT/jtwgJJpK7ChzqcViexlO5Godlyp34LUJCmeRGgKEeh+VpPJWrcViWEVuAa/FbhIQy2SUn47BWf7sUnAdxWAkUh+UVFIdFgpVMJkPu3PlITE5Gwp04LHVSMqIt4rA8qTWubiu5KTCxj+KwCPEuyU2BiX0Uh0WId9EIkBAStqgAEkLCFhVAQkjYCpkCyDAs+g9YR/e3EUKcFjIFUKoKjhQgNr8rPji+NdBdIYRYoALoQxqdBhtLNyGt5wOB7gohxIaAFEB+uvrqgiKriCbLqaxWq0dyr/fNvrcX7QQAxZoLdtv8iWEZzN47B6ueWAlVpCpg/SCE2BewESDT0IyysmswMItRdnQmPt5xUlj/K4aPdjIwi2FgFpstZWMamvHpjjIYmMUo+uw5bPvHjwE7J7igaAFG3T8KmSmZAfl8QohjASuAyigFtmx6CoAx4KBfn+7Q6aodbicW7WS6z8QEFVTRcm922WkanQYVtZVYMfr9gHw+IcQ5QbcSJBiinZZ/9z5Ky48hNr+r8Fpp+TGsO7IOP844EcCeEUJMSaIAfnPoIo6fvIy/fTABANDMtuKC7ia6d4/GK3l7zeKieHy00+icD1FZWYvY2I7+7rZdXz1fJPyZNbDI+fs4TOo3CX/IeCmAvSKEWApYAWQamnFv+koAd2Or+GTnGdOHmMVFXbteD0A82olhrIskIYSICVgBVEYpcPHMXKs4e0B80b/pcz/M9qeU49RPM4Xv09Li8OuFV73SV0/II+RmI0JCiHTQfYCEkLBFBZAQEracngJ7M8vZcrpKCAkfnMWXrXZP9u0KGgESQsIWFUBCSNgKmQJIcViEEFeFTAEkhBBXUQEkhIQtisPyEct+/vWDH4S2qdN3C6+btvHrm/nvGYbFvb1XBPQ4CAllAV0Kx8dhabV6ZI3ainE5ffBgRoLodnwclq3n4prGYRVrdJj0+08wd/Zwm6tNfIlhWEya/An+7+gMYZlexpC/IDW1K7IyU7B543hs3jgegLFQjs75EKOye2PkiFQUffYcJv3+E4zK7o2lbx/EhHHpZpFfhBDvCehSOFtxWI4KIB+HtXPXaasUGKnEYVVV1eLStTphrTNgXO/MK9boMHrCR8L3qiiF8OeRI1KR/1oW7k1fKcmkG0JCiSTSYFwRDHFYVZfqEN9diYs/z4NKpTBrYxgWM2YVQlP4ArIyU4QRoKX01Dh/dZeQsCWJiyB8HNao7N4A7sZhsazBYRyW9pxecre+DB2iRn0Di093nLJqq6qqRV19s/D9qjWHzY6vWKPDlq0/4H+LX0JrK0fn/wjxIYrD8gGlUo4v9zyHhx/fgmmzCwEAaan34PChqUhLi8O4sX3Mji+xh/GZIcUaHcY/+w/s3TUFcXGdULDmCTz8+BYAoPOAhPgAxWH5SFpaHG5eec1mm+lFEFNqdQwaqxc6tQ9CiOckMQUmhJBAoAJICAlbAZkCUxwWCTtttk/phIV2JYHugV00AiSEhC0qgISQsEUF0A8s1zOH2ue5gmUNGJG9zeYaaWfZOj5+7bU7+7OFv9E+QrkI/QYUoK6u2fFGYW7aEh2+Qkugu+GSoFsJQvyHv+/yd8/2s7n22l0KRYSwEkYKCo4U4M2ifKzIWS48u3nkiFRhnfrL0z736ued/7YOgw9cxX8+E4f1aZ0BANyNVvzmL+U4eSfU/a3/SsDMe6JEt+O0Tei8o8LsPZ8sTMEodAAArNlUhUXXGoW2jv064cpvEwEAX36mx+RTt4Q208+zbDPdr1hbMKICSEKC2D2TDMNi+KObsa9witV9pxqdBhtLNyGt5wP+6CY4bROGn67G77pHmr2+dtdVvL7wXoxCB5z/tg7Dd17HmOlJSEWE6HYdunXAkTvvO/9tHQYvKTcrSKZF1tSYCXGomWBcbmnr8+xt56gt2ARkCrxmbQlenvo57u29Av0GFOB3//Gp2XTIXpTUmrUlVtORqdN3S3K5mOkx9HtoHerqWbS0tGFE9jaraVqxRiccl6MYrXnzi4T2zj3esRkTxn+eI2KxZGvWlqBj1yU4UFKOabMLEaFchE5dl+DAwXKHffHGz8zy2MWOzzRezJUpMMMymL13DlY9sRKqSJVHfXfW9B2XsGhiN6RZ/NPLm5YoFK1e98jRcr0FF9DmcDtTvR9VYXH3Tnjv25su96t9tw5C8fMEp21C7JJziF1yDo9/e83j/flawM4B7tpzBvt2T0F9A4uePZVY+fZonD6jF6Kxdn08GQZmMcqOzsQbi7/GgYPleOnFDLCsAcdPXAZg/AdccqQSc2cPD9Rh2MQwLMaM+wjL3soWjkEVLUeHDu1w332dcfqM3iz38MyZ60iMV+HSpTq7x877qvg8Lv48DwZmMZ55qi++2n/e7uc51VeTWLKyozPx8Y6TOHCwHHmzhuF29UJkDUvBptU5MDCL0Vi90GzaaqsvnvzM+AgxA7MYNZdfx7IV3+HAwXKHx7d543ihr65YULQAo+4fhcyUTLf77YovP9PjfFa01dTW0oUbLDr26yQURGe3A4D7u5mHb/xjh14oSOtuNJi1TVuiQ+yScxh+uhrf/ban3e3iNpZDB4NTbS9qa1Gz8H7ceiYJJw7USv6cYMCmwEMGJUCtjoW8QwTG5fTByZNXAQD7iy9gQL8ewj80fu2sTleNrMwUZD6Wgj2FZ5GVmYKtfzuOhHil3/P+HDlSWonoKDkmPdPfqq1vejdc/LUGR0orAUAoGmlp3RweOwDMfmWYkDDDL6cr1ujsfp4j9mLJnDk/Z6sv7hKLEBP7eYpZs7YEc18vEr7n9z1r6lA88V8dUFFbib1TvgBr8P06ck7bhJe4Zlx5NNHh+wYfuIpPFqa4tJ0tedMSkXfnz+e/rcPgv1xCb5Pp8aaFqdh05zM6L9E5NXV21Lbtt92Nf4hrj3+DzOU++1t7V56jae85nv40J284Xp72OfT6RuwvvoA/LngswD1yTXp6N3xZdA4P3N8VudMG46v9OnTuHImHBiegoUHavy19SSxCrFijc2uf/JpyW+cAR304GqXlxxCb31V4f2n5Maw7sg4/zjjh/oHYsfbQDdy+1ojYsnN3X9zRiE+71Zifw7tT/PhCJLZdyW+6WX3OuevNSOtjPVLsldYJ/3ZAhvM3WIy6x/yChSwtEs8iwmabt3E2/mvv2cDu1hpXtpXcbTDZI3vhp7KrwrRPq9Vjz76zSE01/o+amtoFsTGR2LHzFGpqm5AxKD6Q3bUpMUGFGzcbcfzEZatIr8QEFW5U38b3hyvxzMT+iI2NxBmtHqmpXR0euzuf5wrLWDK5PEKYsvuaWISYt47P1FfPF6Emvxo1+dW4/uYVDEkZjBU5y50ufpaPL3Akb1oiahbeL3wt7t4J//lMHPTTU+wWP2e2M/XlZ3osutaIcWnRVp9f9O0taLu1x5h7Iq3aOG0T/qdbO5ttoU5yV4HT0uKwfetEIS6Kj8rip2RyeQRm5w3H6AkfYdPqHKvRghSkpcXhz68+JhzD8iXZQqRXYmIMbtxswD33JCMurhP69e2GnbtPo1dqF6jVMaLH7s7nOSIWSwYYR9wPP74Fazcfcbo/7nAUIWbv+Cwj0viLNptW53j11h1LiQkqxEQrsHPXaY8/h7vRij8cMF4weHbJ3fO9zlxtbbnegowlxhFyh24dcHxhqlAYTW+DMb1aDBjP/31y59ydZVs4kVU1c06NFld/uxQcx2HOYwsdv9mGRIUMnHMfRfxE7PYQX2FZAyY8/U+8Ou8RydwHKIa/D/DLL54z+2XLMCz6DyrAG3/6jXMFkNYCQyaTYfrc+UhMTka8OgnqpGQkJiVDGWP+/54ntcbVbSU3BSZE6tasLUFs/NuYMC7dp6NM4nuSmwKT0NfcbBCms76eqrrL9MFVaan3mLWJBfaS4EIFMIwFIpZMLo+wm+otJfxSOK+RcCRUOKMpMCEkbFEBJISELSqAPmC6zC0cUeSVaxiWwaD1GaisqwzI54czKoASwxcPb/0jD9Tn8ZFXBmZxQC9yaHQaxOZ3Fb6e2P6k0Maf5ys7OhMxKs9vArb8LP7rg+NbAQBa/VkkvKtGbH5XxC3tgYPlBz3+TOIZughCgoarkVcMy2BB0R9xau5PUKvUYFgGwzYOx8Hygz4JQBiROgI1+dV3+3Tn81K73AfWwOINzRs4MuMw1Co1Co4UYM6+ufjm5YOQyaS/ZjZUURyWDxVrLtiMmTI9Bn4ENmfelw4jqMTiouwJ58grRYQCcdFxWH14DQCgtLIUHSI6YFD8II+OwVnbTmxDcudkZKZkQh4hx67JO6FWqQEAaXFpuFZ3HbXNd3+emgtfC6PGeUWBe6Z1OKE4LB9hGprx6Y4yq5gpy2PQ6W7i/C83MHf2cNEIKrG4KGf6Eo6RV/IIOb56vgiNbANi87ti1eHV+HHGCagUvs/+Y1gGm45uxvxHbBcyrV6LgYkDhIJYzzZg5+mdqMmvxs4pn+DjH/9F5wT9IGAF0DIOiycWCaVUyoU4LACSjcMC7MdMWR7D/uIL+O34vg6PwTQuKkK5CLHxb6PqWp1HfXGGZeSVJ+fzxI7Bk8grfl9ndHph33PmfQnWwGLUh6NRUVuJmvxqJMWoMXD9INQ1O/dz84Tp6M+SRqfBuwfew8bxG4TXouVRwvcJqkREKxxn/xHPBd05wGCPwwLuHkNVVS3+uvU49hVOcbiNWFxUsPB35JVWfxbl1eX4+mUNAGDZ6GXIWD8YO8p2Cs/+8AWt/ixWfLsK2yZutWorOFKAdw+8h9IZJcLojwSO5K4Ch0IcliXLmKm0tDgMGhiPDZuOWY1g7UVQicVFedKXUI68AgDW0AJdtbG4VtVeAtvKIrXLfU5t62rkFW9tyRr07ZFuNfqj4ic9khsBhkIcFuA4ZmpcTh/hGCzZi6CyFxfl6GcQrpFXaXF9MO/ROXjqw6eF11bkLHf6CrA7kVda/Vl8+fNXVqM/rf4s/vvAMjQ230b/lQPM+jOp/zNO7Zt4H8VhBUixRoc5r+5zqoB5giKvHPNa5BURRXFYBIDxH9b/y/3c7AIDkRaKvAoPVAD9bOr03WHxD4uPvHJ3KZw/8Of4+j20DrV1TWZtebOGwcAsxqoVYwLUO+IPkjsHGOo2bxzv8RPUXEGRV/Z5PfKKBB0aARJCwhYVQEJI2GrHP0PTmS+48F5b24YLisMKjjgsexzFU1GMlmecqSWO2r21LY0AJYbisLzLXgSVZXRV/LuJThcSb8doARCW7ZnGZ/HEIr2IZ6gAkqDBx2HZKqi2Rt0My2D835/CkuzFqMmvxqHpBzH1s2lCoUuJS0bFn8tRk1+NP2f9EUPWDwvIaIofyc17eC6GpAy2auMjvWryq1H52kX8eutXyhL0EorD8iGKw7Lmzzis0spSRMk74Zl+EwEAGl0xrtfdwP7zxVbvnTZ4GvrH9xOiswD/xVMp5UqUzTplc4WKM5FeFKPlPorD8hGKw7LRDz/HYWn1WsSr4qFSqJC7Jxdbj/8NT/QdgzP6M1bvlUfIcV/nu/uWSjyVo0gvqfQzWFEclo9QHJY1f8dh8XL35KKitvJO4VA6tV+pxFM5ivSSSj+DVTufXV7x0WXgOXnDcfRYVdDHYR09ViXEYTkzguWjpG5deg0GZrHN0ZrU+eIY+BUbNZdfR3pqHC6emSus4EiLS8P3uhJ0kkdh75QvwBpY/HKrHOlx6Vb7EWsLJN3NX1BeXS4UuWWjl6GBbcSOsp0B7pkHzGoDF9DLwJK7CEJxWBSH5a04rCHqIUjsEo+cB4xXTQ9dPIRTl8uQ3Xuk1Xvz9ubZbXOVuzFa9ngS6UXESW4pHMVhURwW4J04LKVciR2Td2DEX0eiobkRHSI6YMfv/wW1So2f9T+jXP8rkt41HmdKXDLOzj0DlUIFhmU8Ok5XY7QYlkHG+sG4Xmv8JVRafgzzCudjRc5y/CHjJbuRXp72kwCyyibn47AADrMfdS8OSx1JcVimKA4r+FGMlmv4OKyEpGQkqJOQmJSMxKQkKGNizd7nSa1xdVvJTYHDAcVhhS6K0QouVAD9jOKwgh/FaIUOyZ0DDHUUhxX8KEYrdNAIkBAStqgAEkLCFhVAP7AV7RRKn+cKd6Kywj1eTCrxWzx/xZL5AxVAYleoR2X5m1jkFa/gSIFVuy/it4gRFUAS8qQwghSLvOJpdBpsLN2EtJ4P+Ll3rhGLJQs2FIflI7ainVpa2myOqIo1OuG4xOKixOKpxKKk7AmmqCzjz8k6XkzsGMQUHCkwCxUAjKEJfJxU7p5csxBS0xFZ7p5czP9qgRC06kyYqljkFWAskLP3zsGqJ1ZCFaly2H9PORtLZvnzdCeWTMooDssH7EU7dejQTlh3azoqOXPmOhLjVbh0qc7usfNsxVM5ipIS7WsQRGXx/bQVLyZ2DGJeGPQCWgwtOHH5hHEfLIPSyqOYPTwPALBh3AbU5FejJr8aJTO+x3vfvGdW5DQXNNDOPY2a/GqM75tjM2PQFQuKFmDU/aPsFkhvcvSzXrXmsPD/kuU9je7EkklZwO4DtIzDOnnyKgDxOKyszBQhSiorM0WycVhi0U5907vh4q81OFJq/MfEF420tG4Ojx2wjqcCjCNId6KkAPtRWc4sYbPVF3eZRmXxFPIIh/18MCPBbtvJk1cx9/UiYR/8vmdNHYpVK8bg0XsfQeHPXyAzJRPbTmxDT1VPqFVqAMbp6MTtzwrbdlJ0NOvvzKEzhUy+DeM2eHTsGp0GFbWVQmKNrzn6WfdN74Zpswuxc9dpFO173uf9CaSguxF6Tt5wvDzt86CNw0pP74Yvi87hgfu7InfaYHy1X4fOnSPx0OAENDS0BLp7AcNHZV38eZ7V8kCGca8o5M0ahrxZw+yuh541LA/Td0+HvlGP4gvFmP+IcfrLT0c/f34XMlMyodWfxfjtvrl5nTWwWP7d+ygtP4bY/K7C66Xlx7DuyDr8OOOE1z9T7GcN3P258VefRz56X8gWQsldBAmFOCyxaKfEBBVuVN/G94cr8czE/oiNjcQZrR6pqV0dHrs7n+cKqUZlWbLsp7NtllK73IeYSBV2lu1CbVOdEDNfVXsJ9c0NwvvWlqwx+96b+MRnfrp9/c0rGJIyGCtyljtd/FyN33L2Zz1yRCrKjs6E9pw+ZG9BktwIMBTisMSinRITY3DjZgPuuScZcXGd0K9vN+zcfRq9UrtArY4RPXZ3Ps+RYIjKkslkdvvJMKzDY7BHHiHHrGGzMHH7s1iRs1yY0qbF9cGYB0YJEVTPDpyIHqruHh2fo8grT7gavyX2s46MbG8WPQYAm1bnQK2OcTuWTMpkFU7GYa35dik4D+KwkigOS3JCISorEMcQKMEevyWTyTBt7nwkJiUjXiQOy5Na4+q2kpsCE0KcR/FbnpHcFJiEPj4qC0BQT59MWU5xTfFJ1O7e4lKs0WH0hI8AGKeqpvgLFsQ9VADDWChEZQXiGGz2Q67EuTlnfbJvit/yHZoCE0LCFhVAQkjYCroCKLYWMdjXKUph0T4h4SToCqDYWsRQW6foCtOcPcvib7q43TTQwN0203w606+/fvCDaBtg/kvKMkTBtM2yL4T4Al0ECQEMwyJjyF9QsPpJ4H3rNj4o4eU/PAitVo/ROR/iuwP/D7GxHe22de8ejdfeKMb/HZ0BtToGa9aW4JXZX+DwoalWJ+X5z09N7YqszBS7bTx7V35Nn5di+nlSvNmdhIaAjgBNf+PbGwkE63TWXqSQ5TTXVnqzrdgnMUqlHOfOzLZ5Y7FlMMP+4guousbgq/3nRdvk8gh8tus/hJuL09O74dJVBrW1TVafsfVvx3HfvZ1tfr5YmyOJ8SoqfsSnAjYCnDp9Nyoqamxe3jcdCfCjklHZvYPqTn8+UsjVe9xMY5/4aLBxOX3cXjXBR22pVApMnb4bh49U4Jmcvjh9Ro+Ghha7bbb2Y0zwMf87YBgW6zeWYtNfrMMC7LVNm11otQRLpVIIKxoqr9YJrxPiSwEZATIMi4OHyu0muZg9A8HJcE+p4SOFRo/90KXt7EU7eYr/hVP20ytWoyqxNsD495H/zgGhX6bcGf3x+YIGZrHZZyqVclw8b8wXXPX+WCTfv4IuCBGfktxFEIZhMWNWofDMCFfCPaWEf0D2vLmPIEK5yOVC6C3p6d1Q/O0viIqSo2jf82BZA3755Rb6pseJtvHWrC3BpN9/gpPHZliN/rRaPd59/5DNX2Ribc4YOkSNuC6dcEF3063tCXFGQAqgQhGBpMRYvLfskFVbVVUt6urvRt6vWnM4KEeAPFuRQs1sKy7objqMrnIl2smeoUPUSFV3xricPlb7FGsDjMUv/50DNosfYPy7MQ1wdbbNGUdKKyGXR0gy7oyEjoCcA5TLI7DviykY++R2RCgXAQBUUQqcPDZDSEHm14q+OHkgEnsYY4rE4niemzJQMlE9lv0E7kYKAcCM6UPMjs80usqdaCfTc2eA9bHv3vWfePjxLaitb7bap702rVaPxe8eQJ1Jf/jj4K8Y79l3Fh9/NMmqP2Jtzh6D6blBQnyF4rAIIX5BcViEECIhdCN0ELCcHpryZUozIaGOCmAQ4G8PIYR4F02BCSFh6/8DzyJB3L96VM4AAAAASUVORK5CYII=
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAATYAAAJYCAYAAADoqsoeAAAK5WlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96Y0WiICU0Jv0FkBK6AGkd1EJSUhCCSEFFRsqgyM4FlREUBnQEREFR0faWBALtkGwgH1ABhV1HCzYUJkLPMLMvPXeW2+vdXK+7LvPPnvfdc5a/wWAksIWi7NgFQCyRTJJdJAvPTEpmY57DGBAA3igAYhsjlTMjIwMA4hNz3+3d70AmphvWE/k+vfn/9XUuDwpBwAoBeE0rpSTjXA7Mr5yxBIZACiEgdFimXiCf0NYXYIUiPCHCeZPMpo8wWlTTJ+MiY32Q9gJADyZzZbwASD7IH56HoeP5CGnImwn4gpFCG9G2IsjYHMR7kZ4TnZ2zgR/RtgciRcDQDFGmJH2l5z8v+VPU+Rns/kKnupr0vD+Qqk4i730/3w1/9uys+TTe5gigyyQBEdPMXQ7MydUwaK08IhpFnKn46HbAnlw3DRzpH7J08xl+4cq1maFh01zujCQpcgjY8VOM08aEDPNkpxoxV7pEj/mNLMlM/vKM+MUfgGPpcifL4hNmOY8YXz4NEszY0JnYvwUfok8WlE/TxTkO7NvoKL3bOlf+hWyFGtlgthgRe/smfp5IuZMTmmiojYuzz9gJiZOES+W+Sr2EmdFKuJ5WUEKvzQvRrFWhhzOmbWRineYwQ6JnGYQCwRADkSAC3hAAtJADsgCMkAH/kAIpECM/GMD5DjJeEtkE8355YiXSoR8gYzORG4gj84ScWzm0B3sHBwAmLjPU0fkDW3ynkK0yzO+3HYA3IoRJ3/GxzYCoPUxANR3Mz6j11N35WQ3Ry7Jm/KhJ34wgAiUgTrQAnrACJgDa+AAXIAH8AEBIAREIJ0kgYWAg/STjXSyGCwHq0ERKAGbwXZQAarAXnAAHAZHQTM4Ac6AC+AK6Aa3wD3QD4bAczAC3oExCIJwEAWiQlqQPmQCWUEOEAPyggKgMCgaSoJSIT4kguTQcmgtVAKVQhVQNVQH/Qi1QmegS1APdAcagIah19AnGAWTYXVYFzaFbWEGzIRD4Vh4AcyHc+F8uBDeCJfDNfAhuAk+A1+Bb8H98HN4FAVQJBQNZYCyRjFQfqgIVDIqHSVBrUQVo8pQNagGVBuqE3UD1Y96gfqIxqKpaDraGu2BDkbHoTnoXPRK9AZ0BfoAugl9Dn0DPYAeQX/FUDA6GCuMO4aFScTwMYsxRZgyzH7Mccx5zC3MEOYdFoulYc2wrthgbBI2A7sMuwG7G9uIbcf2YAexozgcTgtnhfPEReDYOBmuCLcTdwh3GncdN4T7gCfh9fEO+EB8Ml6EX4Mvwx/En8Jfxz/BjxFUCCYEd0IEgUtYSthE2EdoI1wjDBHGiKpEM6InMZaYQVxNLCc2EM8T7xPfkEgkQ5IbKYokJBWQyklHSBdJA6SPZDWyJdmPnEKWkzeSa8nt5DvkNxQKxZTiQ0mmyCgbKXWUs5SHlA9KVCUbJZYSV2mVUqVSk9J1pZfKBGUTZabyQuV85TLlY8rXlF+oEFRMVfxU2CorVSpVWlX6VEZVqar2qhGq2aobVA+qXlJ9qoZTM1ULUOOqFartVTurNkhFUY2oflQOdS11H/U8dUgdq26mzlLPUC9RP6zepT6ioabhpBGvsUSjUuOkRj8NRTOlsWhZtE20o7Re2qdZurOYs3iz1s9qmHV91nvN2Zo+mjzNYs1GzVuan7ToWgFamVpbtJq1HmijtS21o7QXa+/RPq/9Yrb6bI/ZnNnFs4/OvqsD61jqROss09mrc1VnVFdPN0hXrLtT96zuCz2ano9eht42vVN6w/pUfS99of42/dP6z+gadCY9i15OP0cfMdAxCDaQG1QbdBmMGZoZxhmuMWw0fGBENGIYpRttM+owGjHWN55nvNy43viuCcGEYSIw2WHSafLe1Mw0wXSdabPpUzNNM5ZZvlm92X1zirm3ea55jflNC6wFwyLTYrdFtyVs6WwpsKy0vGYFW7lYCa12W/XMwcxxmyOaUzOnz5pszbTOs663HrCh2YTZrLFptnlpa2ybbLvFttP2q52zXZbdPrt79mr2IfZr7NvsXztYOnAcKh1uOlIcAx1XObY4vnKycuI57XG67Ux1nue8zrnD+YuLq4vEpcFl2NXYNdV1l2sfQ50RydjAuOiGcfN1W+V2wu2ju4u7zP2o+x8e1h6ZHgc9ns41m8ubu2/uoKehJ9uz2rPfi+6V6vW9V7+3gTfbu8b7kY+RD9dnv88TpgUzg3mI+dLXzlfie9z3vZ+73wq/dn+Uf5B/sX9XgFpAXEBFwMNAw0B+YH3gSJBz0LKg9mBMcGjwluA+li6Lw6pjjYS4hqwIORdKDo0JrQh9FGYZJglrmwfPC5m3dd79cJNwUXhzBIhgRWyNeBBpFpkb+XMUNioyqjLqcbR99PLozhhqzKKYgzHvYn1jN8XeizOPk8d1xCvHp8TXxb9P8E8oTehPtE1ckXglSTtJmNSSjEuOT96fPDo/YP72+UMpzilFKb0LzBYsWXBpofbCrIUnFykvYi86lopJTUg9mPqZHcGuYY+msdJ2pY1w/Dg7OM+5Ptxt3GGeJ6+U9yTdM700/Snfk7+VPyzwFpQJXgj9hBXCVxnBGVUZ7zMjMmszx7MSshqz8dmp2a0iNVGm6FyOXs6SnB6xlbhI3J/rnrs9d0QSKtkvhaQLpC0ydUQ4XZWby7+RD+R55VXmfVgcv/jYEtUloiVXl1ouXb/0SX5g/g/L0Ms4yzqWGyxfvXxgBXNF9UpoZdrKjlVGqwpXDRUEFRxYTVydufqXNXZrSte8XZuwtq1Qt7CgcPCboG/qi5SKJEV96zzWVX2L/lb4bdd6x/U7138t5hZfLrErKSv5vIGz4fJ39t+Vfze+MX1j1yaXTXs2YzeLNvdu8d5yoFS1NL90cOu8rU3b6NuKt73dvmj7pTKnsqodxB3yHf3lYeUtO413bt75uUJQcavSt7Jxl86u9bve7+buvr7HZ09DlW5VSdWn74Xf364Oqm6qMa0p24vdm7f38b74fZ0/MH6o26+9v2T/l1pRbf+B6APn6lzr6g7qHNxUD9fL64cPpRzqPux/uKXBuqG6kdZYcgQckR959mPqj71HQ492HGMca/jJ5Kddx6nHi5ugpqVNI82C5v6WpJae1pDWjjaPtuM/2/xce8LgROVJjZObThFPFZ4aP51/erRd3P7iDP/MYMeijntnE8/ePBd1rut86PmLFwIvnO1kdp6+6HnxxCX3S62XGZebr7hcabrqfPX4L86/HO9y6Wq65nqtpdutu61nbs+p697Xz9zwv3HhJuvmlVvht3p643pv96X09d/m3n56J+vOq7t5d8fuFdzH3C9+oPKg7KHOw5pfLX5t7HfpPzngP3D1Ucyje4Ocwee/SX/7PFT4mPK47In+k7qnDk9PDAcOdz+b/2zoufj52Iui31V/3/XS/OVPf/j8cXUkcWToleTV+OsNb7Te1L51etsxGjn68F32u7H3xR+0Phz4yPjY+Snh05OxxZ9xn8u/WHxp+xr69f549vi4mC1hT0oBFDLg9HQAXtciejkJ0Q6IlibOn9LbkwZNfSNMEvhPPKXJJ80FgFofAOIKAAhDNMoeZJggTEbmCZkU6wNgR0fF+JdJ0x0dpnKREbWJ+TA+/kYXAFwbAF8k4+Nju8fHv+xDir0DQHvulM6fMCzy9VNqpqVMsugJzS0A/7Cpb4C/9PjPGUxU4AT+Of8JizUh8jnksS0AAQAASURBVHic7J11nBTlG8C/M7N53X3AcUF3l3SnIgKKoih2d7eICqIYGKiIioGiIqIg3d0dB8fB3XHdmzPz+2N29/YCExT97dcP3u7U+07sM8/7vE8IqqqqnGcKCioJCjKi10vn+9B/msIiC/5+eoxG3T/dFR8+/q9RVRVBEMjJySElJYXHHnuMmNhYUlJSSElJITo6GkEQ/lIbovuDoqg4nQpOp4LdLuN0Kp5OuD8DOJ0KiqJ61tkdMna7jMMh45S17S4f+wU7d2Z7lru3/ztQVXB4+qTgcMgATLxuAcuXp2vrvPrkPmc3DoeMLP99/fXhw8f5x6O+iKKAKFaXkoqiIooCOl3Vcp3OIwsRBAFDHVqZyaTHbNZjMPz9GpsgUE1TdAstk0mHyaSrpUW6z8ct6C4mLdOHDx9/Dp2qasJg/4E80tMLyMmrYP/uMwwd3oz+fZPJySln/YZTjL6sKQBfL9hPs6ZRNGkcSXGxlanT1lBRYScmJpCrx7emXr1gBAGyskr58JMdREf5c8341sTFB3kE5YXE6VR44pnllBRUkNokiltv7OgSXipFxRYeefIXRFHgxmvbU79BCG+/t4UG9UIYMigNgLdmbaZ502h69mzwt/TXhw8f5x/Rrals35HFZWM+5+CBXIKCjNx5748cPpJPxqkSpr26zrPDy9PXsmlzJgDvvLuFkmIrCQnB6PUSokuZs9mdvP7mJoKCjHzz3UGmTlsLaFrR+bfoabiP++xzqwgPM9OmdRwnThYzbbrWd1EUeP2NjQQGGNi79yz3PPgTNpsTgMm3fs+JE0X8sOgwH3y0HYNB4gKYHn348PE3oXPb6HQ6gcGD0pj20iBEUWDnnjw2bDhF2zZxREcHeHaIiQogwN8AwJmsMrZuOc21V7elU6cEzzaiIDBubAuumdCaBgkhfPPdAQCEC6T9uLXO4mIrH326g8Zp4YRHBbBnaybhMUE89mgvVBWGDW3Mg/d35/TpEi4f+yVHjxVw640dkQSRcRPnE2jW8+PCq4mNCdT661PWfPj4V+KxsVmtTtJSwz1Dr7BQPxwOBVlWkR1VxnVZUZFdkwQvvtCfw4fz+OSLvUy49is+mj2a7t3qIwgCHTsk4HDIWK1OjyC8UKioCAicOFlEdKQ/D9zbg8AgI0Z9N2LjNCGlqnBJ9/oA2OwywUEmKirsALRrHcvL0yswxAR6hJoPHz7+HlSvv6rX97+CZyZAkkTycis4m1vOxo2ZbNyaSc9LGqDTS2SdLSMzs4SP5+5k8Q+HMZo0eaiqKk2bRnHvHZ1p1iyapcuOAZqQLCm2otdLOBwKlZX289DVXzkJQUBVoVnTaIxGHTk5ZbRpHUujJpGEhZpdfXJwPL2Qs7nlfPX1fuyyTPt28RxPL+ThJ35h9jujSE2J4O57F1NZ6fANRX34+Bejc/9+A/wNfLfwAJv3nMFWbmf6K0No1CgCh0NhyOBUevZ8ky6XpHH5mOYEB2nC4qZbFrJxRyY6WaFT1wbcclNHAJIbhuEfoGlpERF+1K8fesFPRBDAYBD5dM7ljLpiHk9NXYVql3novku45eaOJCWF8uTTv/DEs8tISAjhi7ljkESRJ59bTrdu9endK4mkpFAuG/s5X361l+uubYssK0iS+NuN+/Dh46JCkGVFFUWBOXN3sX/fWV55eeA/3ScfPnz8h6npoPvoY48RGxtL8nl00PXY2Cor7ZzOKvE44EqSiCRpB1cUFUVRPcZ0URQQBAFZVjyzkYKAR7uRZQVRFBGEqplQ97EuNKqKxwbo7qsoCsiyWjW8FEBy9U+WFQRB28a9b10+fT58+Pj3oHNLxm5d65HUIBSdTvTMMro51w/9XMM07+V/t4AQhOpOxG40wfrr53CufX348PHvwuPu0aplDK1axgD/TTcHTeMU/pFz+yfb9uHj/5FasaL/VbTh8/9f2z58/D/iEWyCUH3YqKpVNilVrbKzebtBuLepWvc39vxXcPfHW1jfctsPrFlzslZfvc/Tve9fOQ/v6+QOpp84aQF79+bUarvm9byYrqEPH/9mPJMH3kMl96yF92fvWYqayy42bcRbQLtDxs5klWKxOGvZ/KrOE+Cvx4bWfDkAZGaW4nDItY7t/u62afomLHz4OD94BNvho/kIQFpqBIIgcPRYAYqs0qhRBFark42bM1FkhcaNI4mPCwIgO7sMVYUjx/LRiQLNmkcTGmKuNfnwd7NqzQmslQ4iowJo2yYWwJWHTWX1upPoJJG2reMwm3Xs3J1NVIQ/8fFBgMDefWcJCTaRmBhcTcD/HlRVZfmqdJx2mfj4YFo0jwbAbNZhdyisWJVOgL+B1q1iMRgktu04Q72EEKKi/AHYtTubmOgAYmIC/3DbPnz4qMIj2BYtPsK0GWtZtuha4uKDGH7pZ1x/bVuuj2rHcy+sYvXadMwGCaOfkTdeHUqzZlE88NASsnPKUEU4euAsw4Y3Zcb0IRgM0j/2o/zqq318u+gA2GUcosiVY5pz2aXNEEX4aO4OCkutHDteyOjhTXnpxQG8M3sba9acYNuGmzl5sphhIz/h5RcHMfYPCjanU+GTT3fx87KjiLKCIum4YWIb+vdPQZYVZr2zmWOZxWSfKeP6ie147OFLeHn6Ok5mFLNpzY2sXZfBxEnf8M5bIxgYHehyufEJNh8+/gyiZmOC++7qykP3XsLzL6/hrnsX88j9PXjgvu58Nm83u/dks2PzbaxfezONUiP49PPdyLKC0SjRoX0cK36+jp0776JP74aeIdffHZKkqloo1yNP/kLDBqH0GpCKo9LOlJfXeNb7+xlY+sNEFi+YwC/Lj5Fxqph33xhOn17J3PXATzzz3Ao+ev8yxl7RHFVVEUVRS6D5OyZVCgosPPHMClq0iKZX/1RyMouY/voGQPONi44OZP2yG/hg1ih+WHSQvLwKvvpsLE3SIrj93kW89dYmvvhsLIMGpqKqqi/iwYePv4CoOdqq2O0yN1zXjkMH8/hpyREmTmyDzebk6NFC+vZuiM3upLzcTu+eSfiZdDgcMv7+Bvr2ScZml4kINzPm8uYEBhoB/laNTVE15+EjR/IJDTVRUengwIFcmjaJ5Nmn+2rbKCqTrm1LeYUdvUGiQWIoZ85otq97bu/Ml1/uJSunjD59NOHs7r9eL/2qb5tbfh87lk9khJmSEjsHDuTSo0d9Hnqwh+sYOq69pi3l5XZCQszERQeSnV2KLCvcdXsXZr21BVlR6dwpAbu9ti3Ohw8ffwydph0I6HQSL7y4mjGXNePkyWKef2E1jz/Wk5Yto5nzyQ4ee6QXRgN8t/AgyQ1DMRh0yLJKWZkNo0HyaDWSJP7t9jXBFQQfHx+MpdLJ3bd3oUGD0BrbaMb5AH8Dy/blcvJ0MS1aRKPXS7wwdTXTpg7ip5+OMO/zPVw5viUAdpvMI08vo35CMHfe1hmglv3Q/Tk2LgibTeapR3oREFgzm4mKXi8SEGBg67bT5BdVkpISgexUeWn6Oj56/zK+/Govi348wrChab4Elz58/EU8kQdPP7eSpSuPs2ThNZSU2OjW+z1kReGB+7qze28OSQ1fxmDU0atPMnfe3gVRFLDZqrJg/JNhSILrf+HhZl6ZOpAuPd/DHGhAtcncf28PbrulE3aHwugrPiMwxIwgisx6fRjBQSaunDgfp1Nl8vXtaNI4ktHjPsdhl5k4sQ0Go8SBA7nMnbuTK8e2JCLCDy2pSu3zbJgUyhOP9aJ+4+mEhZtx2mVefGYA48a2oKzcRp+BH+Jn0mEONPL+W6PQ60RGXjGPxIRgrr22DSGhJq67aQEfzBrF8GGNfQH4Pnz8BQR3laqCgkr0eomgIG0oWVhkQVFUIsL9cDgVzpwuQVFV4uOCPJWeysvtGAzSP1LboC7c2lR2ThlWqxNUCA0zExJsorTMRnGRBaes4u+vJzoqAFVVOZtbQUiwCZMrFVNuXgVGgw4/Pz1Wm4N77/8ZS6WdD2df5sqs++szvqddw1uAiHA/AgONFJdYKSmxIssqQUFGIsL9UBSVs7nlRIT7eeos5JwtJ8DfQECA4R+fWfbh40JRZxB8zAUKgg8P93M1qv2g3HnMVBX0OrHa0M69TUDAhU0g+UfxDAvrSBYZFGgkyGX/q9peIMYrOzBAVKTmelFYaOGm27+nqMTK53PGYDBIv2uImBAfVGtZSLCJkGCT57uqahpuzX5698Un1Hz4+PPUKrLpcdJFG3BVOe1Wrb/Yf3TeE7LefT3X8roICzMzf964ast+z1D7t9r+tevn09J8+Dg/nLN6cM3f17/pB+d0yp7Ac71e/NMRErKiwh9MuXSuNupa7lSciIKIKIh/qn9/N06n4knz5H1dL1Q7CAI6r/RZslxVA1anEy9aG6S7lq5WulLy3Ne/4/rJctWMvjYxWNtMpCjaNRRFEUVRUBR36i6x2r7e29Vc7t7Xvd/Fxn+yLPr5qg0q/cHJEIdSPaW4TtQhCiIqKk7Z6anNoJf0nvUXI4qq4FS0Cl4CAjpRhyAI6HTiBU/rpKrqOdvRcgT+9fYdDgVJ+muTXbKsVCusrdOJnuOd6/n7O65fXYKsJt6CSBTFOgWTIAh1Hst7+e9p65/i4vxl/QWcToVpr65jw7oTJCSF8/hDlxAXd/5rmrpjUL2PqRf1dW7rLcxAExyiIDJ351zSItLonNjZI/S8kWUVUfz7fQJFQcQgVbefOp0qb8zaxC8/HaR+cgSPP9yL+Pig8xr65T7WR3N28M23+9Cb9NxxUyf69GkIwM9LjvLOB1ux251cdUVrrrqy5Z9qX6//68JFE7I1+w8Wi4MpL61h/57TdO+ZzORJHTwTcjPf3MSypYdp0jKWu27tQlxc4Hl5Lt3XQJZlNm7cSFhYGKqqUlhYSNeuXZGkqnKSgiCwY8cOgoKCSElJYefOnezbt4/w8HC6dOlCaKhmSz927Bhbt27FaDTSuXNn4uLiACgrK2Pjxo00a9aM9PR0QkNDad68+V9+DmoWdPmrXHw65F/EZnPy889H6dK1ASOHNfb4lJ1v4VDTvUVWZR5Y8iC93u1Dj3d60veD/mw4pUUelNnKGf/5VbSd2YHJC26m3F4OwE9HlnAg78A525Ak4W8VarIiIwoC6zLWMeCDQXR+qyvD5ozgWOExRBG6dU5kwoQ2bN58mlOZJa69zq9Qy8ws4a1ZmxkyqBETxrciKUn7oZWX23l95kaaNIrk2qvb0qpV9J9q32aTefjRX9i46ZSn3T/Dhx/voGvXt+jS+306dpnF4SP5Hl/JAf2SSUwM5YdFhz2V0BRFpWuXRLp1a8DiRUfIzSt3tf+nmq+G+xkRRZGMjAyOHz9OQUEBBw4cwOFw1Nr+yJEjnDlzBoC4uDjS0tI4fvw4paWlrj6phIeH06pVK86cOUNubq5nX1EU2bNnD/n5+WRkZJCenl6tDxcLv1tjq5ni+2I1dKsqxMUFcvXVbUmIr5p1dKcpVxQVQRRqDTOdTre9oPZNkmW1mp1HEAQ+m7ebzNOlPOyKLnAoDrZnbWdk85EMTO2PU5FJCIoHYPJ3NxIdFMVDPR9g4aFFPPDTA7w76l2CTUEEGANRVAUEPBqbe6h0/wM/M2hQKv36JgMCv2bKUFRFOw51D3EVVUHg3IJSVmQkUWLBgW95ftULPN37SeKDEtCJEvGB8YgidOyQQMcOCSz9Jf283Hvv66ooIAgqO3ZlEx7mx623dKrqu6Jy9FgBNrvMbTd1IiGhaubZnd5d+1z9ZeNtjwPt2bDbnazfcIr27eI86eJ1unOfTM1U8+5j7dqdQ0xcCI8/3ptVK09w6ZjPWfDVOBo3iuSSHg1QFDibt9krg4tK+3bxxMcFs25D5q+2+WcRBIHw8HACAwMxm83Ex8ej0+k869wpukwmEwaD9sKPjo4mIiKC9PT0akPS0NBQQkNDOXjwoOcY2vnriI6OJjAwkJCQEKKjo7kY0YHmw/bGm5vZtvMMJzOKaNE0mk07zvDg3V258YaOfDRnB089twwR6NM3hVlvjODb7w7w4Zwd/LjwakwmHatWneCd97fy4gv9SWoQ+o96zzscCvn5FcTFBqAoWjHo7KwyJt/2PSeP5hMQ7seUp/rSp08yFRUO7rhnERvWnKBcVrjtho488tAlzP/6AO+9vwVzoJ6dm0/QZ0BT3n1rhMffrbLSQWFBZdU5qqCX9ET5RxIfFE+QKQgBgaOFRzlZfII3hr9OpF8kr218na2ntlNoLcRP78fGjI28s+E9jhcc565L7uDervd4hkrZOeWeGgwA9y6+DxWVGUNeBWDmxplklJzi+b7P8fCSR9h4cgt2p5XWCa15YeDzxAfG8eSKJzlbnsu2jO2cLjnD1e2u4qWBUwGXURgBFW34qaoqCw8s5IrmlzOiyYhq19T9o7DbnVRanH/qvrhfhkeOFjB2wpfkZ5USHBXAR++OIiYqkGtvXMDuHWdwiAJxCS/SpkMiH84axQOPLWHJokNYBWjf4x3CQsws+/FaoqP9efe9rbw+cz1WRaF75wa888YI/AP1/PzzUR5+YimKzUnrDonMnDaEHTuyuOWeH8jKKuWuhxZzz90LGX5pc2a8PBijSVdtOOV2kF6z9iSPPvkLpeU2HE6Zh+/pwcRr2mAy6mjaLIa2reNo2zqOLVvP8NbbW3nj9SEoikphYWWtGGNFUcnPr8Bul39TU3P3paCggA8++IBevXrRsWPH37zG/fv39wixVq1aeexghw8f5vvvv8dkMlFYWMiwYcM87VRUVOB0Vr+nbk3W4aiyG6uqisFgYPz48UiSRL169S7KiQNwDUXNZj3rN2bQtk0cw4c0pqTUxgN3diU7u4L5X+/j3Q+2sm/nXWSefIjiYiszZm7g0lHNKCmxsm17FgBLfjlGk0aRJDUIddmG/ll1zj1UVF1azE23LaRn1/rM/nA0E8e3ZvKtC7HZZH5ZdoziIisfzRnD6aP388hDl2gHEFR27s7m8Qd7kpn5OLt2Z7Nw4SFOnSpm3bqTHD1eQNbZMtatz+DAwTxEVaJ+cD2mr3mV1q+3Y/BHQym2FnGi6ATRgdHkl+dxxRdXUGYvo2lcY47kH8Xf4MfajHUsvu4H3hz5Op/t/AyL3cbuPTmsW3eSohILu/bksG5DBqdPlzGi6XB2Z+8ityIXp+JkybGljGg8HLPezNSBL/LGiNd4//J3ySrL4ut98wEorizmdMlptt+xleWTl+Jn8ONs+VkkUar2wAqCQGZpJhklJ0gOTdYSZSpytaGaKArnDJnznrGsC9UVz5uXW8GY8V/w3FN9ycx8mIfv7c59D/6Mf4CB5T9fx4ezL6db+0ROHH+AH7+dQESkH3M/GM2SpdfTqXU8a5Zez4GddxAXF8ipjBKW/nKMxx/vQ8bh+/ns48sJDDKQkVHMY08sY/pLg5n9wWhKCy08+vgv9OuXzIHtd9Cra0PefX0EmZmP8PbM4Z46ud7arHuSouclDfjko8t5d+ZwHr2/J6/MWE9JiQ1BAKvF4Um02qRJFKqqeHwU63r+/0x0jiiKBAcHYzQaf3tjNIO+KIpIkuQRaoWFhfzyyy9cddVV3HnnnbRs2RK73e4557q0+F9brtPpPH8vVsGmA+2hjIr0p02rWHbszKJ7t3qEhfmRfqKIrVtPM2xQGkFBBmw2J+Mub8mRI3kYDCJDhzRi5ap0UlPCOHQoj/vv7e46bN1hR/8EOp1EaakNi9XB51/u5svv96PanAwYkILTqdCubRyffbWHBx9dwoQrW9Otcz2aN4+iotzOleNa0b59PLKs0K1zPTJPl1Cy1Mr7H2yhoNSG3SZz7Fg+l/RoyPNP9+W9ke952r1s3mheWDWVK1peToW1knt/vp9BqYO4ru1ErvxqAsGmIKwOKw9f8hAmnYkgUwih/sGUl9v5YM52Nq0/QWZuJemnivj2hwPccUN3Rl3VirigBHZk7STQ6I+fwY+W0S1xKE6eX/UCX+/+hqSwJA7mHmRMi9EAGHVGJraeiIpK8+jmNI9u7umj283EjUlnQnFnFkbFoTgQBQn975i9/a3ZSncapg0bT9EgMZhePRtgsznp3r0BmzedJiOjmNBQM06n4hr+qdWMyNqwseovAsTGBtKqdSyvztzAiRNFdOtaj759kjl1qoSC4kqefH4FDruMQVUYfbl23naHogkjVcVmc4IgYKwjcsY9TN69O4db7l5ERWEFhiCTNrkiCuDKKu1wKFqaLsBolFxtyDhc1d7sdtll5tBGEnaHjKKqOFzbiOcY07uFSmhoKDfddNNvXv9fIycnh7CwMOLjNdOIwWDwvLAURUGWZVfGZxlZlj2uHFUZshWPG8nFZks7F54n1l2iTieJnmlsPz8DAf56Nm7O9Ey1b995BkHUpv7HjmnBiy+tZtWqE8TGBtGtWz2UiyzljuJ6oxYXW5n9/mW0bRNXbb2/fzDzPxsLwORbv+e11zdwcO+dKCoY9O4pfIGde3Lo0b0+48e1ZPIN7fnyy70cPVbI44/1rLNdSdThkO2khCVzNO8oj/d7jMntbmDhwYWUWEpICknCrjiwylbX9gKqLBIWZmbmq0MBuOXWH7h6Qiu6dq3nOW6PBt3YlbMLi6OSoalDCDWHsiN7F98fXMjh+w8CMOKTkdhlu+u4EjanDQEBRVU8w07vGVgREUVViPKPIi08jR8OL2JMizGYdN7REnWPndzP+bIVx7FYnQwblIbgKmVYV7KApAahnDxVTFmpndjYQIqKLOw7lEtIiMlVwlFAr9d8v7x/QqKoLXfXj1BUFZNZxzNP9uGZJ/vwyed7uHzcF6xfNRmDQSIyzJ+NKyfX6q9eLyCIAgad5AkNrIk7mzIIvDJjHUMHpPLYIz3ZviOLSTcu0HwbdSLBwUYMBomzZ8uZ9+Uenn2qD4IABr1EvYRgT8JSAFlR0OtFkpPCCA40kdQwDL2rItyvYbFYOHDgANHR0SQkJPz6xudAr9dTVlYGaEPLrKwsj21MFEVCQkIwmUyEhoZ6tDy3ADOZTAQFBV3Urh11oQPtoc3Lq6Cy0kFRsQWdXqS83EZRkYUbrm/H6vUZjBz1CYFBRkrK7TzxSC8A6tcPITDIyGPPLGP61EFabQRZRbwAhtE/iyKrhISYuPeurky8/hsaN4oEVeWSHknccVtnVq48wftztiHqBIwGHd26aUIkIMDA94sOkF9qIftUCfUSgxk8KA2HQ3NoPH6ikPQThdhsTs1orYNp66ZxLPc4ORU5KIKTmzveSKgpjCf7PcHSI0tZcWQlZ8qyuLbttZh0JrJKs7A5LABYnTZyynOQZQWbzY4kiZw4WcTxE0W0ax+PIKjo9RL9U/px5w/3UGot5erLr0FFJcQUjFlnYvickUQHRbMuYx39UvoBUGgppMJRCWiTEzW1NNcKULWZ3Yd6Psj4r65i6JzhxAbGEmDw5/6e95EQlFCncFNV7Uf7+Zd7+fjTnezechvNmkWhKNWD+EVRs+G1bBXDqJFNGTX2c1LrBXG2yMZllzalXj1NAFitMjlny2q1Zbc7yckp88ThCoJA1plSnntxFcXlNmJCzPTulYROL9KxQwKdOibQttPbNGoSiWxXuP+ebnTskIDBoGPwwFTuefAnPv10Ox27NOCWyR3QG6Q6XRZatojh/Q+3sWt3Fvn5FgoKLMiKQlm5jTkfbubIiUK2bs6kb9+GDByQSlGRhSkvrWHN+pMcOVpA8aWfMnpMC8Ze3pxpr69l5Zp01q0/xbix8xg4uDE3Xt/BFRtcvW33d4vFwg8//EBaWhpXXnnlH3n0PcTFxWE2m5kzZw7h4eEUFxd7bGqbN28mPT2d9PR0ysrKSE5Opnv37hw9epQDBw5w5MgRcnJySEpKonPnzoSEhPwrsjvrQNPMnnm6L/FxQbRrF4sgCAQEGOjYMZF6icHMemM4Py46iKyoDBqURkpyOAD+/nruv7c7/funMHRII9cb9+LQ1twzoJKkaQ/jx7UkONREenohqGgCDoiO9qdHt/o4FW3WcOxobcgiOxViYoLo1CEB2sYxdkxLQkJMLk1E01YrKuyet76iKjSNakqoMQxJFBmYNoDE4EQUVeH6dpMIMgSRW55LakQqA1L7owKP9HyYSH+tH61jW/H2iDfRiTp0Js0W8+wzfUiID8ZokDyD+4ahyTzW61FUVSUlLBmAhqFJvDvqHTZlbKZeaD1u6DCJmACtlOIdne4gyKQJDW/vcbUubyEVUsJS+PTyT1idvhpUMOlNmPVm3AlJFaX6noqioJNEBvRLYdWqdEwm95u9bvsMwNNP9CEtLYKi/HLqNwxn+JBGnm16XFKf+IRAz3V126QapUXw+oyh1HcJQAHNNty5YyIVVge2SgeTbuhAWmoEANNfGcRnX+zB7pRBgcgIf08b113bluAwEyUFFaSmRXja8I5QcX++eXIHGjYMJSe7jPbt4pFlFX9/A7fc2IEObWKosCkM6pvCuCtaAFBRYad1qxgaNYogINBAYW4FDeqHIEkiTRpHEhxi5LqJbSnKrySxfqhnoqimoHB/DwsLo0mTJtVmJv8o/v7+DB8+nEOHDhEVFUWnTp08xwsPD0cURVq0aIHFYsHf3x9RFAkKCiIhIYG0tDTsdjs6nc4zk3qxCzXwyu5xLuqa3XTbHy5Gl4/ycjvXTlrAC8/3p1FauEcg/NFZ2o/m7GTvvrO8Om2QZ9kffVO5HXFVVUHw0pT+yhuvWqEdl1NvXc69fxZ3n3+t3XFXfsldd3SlS5dEHHaZp55bwZff7GfalIFcOqrJH065dD5n0P+pZ9I9fD0fP3p3yFJubi6LFi0iMDCQQYMGERhYO7nD7+vbxaVh1ZXdIyYmlpSUFJLPd3YPt5e7d7C2e4bHrf2Ae2as6s2mKJohVhL//gSTdaHXi5SW2ejd612at4vn3ZnDSUoK8/gjec7P5cvmfW6AR+vU6USsVgdOlxHYO2QG6o48kNWqWcTqMaCiNsPoEkCSqGk13r5lmkFb8ayDuiMPBEFAVrXhmCS47CEInrbdAk4QtGGndxtOxYlO1PHS2pd5Z+N7BBkCkVUFSRQptZXRP7UfM4ZNx6wze+JYtVhZCadT5ZEnl/LVZ9sRTUYec2V20elE7ritMzdN7kD9eiFav35DqHn7htXU8jVjde34XE1bVFxxi17HURSPq7r3rKN3+UOtT4KXxlrd9+3XYoG9j6Ptr9mQaz432mxxlauIt7rg7pfbb87Nudp2zzSGhYUxatQozGYzZrP5nH38Lbx92Go+SzXLT7rbP9fyfwu/qbH9GTTfq39O0Gl2KhlB0KpT/R5twO146/3DcAv2/xp22Y5DdlTT8lRUJFHCqDOeU/uz2WScThmDQTpv8bg+fh8Xm9b1V/hbNbbzyT9tZ5MkET+/P9aHmn32rrP6X8MgGWrFgv4ejEbJ49JQk4vRLPFf4r8i1P4uzqsEcut+a9dlUFRkOZ+HvqAossrqNSc4cjT/n+7Kvxbf787HxYRHsGnOhjIOh4zN5vR4kauq5oToRnN3cDn3qZoDos0ua46IrvxN9z7wE4cO5XmWe9siLjSqu082J3ZHdc95u+vc7HbZY+9QFJXSUhu9+n/I9Bnr/7Z++vDh48JRzUFXFKsPM9xjYb2+6nXsnfJFFIQ66x3ERAcQFGSq06P7QiOco0+gOU7W3h5CQk1s23QLwUGmOvby4cPHvw3RrdGsWHmCJ59azm33/EiHDq/z6usbEASBI0cLePKpFZ4dHn9qGStXnwDgeHohvQd+SIeus7hs7OccPJgHaLN527adoeMl7zL0sk/ZsSPLtfy3Cw//VQoKKhk47GM6dHyTaycvoKhQGxLbbE4m3fgtHTq+RY9+s/nue81Lf/36DAaOmMuU51Zw/HjBBe+fDx8+Ljyia/RIztlypry0mjYtYnjttZHMem8LGzaeorTExuq1Jzw7rFp9gtOuXFxvvLmJvj2TePP14Tz1eG9POhmL1cFnX+zmtZcHExxg5OUZ61x7C+cl/1RdqKr279bbFzF5Untmvj6CxPhg7r5/MQBz5u7EoJeYOXM4r70yhG6uMKVGjSJ47sm+FBTZ2LAp88J0zocPH38ruqp87DLXXN2GGya1A6BTuwT27jtLpw6JhIaYPU654eF+GAzacDQiwo/ZH2wlLNSfyTe0Q3C5Rhj0Eo892ouunetx8EAeixYf1hq5QAZm94xcVlYZW3aeZvf+LAxmPYVnSuneW8u+mhAXxEsz1uFwyNUyOoSH+xER4U+LFjH4mfWezCQ+Y7gPH/9ePAYzh0MhPMzPs6Kk1Ob6oSvYbE4kSXMwLC6yeBz1Hn+0FyePP4DJX09M/It8u0DLBisIAsFBRhRVxelUPDnMLhTuIJ+CwkqC/Y1sWHUTezbfxunTj/DFJ1qA+9ChjUg/cA933taFpi1f5467Fnn6CqCTBIICjS5HzgvaXR8+fFxgPBLHZNSxa1cWXy3YR/qxQs7mlzOgfwqlZXbyCiqYO3c7+w8VsGblMe68owsAy5ank1dYTniwkX79U8k8ow1RCwstWCxOREGgosJOQUHlBT0JUdCGuC2aR9O0aRT3P/QTAwamosoqrVrG0LRJFLt2ZXPoaD56ncj4K1tzIl2zpx0+ks/uPTms35LJicxiIqL96d65HrGxgT7fLB8+/qXo3DYvvUHi6LEC5n21F9UuM3vWKKKjA4iKgvvu6cZnn2yhc/cUpk0fTkpDLQh++Yrj7D10FtnioEv3Btx2S2cAxo1tQWyMVvy3bZs4zH5aIZMLKSTcIWAfvDuK2+5exKdf7EF1yuiktjRtEsX2HdksWHQAVVaIiAzgpSkDAcg4Wcy8L/eQ2igch0Phi/l7SaoXQmxsIBdTXjkfPnz8fgRZVlRRFPjo450cO1bAC8/186z0aSw+fPg437jdyM7m5JCcksIjjz1GbEwsyRcipMpqdXLiRBE2u4wiK+j1Ok/BCXehV3fcpCRpAeHuwrBAteKwDoeMTie6SoJpTrDno+TZ70FVVewOxRMG4S6s6ynCizu9segJTNackaui//U1At59+PDx70Ln/gGPvrQpA/snu5xqqzuynqvQ67kCob2XS9KvZ0843wjnSPV87iK8dReG9eHDx78Xj8YWFeVPVJT/r237f4c7wwdcPEHxmr9eVRqdi6FPPnxcbHgE2/lMlPdfwG0H8L4c/7TNsapPtVNI+/DhowqPYFMUBUUFvaRV0XBX1nEn1XPKWkI/URLQuVL8uG1WVcWURSRJ8OwrKyoCVTY5wJO40X3s82nLUl1+c+7jKorqle1XS2CIq0iI6ir+7NaA3EJLdRWjEUWBgsJK9uzOQVZVunSqh7+//k/0SXN+1kqi1exTVcJK77ar+qR6kgG6+1RWZmP7jiwcDpn27RMIDfHFt/rwUROPYJMk0WNZk2XVY49yp202eAXIu5e5c5jVNFG59625XKu6feEmEbSAfcnTVvU6jkKt/njtWWtJdnYZd9+/mCMHc/ELMtL7koY8+nBP/Pz+mHATBH6lT7Uzxf5anwoLLTz06BI2bjxFSKiJ9u0SePqJPoT4hJsPH9XwCLbvfjhIRYWd8WNaIEkiX87fh14vctmoppw+Xcpb72xCdsgMHNSIvq4wpbXrMnA6FZatPI4OldGXt6Rli2gWLjxESKiJRT8fITLCj2uubE1UVACCIDD3s13s3H4GY4CBof3T6NGj/l/Oee/WbLKyypj7+S6uGtOShMQgMk4Vs2jxETq0jUOnE1m38RThYWZ0kkRBSSWD+qZQVGxl5+5sVFklJiaQ/YdzuWZ8az77YjfFRRZ27rgDgIj4F+nYIYERwxv/oT4VFlp4f852Rg1rTFpqBPkFlXzx5V7atonD30/Phk2nMJl0hASbOHWmhKED0ygrs7Nv/1nKym0kNQhj174cxl7WjPUbM9m9J4d9u+8EIKnxdJo2ieTGGzr4PO58+PBC57HbIPDgo0uJivAnPi6I56es4rmn+3LkaAEPPbKE2NgAggKNPPbkLzge78Oggam89voGsrLL6Nc/mY0bTnE0vZgP3ruU519cjcPuZODQNH5acoRDB/P54L1RLFueztKlR2nZPIr8Ett5zdPmNvJv3JTJunUZfD//Sp5+ZiU6vUiDhBAeefIXWrWMZvWakzRKi0CQBBwWmUU/HSYw0MDBg3lERgQg6gXMBj0ZJ4sZM7oF2dnlXHfDN0RF+LNzZ9bvFmxan7Qh98GDuSxceJBVv0xi6strOXWqmLTUCO6850dSU8LYsvU09euFIkjgtCmsWZ+B0ymTnV2GwaDDZNaBU6Wk1MqlI5tSXm5n4nXfYNDrOHy44A8XT/Hh47+OThA0u8/I4Y0xGXW88MoaHFaZD94ZRcdOCTz7/Cr0BpG33xgBwDPPrWTVmhP07dOQqCh/evdqwO23dUEF9uzJQacTiYryZ+yY5lw9oTVbt53hrnsXU1BYidXiYOfeHJo0ieLl5wd4OvFX7Wxu43lcXCDffTmeSTd+yyW936dTp/q8Om0Qe/ecRa8Xee6pvtx46/fcclNHMjJKsFqdGA0S99/dnQ/mbKdVyxjCQvzYdyAXg17i8JE8li8/xqCBqZSW2MnLr/C0+VuTLVWVvM3Mef8y7rhrET37zqZpoyg+/fhyzuZotTOffKw3jz+1jBHDGmO1OsnLr8SgF5k8qR1r12Xg56enWZMotmw7gyhATnYZt9+1iDZtYunetT77Dpx12ez+0iX04eM/hQhV2k6rltHINoXMzBJatYpBVaGoyEJailarUVWhQf1QjAYJWdYK+KakhONwyAgqtGoZg16vOcN26pjoMsgLhAabKMivZOiQNOZ9PIbIcD8at5rJc8+vBM5vnjZBFGjdMpZNW854alDmF1QSGx2AxaoViQ0KMlHoSl0eEmwCBCwWJxER/uTmlRMR7od/kIGPP9vNhCtbc/edXTmTVUpCfFX5M+/ak7+G+9p2aJ/A9u3ZREb5YzBI5OZVEBMZgNOh4HDIhIWZKSy0ACpB/kb0OomycjtRkf4UFlUSGGAgIsqfjz/fTf8+yTz+aC9y8yuIjPD3FVbx4aMGojbjJlBaauPeB37mhkntmDypPddct4BKi4PevZL4aekRjhwpoKjIwhfz9xAYaMJo1FFZ6aC83I5eLyErCg5nlYA6faaYoiILX32zD6NZR3JyOFabTJNGkYwf15I7b+nEjz8dcc2g/vU8be6Sagu+PcCq1SdYt/pGPpu3h+Ur0gkKMlJcbEVRVCwWB1arE1nWUp5XVGgl9ux2GYvFic0mExCgp03LWJo3iaR7j/rs2pXNslXH6d8/BdAmT+6490f6Df6IYpeArGtY7Z7ZXLHyBJ99sZt1q25kzZoMvl6wn6AgE8UlVpyKitWqta0oWtREpcWhpWl3ylRU2nE4FPR6kfZt40hLCadv32SOHSvk24UH6dO3oSdO1ocPHxo6t9bxyox1qCJMvKYNlZUOBo+cy9SX1vDcM305dbqEAQNngyhy661duP/ebqgqxMQEEBRkBFx1LF1hSbKiMOG6rzHoRJo2j+bDdy5DkgQ+/ngnL722FgSV4GAz06cMRKcTPe4ffxZFVREFgUOH83nhldW8MX0oXToncM3E1jz34ipuvbEjTZtGotdL1K8XQmCgkchIP4wGHQkJQfj56YmPCyI0xIQia24vl13alOPphbRu/QaKXmDai4Np2ybOU5IvJTmMN9/exPH0Itq1M7ucZqvXHRVFgczMEh57+hcee6gnHTrEceedXZg2Yx13396N5s2j0OtFEhODCQoyEh7uh8MhUxEXSECAkdjoQMLD/TAZ9djsMr16JnHz5A506f4Oqqry6KO9GdAvxXX9//z18+Hjv8Z5rSsqKyqSKDB85Ke8+spgUtPCz9ehLxqcToVde3J4d/Y2HFYHb80cjp+/O3uJT7r48PFb/B1B8NWqVMlewylZ9qpGpajIslJtmXt5XXLxbG4FefkVrn2qb+8+jlYt+/yOn2pWe3e3565Gpa1XPY6x7n/u7+7tfu28BUFgxcp0LFY7L00ZiH+AwWNLPBfe56pVFq/ep5ptV/uuVn0+V598+PBRnWpVqrzxdh/Q1tX+4dbcx/3bvuO2TiQlhdZyQTjXcc4X7miGutpz983tEFtTELm/ey+uq7+SJPDgfd2rLfutWV3vPgmC4NWHc7dd87v784W+hj58/Bc4rzm7Rdev7+oJrc/nYf8w7pqhggCiKJ53+5PTqSArKgad6Knz8GdQVAUB4V8/hPXWcrXU6uf3fLxTY/nw8Xu4IMUIHE4F3QV4wH8vmkZ04drW6cTzcuFE4b/hVFszTOxCHN+Hjz+C55flHXjtbf9xr/O2/Xhv7437u96VZPKfwG6Xueqa+TRs+DKDR37CyZNFQJUW57ZbeeNt3/I+5+rX4vfZs1RVRVZkZEX2FJmpiazKADyx7EkWHlqotaEq59ze+9je26io1Wx3iqpox1Frb6P8zjY8fVTkuvtA7fN7d/Y2GjZ8iSatZrJkyTFtf/nP2f+874Xbv/GDj3Yw7dV1XvZJ97bVn0H3/fLhwyPY3A6n7n/uEnRVQzr3MsGz7Fx2qn8Su12mtMTGBx+OYd6cy4l31ToVRDznJXr10234rzo/bbn39ag676p2bDYnlZUOz3en4mTkZ6No+HIKTV9tQds327Pm5BrPOoAHf36QFq+1ZlfObgBOlZyixFaitSGICDW0zIoKOw5HlYBxh755vnsNY93HEIXqLxX3NuI52qi6DppQKLWVcu3Xk2j4ciqNpjdhefpyQBs2Lz22lE5vd6HpjJa0eK01q9JXATDhylZs3nw7XTvW43RWqef6/VE0t5+qe+HW1PLzK8k5W+6yT4oevz3vZ7CulE4+/n/RgWYzKiuzUVhkobLSQXiYmZzcCpLqhxAaasZuk9m6/TSKopKaEk5MTCBnz5ZjsTppUD8E0FKLZ+eUERMdgNn8x9P7nE/MZj0xMQGEhpo9+okoCOzclU1RYSVmfwOdOyZ48q2dOFlExskiJL1EvYRg6tcPobjYisXioKTMRt7ZMtIaRRIdFeARNG/P2kL6iSJenTYIEJAFJ4Ig8PHYOVzSoIenLyoqOlHHZ7vnsez4cuJCYrDarQAYJSN6Uc+OMztxqk6aRjUhwBCA1epAkkSunfQtYy5vxqWjmiAIAmfKMzHrzUT5R6GiUmotpdhaTGJwIofyDpFXno+iKiSFNaBBaAMAcityERBJLzyOqkJqRArhfuGoqNWEnKIqSKLE9we/Z3jTYcy5/EM+3PEhDy95lC23bGJF+kru/PEuPrz0A7rW6+rZX1XB30+Pv5+e0FDTX8qWLIoCBw7mkpNdht6oo0O7OEwmPZIkEuBv4NDhfHLPltKsWQzh4X5kZpZQUWmncaNI7fqcKaW83E5aWoTPr+//HB1ASYmVBx9eytHjBeTklBEdFUBmdik3TWrHzTd25IWpa/hl2VFMBpGAYDPvvT2SXbuyefzJ5WxcdyMhISZ++ukIH87ZwdtvDScxIfgvZ+z4K6iqFlUAIDsVdDqRtWszePeDbVjLLDgliSH9U7hxcgdOnSrhsSeWUZxfztlSG9eMa8Vdd3Thh0WHefTxpbTrGE92Rj7GAH+++mwsMa7qW9FRAZSU2KpSEikCeRV5fLVnPicLT9I6rjUtY1ogIHAo/xBvbnqTFwdMYeamN5BVJ4qqYJAMfLN/AaossCd7NwMa9efN4W9gMmkvhpAQE/FxgZ42Zqx/jZzybOZdMQ9REJm65iVsso0X+j/P1/u+4UjuMeyyDUVQeLT3I7SNbcOzK5/lWMFxREXkcN4ROtbvyOxL38OsM6OKKqJLaZdcaamubn215xqmhqdic9pwKk6WH1/OkNQhdK3XFVmRPbVlvfmzw0+3prZrVzZvzNpEaUEFDkmkR6d63HVnV4xGiR9/PMmx9EIO7MkkJiGCzz8Zw7KV6Tzw6M/M/3QcXbskctkVn9OtSz2mv6K9bHz8/6ID8PPTk51TytgxLSgvs7H/YC5339GF3XvPMu/zPWzbcYbd228H4KZbF/LhRzt44bl+vP3OFtZtOMWQQan8suw4AwekkJgQfJFlm1BBhcefWUaTlHB6923K/t05PPrUMiZc1Zo9e3LIyi7l1ls6ccXo5p69TGYdoWFm3ntjBFHRAfToPZvFPx2hQYMQVqw8zs49ORQXW3EqTpo0jmb0ZU0Y12Icu07v5ovdX/LWprd5bfgMuiR25u3NbzNr5Cxax7Ti7a2zqB9SH1EQcSpOVFXh66u+Zuvpbdyy8GZKyitZsOAQx4/ms3XnGUoqbPy07CiDejfmxs7Xc+f393Cq+BThfuFszdrKzCGvYdaZubfbPXy1Zz4GnZFX17/K6hOraBvbBqNkpF5wPd4b9S42p5UFB76j0lGJv8Ffs0fV+P07FSeSICEIAm9ufIubO9+EgMCRwiO0jGrhsa2da0hbE7cvo15/brurO0/dlJfWoBNUBo9syplTxTz53Aquu7YdRqNEYbGFHxdOwM/fQLtOs1ixMp3rrmmDJAq8+c5mvvx6L2Mubc7993dz2d580Rj/JtQa//4qOnBVgQ/1Iy42kG1ZpTRtEoXN7qSy0s7x4zYG9GmIzebE4ZDp2zuZQ4dycTgUrri8OWvWnqRxWgR5+RX07dvlootZ1Okk8gssGPU6LDYn27adQVJhxrTBSJJA9+71OXw8nx8XH2b+gv2MGNyIqye0pqzUTr8+KURE+mO1OmndIpbCokri4wOprLRjd8g4nAqVlQ6sVgciEnd0vt3T7qQFN/D5rs85XHCIz3Z+juxQKLaWcCDrILd8dxuP930Uo87AxLYTcSpOyuzlhPqFoqqqZr+rsOOUFZctz47d4aRhaBKNI5uwNWsbZp2RlLBk6oc0oMxezk3f34TNbictIg1BBX+DVr9CFEQGpg7ELtsxSEbGtxzn6WNNQaOoCjpRR7G1iNsW3kGYOYzr205CRSVAH0Clw4okSlgcFi2rrygh8OsvMC2r8rnXK4qWHdhS6dAmOIBt28+ArDD9lUEEBhopK7MzZnQzDEYdTqdCq+Yx5OSUY7fLXDmuJfO+2MN33x6gKO9RnE7lgs/S+rj40QGeNN4Oh6ZpWV1ZMPz8DCQmBPHJvN08+kgvjEYdCxcdpF69YPR6kQEDUnns8V9Y+MMh6tULoUnjCC2s6qLR1sApK/j56ai02BlzeWeGDW1Ubb3RqOO+u7oBMPOtTTz57AquntAaQQTZKXsyBS9fnc6MoYMYOCCVgQNS+eLzPRw5VsiTT/Sq1abFUcnJ4hP0T+lPy+hWvD3ibYotRRRZizhUcIgWMc2J8ItARaXIUoRO1KETJRwOJ0GBRm6e3BGAm25eyMRrWtO1az3PsbvW68TOrJ2U2Urp37Af/gZ/NmZuZkfWTg7dfQCAVSdX4pC1e4gAZbYyDJIBRVGQVdklkGoLNQGBImsRty+8ndSIVJ7u87Rn/aDUgUxZ/SK3db6FesFV/fmtF9m3Cw/y8y9HeeGpvkRE+KMo4D2KFQQBp6wi6UQcdicDhjTmpsntax1HVTQ3m+JiK2s2ZHDLzR0wGCTemrWZls1jaNYoimefX8W0lwf5NDYfmmBTVbBYHcguDUGnF12ZL+xcOb4lO/fkkJzyCgaTjm49krjzti4AJMQHkZwSxoy3NvD1vHGeB+piwNMXFfzMet58bRjjr/mKu+//EVQYNaIp014exPz5+3nyheUgQmCAkcmT2gEQFGhk7mc7WbUpg+LcCiZObEufPg1xODR3ijPZZeScLcNulzXNR1K4deEt7MjcQ5m9hH6pfbi5482EmkJoG9sGgFJbKctPLmdS++tIC0+jsLLI019Zlal0VuKUVWS7NnmQl1/BqdMltLfLCKL2wx7SaAjz9y6gwl7BU32eQkUlLSKFhqENSJqaQrPYJpTYitGJmqed3WlHUb3qqQra8rrcRkRRZPraGczbNI9OyV1YtP8njDoDzw98jtHNRrMzZyed3u5Cg+AkHIqDGcOm0aNBD1yp6Wpdf4DyMjvvvbmWXt0aMH5cS2RZRvRKMy8IIAqgM0jMmDaEcVd/xcuvrELQiVzSNYkPZ1+KwSDyzDOrmf/DfgryK7jntm60bx/PrPe28Pb7W/jpu2sICTHRuce7WCxO3pw51Dc7+n+OoGpQUmLDZNLhcCquAiwCDodCUJARu10mI6MIRYV69UIwm6rcUy1WJ0XFFuJiAs/dyt9Iebmd6yd/y/PP9Sc1JazaurO55RQXazOSwUFGYmICKSmxcjavAlXR7E3JDcLQ6UU+/Ww3P/18lKef6o2qqqQ0DEf0mvGrrHTglBWCArXsJioqZ0rPYLFbEUWRxOAEDJIBWZU9vlWKqlBmK8Pf4I9RMlJqK8WgM2DWmbHLdspsZYT7VSUOKC62YjLpMJmquwMXWTSBGGoO9SwrtZWSU3aWAIM//gZ/DJIBs95Mma0MnajDrDf/rutXWFmIXbZjcVhwKE4kQSQ6MIYAgz+yInOq5BSyohWYjg2MxU/v79GMHnp4KU2aRnLtNW08RXtWrznJXff+yOefjKFVq1hPIZtzUVBQSUFBJaoAAX4G4uODsFgc5OZWYHPISKJAckPtvhYUVqIoKpER2rC7sMiCzeYk9iJ5Fn3UTV1B8DEXohK8IAiegiDeZUHMZu3NazBIpKZG1OoYgNmkw3yRPUglJVb27MlGkgTi4gIxGXWoqkp0VADRUQHVtg0ONhEcXLsYisXixGzWk5pSd4aSmkVdBAQSghKqLVNRkQSpmoHeW3AFm4I9nw2Sodo6oM4iLSrVBZqbIGMQQcagWssDjVX3xm30z63IpaCiAFGQXEcUUFSZQGMgCcEJtY7hRhIlkkKTqvdH1YTR2bPlZGQWk9ZIOwdJEnnnvU3MeGsT06cMpFWrWJyuGepzoaoq4eF+hIf7VVtuNuup73Ir8iY8zM91Xtr/wkJ/n/D28d/nNyOD3ILTPbSoyzH3YrJnGI0SSUlhPP3UL6Q0iea1VwZRv35oHbadqs/ew2f3DF1cXCCpqWEe7/bfU5zYe3gnINQ5c/hrM4q/Z7ZR8Gqn5rY126+Jomi+ap/tnseHW+cQqA9AVhUkUaTMVk6f5F5MGfQCfnq/ai8v72PVOkcBvvvhEK++sorA8AAaJmnalKqq3H5rZ26/tbNn+9+qUFZXwtGaz5/3MvdywRVB5/2M+vj/5rzmY3PjcMjo/sGwqt/CHa7jnVLb7hrmXEwTH/923LVcRfHiiErxcXHwtw1Fzzf/dA7+qqLMgkvAVl+vuQNU76OhRp/d8aH/RUEnKzKyKmuRA1RpgaIgeiYd/tDx5Kq4Tp2uqgi2FgJ1Hjvuw8fv5Lz+at3B5TPf3MSpU8Xn89B/CJ1OxGCQXE6htdfv2JnFazM3AK4oBbvM1FfW8POSo55txP+w9iaJEgbJgF7SY5D0rr+GPyXUQJtoMhgkDAbJ5z/m46LgvP5y3YPaeZ/vITu7/Hwe+rxy8FAen36+C9D6bLfLvPjK2mqCzYcPH/9eLshQNCLCDz/zBTn0ecHPrPe4CAD4+Rs4tOdO/P0M/2CvfPjwcb4Q3dlJv/7mAEOGzWXEmHkkJj7PpBu/RVFUdu7KYez4Lz07XD7uC75esB+A9RsyaNZmJg0bT6drr/fZv+8soMUHfrfwIPUaTSOl+Wt89/1BQLN9XWj27j1L50veo1mzGQwZ9QkHDuQCkJ1dRree75OY8gqTJy/A4dTOe9WqE7Tp/DadO77NF1/tueD98+HDx4VHdA8fZUVh85bTPHpfDzIyHmPL1tPa0ExVKS7RnFoVRaW42ILDrqXumf3hDsaNbs7OzbexYdVkWrSIBsBic7Jn31kyDt3P+MtbMHvOdqDu6fzzhaqC7FSZfPP33HN7Fz76eAxNUyO4454fcTgUJt/8Hf37NuTU0fuZNWuUy2wO3XvUZ+emW+nTL438/MoL0zkfPnz8rejcxvXKSgdXXdmKjp0SQIVuneqTkVFMXGwgZqMeu13GYJAIdHnaA/TplcSM19eTc7aSQQNT6NGjASHBJox6Hc8+3RdBgIS4IA4fztN2uEB2ZUXVwnLSTxZSVmnlldfWIQOizcHosa3JzCyhstLBpaOa4XQqBAVVOb4qiorDIXu84e12udrMng8fPv59eAxhiqJiNOq07LIC7Nl/lqFD0nA6VcoqbBgMEgX5lRw7WoDR5MrdNaE1V09ozc49OYwYMZcH7u/Bnbd3QRQFKiqqssv+lmPmX0VARVUFJFEEGbauu7lakZXiEislZTZXRXWJ5SuOI7n6ZDJqlyA8zI+Y6EAMBp9/gg8f/3Z07qFhgL+BHxYdpLjCyplTxcQlBNK3b0OKS2w4nDJXXz0PuyJxYH8uistU9sKU1ew/mktksIkOnRKJitIM8rm55ThdmWbLymycza24oCfhHuI2bBjKuLEtad3pbZq3iEZxKIwb05KRIxrT65IG3HzHQtq2iWX3jhxP3OeqVSf47Ms9/LD4MCHBJrbsPMOtkzvQskVMNe97Hz58/HvwDEVlRSU83J/mTaNp0TiKK8e3wt/fgL+/gZkzhrJyxREaN43l9ps70dAVhJyWFoFfoB6nzUn/gWkMG6ylBJr28iDSGmmxpSNHNqFz50RAS899oeSEuz7DE4/1ol79EAqLK1Fllbg4LVbyqcf68M33+6modPDA3d05m6u5o0RG+tO8WRRduibidCjY7LLXcNsn1Hz4+DciyLKiiqLABx/t4ODBXKa9PMiz8mKKAf29uD3pffjwcXHyt4ZUSZJARYXdE46kZT7VDu5dgBjwVG3yLoXmXYVdlhVPoWJ3Sbu/UuTjD6FqySXduLOpaqXbqgrvusOlvIv9urkQRX99+PDx96Fzz/5dM6E1E65sVaeh/1wFiM8VcuS9/O+eXXRnH6lZIlCLG/Xui+Dp3z81A+qrBP/7jw++wsk+fj8eje2/lCf+QleCPxdacZYq7U8SJURBRFVVT21R7+UXayV4p+JEUVUEQCfqPILKO3heEARPbKmvEryPP4t38ZbzXszlv4SiqKxbn8HRw3kEhZoZ0C+F4GDTebcXuofn3hruuYLIBUFAL9Wutbo7ZzfhfuG1ElS6+ScKk8iqXOd5uOuOSlS5w7htJbt257BpYwah4X5c0j2J2NiA83K93cc/drwQu91J0yZR/0q7r4+/H0/NA0VRPPYw91BOkrQMF7Kietw3JElEpxORZRVFqcpppuU4U9Hp/tmhldXq5IEHlxDoL9G2Yz26d63nEmwqDqeC6pXOyC0wHA4FRVEAAUnS1rlztrnPzX3ebmpqhaqqsuDgtxzMPohNtqPT6Rjb8goaRzSi0lHJjHWvU2mvxKQ3cmnzUTSPas4Lq6YwILU/17S+BkVV0It6T31PqO3/59b63ILHXQpPJ+pwKk5kVQFX7QKdqENA8OyjqIqnstS5BLCqahl/Fx74gXUn1xMVEMXkTtcTbAxGFER+ObaMJYeXYtabaRbThHGuilenMotZteo467dm8ewTfbnu2jaua/bHnwOHQ9aGnoKAKGgpsD77fA95ueXMmD4Yp1N75rRnsHppP3ctWb3+4tSEffx9eKpUnatMmqKoWgJGo676MklA8trhYhnKKopKamo4M18fRlhoVYSBINTOuQbaj1n7IVT/MdSVs01VNcEvigJr154kv8DCpaOaaBlCFDuvrH2FaHMMLWJauIakmlI9dfVUym2VmCQTh/IPM2XVFOZdMY9I/0gCjUEYpOrB9+5i0x/P3UWbNrG0dIWq1RRI1YSgqKtT/a5LiNWVqVdWZERBZPGRxfxwZBGR5kh+PvYzWRVneHXwdDZkbuDzPfOI8Y9DEiVeWTuNBqEN6JzYmRHDGjNiWGOee34V7i79mXeboqh15vILDjIhO2X0eqmqQLWqVntmtX19As2Hhg60oiFLlx5j+84sMjKLadsqljWbMrjl+vYMHdKYjZsyuf+hn1CcMmPHtuLuO7uy8IdDrFufwdQpAxBFgQMHcvny633cMKndP14J3mp1kp5eSEDLaCRR9Bi0r5v8LQf3ZhMRF8Qb04aQ1DAMQRB4bsoqFv9wEEw6Jo5vzc03dmDV6pOsWXOCwlILm9cdZ/xVHbjz9s4u4aaycfNpjh0rYNTIxqiqgKKqJIYk8lTvp2ge1axafzZmbuLK1ldyXZtrmb9/Ph/vmAtoWnJ2aTZXfXENeRW53NfzbgamDMLhdGLQ6/jq630YjSItmkchKwozN80k0BjI5PY3APDj4R85UnCUWzrezAurprAufQMO2c6gRoO4v+d9mCQjc3fNxeKw8sP+HyixlnFDx0lMbHsNiqIgiFXpy0VB03oahDRg6sAphJvD2ZC5gau/vIZpg1/hTMkZjhel8+FlHwKw+OiPnvNzygqyUyEvv5LEesH8cbTIEVEUuOeBn9i4Nh2/UD+mvziQNq3jcDplKisc3PfQz2xYc5TJN3Vj0rVtmfPJLpavOsbrrwwlLMzM8y+uwmpx8uzTfS+Kl6yPfw4RtGHV+x9tI/tsGYIKC747QGJsMJu3nGHN2pPc/9AS7r27Gy9OGcj8Bfv56OMdNGsWzbffH+TQ4XwAfvr5KGezy4kI9/Nkr/2nEAStAI1BL7mGmHDXvYtp1zqW6dOHMnJYE265cxGyrLBk6TGOHCng6af7MW3KQPr3TwYgK7uMZ55fSePUCF58cQhvvbOZFSvSPa4uIcEmwsL8EAQBUQSdKFJQUcCwj0aQ8nIa9/54P3bZDsCX475gQ8Z6Gk1vypbMrcy9/GNAK+Dy0faPmNzxerrW78Jzy6cgI6PXaZXYIyP8CQw0akNnSSLEHMIXez6n3K45F8/d9QlhfqEYJANXt57AlIHP89KQqezI2cnnez4HYEPGBj7c8SGP9n6EMS1Hs/TYUrJKszzmhqprpt2vplFNCTeHo6JyNP8ozWKaISBwadNR3NXlTtq92YFL3uvJrJFv0zmxs1ZkWRIxGnV1Dj1V4Leyzzud2gz2M8+uIDLcj+nTh3Lz9R25576fKC21ERxsYu5nu+jYPp7HH+/H1FfWsGNHFr17NiAzs5S3393Chg2nWL48nSGD0lzuPH/hAfLxr8dTpSo0xMyIoU04fDiP1NRw2rSOZdPm0/z001Hato5h9KWaFnLVuHyOHS3guolt6XVJEstXpFO/XgjrN5zi2mvaYDbrXdWILo43piSJ2KxOdu3J5oeF+wmK9Kcsv5KQSH8qK51ERwew/1AuM97YwJefjSM4WIs6UGSFqye04eYbteLFndonsGdvDrv2ZPPaa+uwKCqyU2HeFzsZ0D+NN2YMZcGV31BmLaPAUsidi+7ilbXTeLTXI7y4eirF1hIWXD2fB39+kJkb3+Cp3k9icVq4ufMt9GrYEz+DP6sylpOfX8H9Dyxl9YqjlDpUFi8/gsko8ujd/bj8+sF8u/879p7dR6g5mCJrEQOTByIKInty9vLU0meIDohid85uBqT2BbQqVde3vZ6u9bvStX5XKhzXY5QMWnGaOmaOZVVGEiQ2n97MjHWvM/eKOQDsyNrFy2tf4el+T3Km9Az3Lb6fT6/4lISg+F8tQiPAr45L3bZcVVHZcyCXrRtO8tX3+6kssSILAqoqYLE4uHx0M8aOaQHABx/tZMfObG64vh1fzL2CsVd/xcy3NrJq6fU0bRr5j44WfFwcuCYPVIwGCUHQipoYjTpsNieSJCC6HHHd2KxOZJdf0XXXtmH2B9vZ3DiSkBAT/fun/L3OuL8DQRAoKbNhszqZ+/EVdO9Wv9r61q1i2LHpFrKzy+g/bA4hAUaW/nQtdrtMRFhVObeycjtGk8RNkztyx22defe9rZw4WczUKf1RVc3IbRZCCDGFkBiSSOPIxhwvPE6lo5Jlx5bxyRVzaRbVjPt73M9N393C/d3vw9/gR6g5BFVVsTotSBgICzPz3tsj0elErrv+Oy67tAnDhzVCEECnk7ikQXe2Z21HVp0MShlITGAMRwuOMXXNVFbetIwo/yjGzLsCp6JN9oiCSIAhwOMz56+vXtrOG1nRqsT/fPQnXlz1Mt9d/S0NQrTr9fORn2kW2ZThjYcDMGfnXL7c+yX3dbv3VytrFRVbqay0Ex9XuzQg4Jmsqqi0U1Jk5dUZw7l8dPWhvNOpUL9eiOd7eYUDsyuRaWWlndjIAPJzyikvt52zHz7+v/AItsJCCxaLg7IyGzq9SEWFA4vVydgxzbnzvsW8P3srYWF+LPr5MJMmtgWgSeNInE6ZKa+s5tIRTTGbdThlbWhyseBwykRF+tOjewOmv7aevPwKUKFeYjDt2sVz8mQxu/ZmI4gCk65pwxdf7QXAZNKxe2823/1wkPTjhZzOKmHQgDTPpILNJlNRYUevl7QSfSisPbmeosoiMopPsjN7O8/1ew5/vT8xgTHM2fYx3ep3Y0X6SjondiLAEEBeRT4VtnJtRk92kF+hDev1OhGdXqK01OqZBXRXc++R1J0Z616nyFLM8/2fBaDcXkGFvYIfDy5GFRSWHltKj6QegFZIudxe7vGnOxeyqgm17w8uZNTcUTze93H25+xnT/YeOtfrRFJoA5YdX8b8fd9gd9rRCzo6JXQCzh3GJssK787expPP/sKqJdfTtUu9WrVFRVHA6VQICDDQv18ysz/ahiCoiJJIRLg/PbrXx26XWbniGGmNI9i39yxlFXYGDUzl0OE87rjnRyZNbMeka9sxafK3vPbqEPr1Tfa5hfyfowMwGHQMHZJGWloEZrMOURKJjvLH399A506JvPBsP16dtgZFhTtv78LIYY0BCA01M2FCaxZ8f4AJV7UCtED3fxp3HQO7XfZEQbwydSAPPPIz77y3BVWF/n1TaNcunoMH83j/w+04ZG3b6VO1WFm9XuLwkXxmf7wdxSbz3tsjSUoK9QxzWrWKITauqhixgsLPR39mf9ZBBBGmDphK32RtODht8Mu8tGoas7d8QHJ4Q6YNngZA74a9aRrVBICE4HiuaHmF5rTrGkYNHpRGcrKWcEBwzdp2TuhCt3rbcSpOOiR0AKBNbCvu6XY3X+6eT+v4VjzR53FaxWr3o2eDniQEJ1a7Pk7FiazI7swB7jJVKIJCXnkeV7e+muN56ew+sxeT3khiSAJXt5lAbkUeH2+biygIPNrrUbrX7wZoAkx2Kp6QNdBmKXU6kZFDG/HMs8vIyipz3ZvawlWn02xiDz3QA4es8N77W1ElgU7tEunRvT6dOyeydcspZn+0HQGVTz4cTXi4Hz//cpT27eMZP1Yboo7b3oJNW07Tt0/Df300h4+/xm/WFa3LXiHLCpIkXpRvxfJyOzff+j0zXx9ezd3jj9pd5n6yi0OH85nyfD/Psj+axkhRlfMeXeDdB7dt6/cUWj6f7brRhrdVlcCefW4V9RsEM/FqzY/t56VHeef9rURF+DNj2mD8/Q2/Wnhaln+/75v3s+fthuPj4sc7CL6hKwg+NiaWhhciCN7hUJAkwTWjCQiaQdftCOmuV+DtqCoI1HKS/KcRRYGjxwoZPPgD2nasx+MPXUJ8fLBHi3PLcW9HY+3c3PGIInq9iMWiuYzYbLLLEVlXbULEnQDAe1jlkB2eIaNO1Hn8zBRV8YRbCYKAXtQjCJrzrDu0SlEVZEWuFqHgcCpINfwDBUHAoThAxbOtgLZMUaoEqSiKSIKEU3Fq9T0FyTMx8NGOj5i/ZwH+ej+P8K2wV9Klfifu7n4XBtHgEZbu0ClREM95fvO/2c8H729m14E8pj4/wN1TQoJN9O7VkCvHtiQw0Fj1bJ0DSRKqHHRd91Kvl1z3SMatWur1Wpk/WVaQFRWDXrMPOxzaNj5/Nh8eweZ+GKq99VyfNUfIcwe8X0xFcc1mHe+8NYKTJwvwDzQRHKxpbVqd0Nodrelo7GbkyMb06Z2E0SgBde1X+3rUFTYFmgG/phMuVHeeFQURscYx9efIPKwXa7ejF/V1FlOs1oZrg/bx7Qk0BKEX9R5h65AdxAXFYdaZ0Ym6OrXAc51fyxbRXH99B4JCzLRrGwdoL72uXerRtUs9QHtL/x6Nqi4HXe0e1XY0rvns/dOFun1cPPznYkUFQaBNm1jatImtsfyPHScmOoCY6IA/tI+qqqheIbzew1C3puPu44UeOtaFW6NuEd2CFtEtzrmd+zzc1eHrWo+A5xwapUXQKC2iRluuMDtX5IpvmOjj7+Q/J9hAczEoLbGi04tERfr/qTf5b9lt6lr/awKrLgFR6ahEJ+rq1OYAz9DtfA/xVVVFoXYpRMH9328I3pr9KSmxUlhYicmsJzzMz1M34nyF2Vmt2jDebK5bY/ThoyYewebOVuE2yrpj8URRqBYQrg3pqhI0um1M7kSOkiT+Ye3ofGK1Ohl12WekH82lVYdE3nx1KA0ahHqdn+ac4B2s73QqHtub6ArB0hIDqK7EAKrnvN3UZQQ/WXSSvPI8HIoDURBJi2xEmDkUgC2ZW3HIdvSSntSIVELNodz+wx30btiL8S3Hax78LluWm1qTNi7fNG/bnTuwXVZkj1bonVJIVmVtxlN13z/N9ibVMbx2k1GUwaniUwQYA2kV21JzFUEFl8/ZsfxjBBgDiAmMAeCrr/fz8tQVFJY7eOv1EYy7ovkfmgjwxvtegDa8nPnmJvLzK5jyfH9kWXMXcSdnUGTtGRSEqrq1F7p4kI+Ln2oZdOvyRnLPJnoHhLsfWnfoiluruBiiDZxOhZjoAD6dO4bEhCqnUO8Mv954C2dv6tI2vDWojIxiKi0OmjSOBLSJg6u+nkBeST7RAdEY9UaeHfA0XRO78umuT/l4+ydU2CqwKFb6JPdk+uDpWuC6pKsVqO6+prt25xAbE0C0a0gs1QjKFwXRc8tqphRye5dJggQC1dMN1WE/UxQFQRA4kHeAZ1c8z6nCUxRYCnig531Mbj8ZWdHSGX2z/xuu/nIid3S9g6mDpiAgMPn6dky+vh2PPr4Mi8Xhud5/FLfQqolOJ1b7p/XXlZzBdY/OdR99/H+iA62m6NGjBRw7XkBufgWpyeHs2X+WAX2Tad4smqysMt55fwuyU2ZA/1R6XpLE9u1ZZJ4uYdRIzQ/r7NlyNm85Tbeu9QgP9/tHKzwpikpeXgWxMQEIrodfFAXeemcLJ4/nExrpz523dCYg0IgoCixcdIj1a0+i99PTs1sD+vdL5vCRAk5lFJFbUMGBvdkMHNyES7rXx+6QURWVeZ/v4eixAma9NRxBEJEFJ4nBicy9/GOSQ5Or9Wfmpjd5rv8zDEweyE9Hf+b5lc8BIAkSNqedNza8RYW9gtEtLyU1LJVKix2dJPLwo79w1ZUtuOLy5ggirDy5nEBjEF3rdUFVVQ7mHSSzJJM+Dfvw9b6v2ZdzAFlx0q1BN4Y3GQbA5tObUVWVVcdXY5cdDGk8mPbx7Wq5oqiCZk87VXyKR3o9ROuY1iw5toR7f7yfsS3HEmQIYsvpLczfO58eyd2JDIzw3GNNc1KoqLD/aW1di1gRmfvpLvbuzsIcZOLWyR2IiQl0pcMS+ezLPRzcm8XIUS3o0D6eVWtOkn6ykAnjWmEwSCz55RjFRRauGNP8opih9/HPIQLY7U6eenYF787exsdzd/LQI0tZ8N0Bvv5mP0ePFnDH3T+SlV2G1eLkwceWsnLVCSoq7Nxz/0+cPlMKwI+LjzD3k10oruHsP4377a66nEbfe38b2dllJMQHU1bu4OlnV6KqsH1HFvO/3kdAgIHycjsVlVrg+uYtpxk28lM2bMzEanVw6x0L2bcvF4NewmjUkZwUSsOkMIxGHQaDiCRJnCg6wTVfXMe4eVcyd8cnnr68M2IWC/Z9y/gvJrDx1EZmDntD66OkY/bW2RRbilhzcg0PLH4IUPH3M2A06mjYIJTUhq429Do2ZW7m+VXPYZftCILA6xtfZ2vWVk9OtoTgBOKC4piz82MWH1kMwAfbPuCuxXdjdVrZkbWd51c9T36lFuHgPaEhCZpGNzhtMK1jWmsB/KpKoDEQSZDIr8znxTVTuaz5ZXSv352CigLP0NjtlvFn7WluM8cXX+5l/8FcEuKDkCSRp59dgcXiJDDQwJdf7WX//rMUFlZy020LycgoxulUePq5FXw5fx9ZWWU88thSCgoqAV8Q/P87nsgDAbhmQhuys0s5c6aUfn0asnHzab6avw9RhNnvjALgqWdXsGTpUaZOGUCb1rGsWn2ScVc0Z8WKdEaOaExkhH+tsJl/EkEERVb5+LNdiIpMSrNoTh0rYP+RfJ5+qg+lpTb2HcglPiGI114Z7NnPaJDo0yeZ16cNQacXOTLqU1avPcmWbaeZM2cbZ4ss2KxOli47QvfuDXji0V5MHzSNEwUnyS7P5vUNM9FLOsa3Gs/BvIPkVpylV4PeLD22hHZxbWkX1xaH7KBL/S480fdxdmfv4ZYfbiK/qJypU9ezZeNJjp8pY/Wmk4SHGrnlum5cP+oaNpzawJGCo0SYwzhSeIxHez6KQTLQMqYVL66cSqApkK2nttKr4SUAhJhCGJo2lCd7PwFoWXtNkqnKblYDh+JAL+qxOC08u+J5Hu/zGP56f+bvnU/buDZc0fwKnlj+BCHm4HO6f3ijqr/u6uHW+gQBvvxmH5nHC2jRMYH87DKWrznBlOcHoigqaWkRTHm2PwC9+3/IuvUZXHVlK+Z/No4nnl3Ou7O38szjfRk+opGvHqwPTbA5nQr+/gb8zHpKSqxERwVQWmbD4ZApsjpp7KoRqigqyUlhHDtWgCyrXDOhNb8sO07TxpGoqAzon3rReYBLksjZ3Ar0ksgV41qQnByOJAo0aBCK2ayjR/f6zJl9Gdu2n6FVp7fp2yOJV6cNpqLCTtMmkej0WoxldGQAdpuDQQNSiI8L5MefjpCdU84Nk9oSGeGPQa+je/3udK/fHYBTJZksPvITI5qOYMb6GTzV90mGNxpOiDmIx5c9Sd/kvuglHV3rd8WpyBRaivDT+WM267ni8ub079uQV2ZsoHu3+nTpnEBaw0hi/QNoH9+BrWe2ohNEuiZ2Ji4wnrPlZ7nlh1sY32I8yWHJHC044rHbqYJKk8gmOGQHOlFHq5hWnmtTV7JJvajnSP5hrl9wIzd0mMywtKGcLD7Jy2tfwW53sGj/T2SVZSEisP3MTr4a98WvOq781qyu+3kpL7fjsMmMHtOCtu3jQVWZ+uJAQkKMVFY66dK5KiwsJiqAykoHqqrStEkkJr2OLXsyadc+1nNMn1z7/8aTQddicWCzOZFllYpKrQyfJIl06ZzA81NXcd217YgI9+OL+XvpeUkDJEmgU8dEvvxqLx/M2U5qagTR0f4XZRB8RLiZkFATxcVWBvZPqbbe6VRo1TKGJk0iCfA38PTzK3iVwej0IgUFlZSW2jhxoog1GzO4+aYOJCeHkZwcxqlTJZgMOgb2TwU0U32JrQRFUcgoPsnm0xuZ3GEyZp0ZARGb00aRpRiHrBBmCsVP74fNaae4sgidqHnOl9sqMBp1dOyg1UCY+8keunRMZGC/qj53rdeJRYcXU2wp5rq216KXdKQXneR08RlGNRtJma2Mw/mHtTThgF22U2orRS/pPbOodbmeuIPg9+fu54p5Y5nU/jrGtxxLqbWMKP8oVkxaToWjElVVeGH1FMySmYd7Pew597rkiKqqzHp/G+/O3sLXn40jNTW81mypOwjez09PTHQAefmVnvNVFRVBFLSEnFlllJba2LP3LNt2ZvH8s32x2xUefeIXenSvz8B+qdx480I+eH8U0dHnp+aCj78Ptca/v4onH1tMTACBgUbCwszo9CKBgUYCA41cOqoJp04X06vXewiSwM03d+bBe7XMEbGxAVzSswGz52znm3la/vt/wvG0LrRQLy2WUZIEPp59GZeOnces97eACqMvbcZr04fw9df7eezZZThVBbNJz7NP9AHA38/AN9/tY/32TGylNl6aOpj27eNxOlUtsaROxD/A4An/UZC544c72ZaxAwd27uh6Gze2vxGAJ/s8xuNLnuZh+2MkBsfz+ojXEAWREHMIoS53ELPOTEJwAqqqYnfI6HQioaHmKpcTQBIFBqUN4oeDizFKJi5xDTfbxrWmf0pf2r3Wgfb12tMuoS0RfpqWHekXSbBRy2rr9lFTVKWafc3tyoEI8/d+Q3FlCV/s/IoPtszBrDfz6rBX6JnU07N9WkQafno/6rmC6xVFRa1Rn9WtiTVJi2DP1tNs3nKa1NRwFEWpFenhznD81sxhjJ84n8QGL4Ek0ueShnz80Wji44N48831/LzyGFark/feGElycjgz39rE4WMFvDRlIH5+en5edoSnnlnhmtC5OJ5DH/8MvxkE/2+jvNzOTbd8z6vThxAd5f+nj/PJp7vZsTOLGdMH//bG/wfUFXCvCcQqf76nnllBw4ahTLy6DbKskH6iiAXfHWTJkiN8/OFoEhKCLjpThY+/n7qC4GMuVBB8VTrv2m9dVVVxZdhGFKvbTFRVRVHx+BP90wgCZGQU89JLq2jbPoEhg9IIc2k+QLXK9TXPTUNzMq6osJOTU+6pxuV2VvZsVUfkgaIqHoO8SFVSAG9Pf2/Pfu+CySpqrWGi+57UvMceZ9saIVveQsdbO/P+LAoi60+tZ/vpHRhEIyoKgiBid9poGN6Q/qn9NPucZ3ypJRv1Pm71fsO2HVmsX3uCxUuOcNMNWiolURTZvOU0q9efZPrLg0lMDP5dTrvuSmm/do+09Oy174GvsLIPN9UKJmt4hwi5/wrnDHTXMkdcqO79cUwmHVdf3ZqtmzM4eDiP/n0aetbV9cDXPDf3j6pjhwRiYgJcjsgiNa1IdQmcc6UoEgShTk9/7+3rqgh/rh9oXe2cq+1qvmouoZtVmsXOrF2YdWaPsLM4LOCOOBEkTUie461Zrd+C5sO4Y8cZenSv7zHyq6rKhCtbMeHKVq7vvy+z8u+5R97LvbvoE2j/Ui5AxeT/3FD034S7qvrFWhH+r6Klu9JSWvmEjg83tYaijz5GTGwsDZMvwFDUR3VqxsJeCNxOsX83siJrMaQ1EAURSZTO2wTQxZbSysf/D55frduR0m23cP+ta533Mm/c370Xe2+nfa59rHO18Wew22Wuue4bUlJeYcioTzh5sgigWhB87X7XblsQBVcw/F/v07l4evnTLDq8yGWnrLLPnQt3KqG6vrttdDXPz5OAyL0OLWjeIBlq/XNXj/+jvDd7G8nJL9O87Zss/eU4QLU04b+X2s+EWucz81vLffjwCDa3I6XbbuH+6x3kXrWs7nQ67u/ei7230z5XPxbU3cafxW6XKSioZNY7l/Hx7MuIi9cC4QXR+/jekwB1ty1QfXv3tfBux2pzer47FSeXfT6ahi+l0nh6U1rNbMPKE6sA2Ji5kQ5vdiLl5UY0frUpMzfOBOB4UTpFliIEQRuO1hQqFovDk7FC61P1dELe3z2TEjXOr1oqot9IR+RUnJTZypi2bhpxLyby5sa3AG3IrKoqy9OX0+ntLjSa1oymr7ZgZfpKAMaPa8natTfTvk0cmadLtHb/xD2seZ2rnsW6n81zLQdY9ONh4pJeJiFxKnffvxirVbtXPsvL/weeyIOKCjvFxVYqLQ7CQs3k5leQmBBMSLAJh0Nm5+5sFFkluWEYkZH+5OVVYLM5SUjQfKRsNidncyuIjgqgoLCSsFAzJpNOO2alnbi4IM6eLUenE8nILEFVVJo0jsTPT48gQHZOGSfSCxF1IjFRgTRoEPKnTyrAz0BiYjCREf4e/UYUBPbuP0tJkQWzn4F2beK0ZIkCnMosITOzGEkvER8bSGJCMKWlNqxWJ6VlNvLzyklJiSAiws+VfhrenrWF9BNFTH9lIIIg4EQrkPLBmPfp3bAXoIUnATy85BGmDHmB/g37seDAAqatncadXe4k0BCITtSzN2cvTkWmUWQqfnp/rFat9OHESd8yZnRTRo1sgiAI5FRmYdKZiPCLQEWl3FZGia2UuMA4jhUcI7+iAFVVqReaSKLLxyy/Mh9REDlZeBIVaBiWRKg5tFaGD3f2jre3zMKsMzOi2TAqnBWahidIrEhfyW0/3M77o96je/3unu1VFQIDDAQGGIgM9//TpRcVWeXQkTxiYwIJDdXKHh45mo+/n4HgYBO5ueU4nArBQSbyCiqonxgCQGmpjZJSKxHhfuQVVBIXE0BxsY2771/MN/PG0aVLPS67Yh4vT1/Lk4/1PqczsY//FjrQEgU+/OgvHD6WT3Z2GXHRgZw8U8wtN3Tg5hs78uLLa1i0+BAmg0hoeADvzxrJ9m1ZPPnscjauvZHgYBOLfzrK+7O38eHsS7l64te88Fw/OndK5KOPd7D4p8P88vN1PPjwUvbtzyEo3ETGiWIG9E1h1psjyMuv4KlnVnDiaD55FTYuH96Mxx/t+Vt9PyeKqmK3awJIdsWtbtyQyRvvbKKi2IKil7h0aGMmTWrH6dOlPPzoUvJzSjlbZuPa8a25566ufL/wME889Qut2sRw+kQegWFBfPXpWKKiNd+4yAg/iootniSWsiJQYClg4YEfyC3LpUVsC08FqqtbT+CHgz9QVF7E8eJ0rm9/PaBpGN8f/J75u79mT84ehjQdzMyhr2MyaabP4EAjsTEBnjZeWTud3IqzfDbmU0RBZOqal6h0WpjS/wXm7Z7HobNHsTttiDqRx/s8RuuYVjyz4hmOF6bjdMgcyT9Kt6QuvDfqXcw6M6qoetKFu1MiPdTjQQBuWXirR9tTVIVlx35hSOpgetTvgazKtVItATjl2skrf/NeuVxabHYnTz63guysMtavvIENGzO5dvICHrq3B5u3nebAwVyys8uolxDCyTMl3Dq5PQUFFtZvPEVefgURoX5k5ZczZlQzmqRF0Kp5DF261GPBggPs2nMWvV6ivMxOQKDBF5Xwf4AOwM9Pz+msEq4Y3Zzychv79udyx22d2LMvl3mf72HT5kz277oTgMk3f8/sD7fzwrP9ePvdLazbcIrBg1L5ZdlxBg5IJiYmAJ1O9PwY9XqJIFfdAbNZR/36ISyYfyW5uRX07PcBmZnFnD5TytFjBUyc2JZrr24D/PGKUOdG09keefIXmjUKZ9DgNPbtyuahJ5YyblxLdu7KIvtsGXfc1oXLRjX17GUy6wgIMPDuGyOIiQ2ke6/3WfTTYZIbhrJ6zQm27cymqNiC9AI0Soti5MhGjG46mp2Zu5i97QPK7WW8Pvx1OiZ0oHNiZ345voxPdn6Cn8mPF/o97+ma1Wnlu6u/Zcvprdy68BZKKipZ+P0RThwvYPvuLCpmO1ix9gT9Lknjxk6TuGvhPWSWZBLuF8aWM1uZMfhVzDozD/R4gG/2LsCgMzJt3TRWpq+gdUwrDJKBuMA4Zl/6PpWOShYc+JZKRyX+Bn/cKb69scv2qjhT17WzOCwcLTxK86jmyIqsLf+dt+a3iv24/dTMZj1fzxvHVdfM596HfyYzo4QP37uM7t3q8cGc7dx+W2d27c6mvNzOjTd04MDBXAoKLXTrWp/GjSL4+pv9PHhfD9ZtPMXx9CIS4gOZ+8lOPpu3h/FjWnDyRBEFhZUEBBo4dxCYj/8KImgVqiJC/YiPC6KszE7zZtHYHTKVlXaOHStgYL9kbDYnZeU2BvRNwaiXcDgUxoxuxpq1JzmRXkReXjl9+jR0vQ0FV0ZdhZAQE4rrTW6zylwzoQ0VldoQrXFKJEeO5NOubTyXXtqU5cvTGXfNfN7/YNt5C4nR6SQKCiwYDBLFpTZWrzlBSamVl6YMRBQFunerz8ABqXzz7X7GT5zP51/sAaC81MaA/qlERQdgtTpp0zKOwsJKKioc5OaWU15hx2JxkptbQXGxBVEVuafr3cwdO4dfrl9Cs5jmzNo8C6vTyi0Lb6V9fDt+mLiQ1PAUrltwPRanBQWZ6ztcj1NxUm6vINQvFEVWKSmxkptbjtXudH2uoKLCTnJYQxpFNmHrmW2sPrmapNAkkkKTKLdXcNP3N/P1vm/YdnobsuzE36BplqIgMjhtMHbZjllnZkKrq4j015Jj1nWNVVScitNTNcshO9BLevx0/lgcViRRwiE7sMv2amFZ50KSRAwG6VfvpyAIOJ3a8/LQ/ZcwY/p6nHaZ7t3qkXGqhPi4YKIjA6god9CiWZQWyywrBPkbSKofSkmpTUvUIGixwXHxQfy07Bg/LznGGzOH0ad3Q+wOmcBAo7vFP/gU+fi3IYKrjJ6iegLfbTYnIODnZ6BRowiWLDuO0agjMMDID4sPYbE50etFBg1MJfNUCYsWHSYxMYQWzWO0YO5yuyvFtsiHc3aic2lvCtob2t9PT0ZGMQeP5tGiRQxGo8Sdt3bmkzmjGTIwjWeeX0Fubvl5OUGnrGA266iosDPhqjZ8MGsU784axaSJbTGZdISGmnn4/h589vEYOraL59Enl3mujCwrnlxjK9acoFnTKIYMTuPNmSO48dr2jBjcmDdfH85NkztgMFb5NdicVk4Wn6BBWANEQaTEWsqQNC00q19yP4otxUiChEEyUlhZoGXSFSUcDpngICO339KZN98YSY9O9Xn8wUt4c8Yw+g9IwiT607VeJ3Zl72LJ0V8YkNwPf4M/+87uY9uZ7Syc+B3Thr6Mn9EPh+ya2BCgzFaGQTKgqprQ+rXZV6NkxCAZCDAGEOYXil7SY5AMDEjtz+KjizlTegaz3oxBMvwu/7uFiw5z+z2LXHnSqBHlgWuZik6npV6fNmMds94aSWWlk5WrTpAQH4Td7vRk17XZZE/2ZkXVSu7pJBGby/Sgl0TatI6lqMjKa9OHkJYaztvvbKZhw1BCQkyeiS8f/210oM1CVVbacTgVrFYHOr2E3e6kvNzOleNbsmNPNqlp0zCa9XTsVI87bu0MQEJCMEkNQ5n2xnq++nSsx3Zx6agmDL/8U+Ljg7GVO4iK9APA31/Hbbd+x6PPBGCpdPDcE32Jjg5g+fLj3P/IEhyqQrCfgWsmtPF6u/453O4AqNpQe+arQ7nquvncdZ8CKowc0ZRXpg7k66/38/SLK0HUjODXX6sNhYMCjXzy2U7Wbsmg6GwF469sTd8+ydgdCqgqp8+UkJ1Tht0ua9qIpHD7D7exM3MPJfYSeiV3587Od2CQDFzTZgKXfnI5/jp/RFHkyb5PYJAMFFoKPV7WsiJT4SjHKSvIdoeWbimvgoxTJbRrJyO4Au+HNBrM/D0LKLeX80Svx1FRSQ5PpkFIPZJfSqNJTGPyK/M8PnJWh9WTEFIQBHRC9WGmG/dkwPvbZ/PmurfIrchDQuLzHV/yzICnubz55ezI3kGHtzrRMCQZh2Jn2tCX6dGgh3akGrLSPflYWGThrddW061TPcaPa4ksy9XSzLttbJZKJ+Ov/YrQEDM339SB0DAz10z6hmef6osoCNhsTiorHdjtMna7jMXiwGLRviNotS6cskJxiY02rWN5+YWB9Br0IarNSaPm0dx5exfPsNfHfx9B1aCw0ILZT4/D9UPV6UTsdpmQEBNWm5P044UoqkpSUhj+flUJBisrHRQUVpLomh0FbZY1/UQhqqqVsbPbZSIj/bnxlu9JbRjG4KGNMJv1JCeFoqpQVmbjTFYpsitLRFpaBEbDn/PsLC+3c/3kb3nu2X6kpYZXs6acySqlqMgCQEiImYT4IIqKLGTllKEqmlROSwnHYJD49LM9/Lj4EE883gtVhcaNIj1FXtxaqdOpDbVBExSnik9RYa9EFESSQhtg1GnCWVZlThZlYHVYCTQGUC9Eq7VZaCnEpDO5UhjZKLGVaMNEV2B5QaEFP7OuVnWm/AotA26Ef1XJu2JrMWdKsgg0BhJg9McoGfE3+FNsLUYvGvA3+P2u65dfmc/ZsrP4GwK0oajiID4ojkBjIE7FSXrhCRRFRgUSgxPwNwR4NKAHH15K06aRXHtNG4+bypp1Gdx6+0I+//QK2rSOPWe8qKKoZGQWExMdiNk1eZJxqpgAfwOiKGAy6bHanOhc2ppW9KWqcIvDqWAySlitTkJDzagqHDyUi6Ko1EsMISjor70ofZw//rbIA0EQCA93PfhePyI/Pz2qCiajjqZNo2p1zL2Nn18w3uh0Immp1etMApSXO0isF0Jzr2MJAgQFGQkKivxLJ+JNaamNQ4fyMJl0REf7YzToUFWV+Lgg4uOCqm0bGmr2uBd4Y7E4CAww0rRJVLXl7usdEFC9ZJ6AQP2Q+tWWuV0qJEEiOawhNQkzh3k+G3VGonRR7oMBEB5Wu18qajWB5ibEFEKIKaTO5TX7U1BZQJGlqFYQvb/Bn9jAWE/Ko5rt6kQdaRGp1ZerUFRsIT+vgtNnSmjUKBzQbGtvztrEjDc38srzA2nTOvZXMyuLokBS/VDPMQUB6terfj5m828HyrhfAoJAtXvnmwn9/8LzpNR1472XucvW1eWYe6593bjtI40bRRAcbPIME0Wx7u3/ygNoNEokJgbz8EOLSWkazRvTh1C/fiiKUr0973ZqeruLokBsTAANXBqlu1LXr10fqD68q+lMW3Ode1nNbap9r+O6ulMHeR/Hc3wv9bSuNhRFQRIlPt41lw82f0iAIRBFlREFiXJ7GX2SezN18Iv46f2qFXvxPpda5yjAN98eYNpLqwgI8+eGSe091/GOWzt7zBbw22Xxqpylq3+v+Vfrh/a/c23rXua+KD6h9v+FLwj+H8SpOBEF8V8TBO90upJ3CsI53Te8cYc5/d5oEqdTOW9Fln1cvPznguDdP4p/w4PrLpRcVy3Sc+GQHdU0GncBZFVVcSgOjzbhXl6Xk+vfgazKKHVMTwqCgCRKOGXN3cMd6uXup3ddz2rHc5XfA6rlratLu/81LpYCQD7+/fytv6w/IiT+LE6nwptvb2LThpPE1Q/jgbu7ERsb6BlO/l60bc+9vTshorch/FxVmwRBwCAZai3/cu+XJIcl0z6+fZ1FjC/Ui0ASpFrpub2peR4qKooM77y/lZXLDlOvYQQP3NOd2NhATfiLQq1izn8E9735/Is9JCeH0bFDgs8m5uMvUSO7h3fmhF/P7qEtr50l45/GZnOyYMEBUtMi6dGtPmY/tzFZqHYe3vza+Z0ra4Toyv7hRlZlnlj+JIM+GEK/2QMYMmcYGzM3AXC65DQj515G73f7Mvijofx4+EcAvtm/gD1n91Rl36jhM1Era+/vze5RxzZ1rat+DbTlTsXJgz89RNe3e9Dv/QFMX/+qx67XskU0AwaksWzZcU5mFLv2/HPSxzsTiTsTyPcLD7FrV/Y5n7/q+/6pZn1chKgX4J9HY6t6Owo1/rrX1X6Aa2f3+NPndt5QVc2/7pZbuxAXE+BZXvv8qLHu187PS4C5nHa/+HIvp8+Ucv+93VBVAYfiYG3GWgYkD6Rvch8UVSElXKsI/9CShxnVfARNIpqwJmM1MzfOZGijoUT6R2ruEjWy52qO0gKPPLqM/v2T6dM7CerIsFsz00ddMsazzW/cG1mV0Qk6Zqx/DUGEaUNfpsxWykNLH2Zo2hAaRzamR7f69OhWn42bzvzle+19Lnq99jk01ExQkKnWELbm/fEVavHxW4gABQWVTHlxNaMun0frDm8x8bpvSGn+Gu9/sBVVhbmf7CIh6WXqNXiJybd8h83mZN7nexg8dC52u+bhvnZtBhMmfs0JV/4z74pFfzcOh8zZnDJkWcXp1PqRn1fJsEs/pWmTV+nc8z3Wrj0JgMXiZPIt39MobTqJadOY+vJaAL5ZcJDhIz/l0rHzqFfvBSbf8j12u4wkaUbz4iIr2VllrqGi1q6f3o9GkWm0j29Hl3qdifTTXFgCjYGcLs2kQ0J7gkzBpEakAZqLxc4zO+n7/gAavpzCm5vfBDRbkyAInDhZhNVidxnfVe7/+QEeXPKQ5zxnbZ7FA0sexOKwcOeiu2j/RidazGjNDQtu5GzFWQCeW/Ucd/54F+3e6EDsCwk8uvQxT7hUXdpbkCmI06WnaRLdmOjAKJJCG1AvpB5a3QEVq9XhCYn7o7i1rMzMEvoM/IimTV6l54AP2bLltGu9yo4dZ+ja+z3i6k/l9Tc1jfe2uxbRf+gcKivsAHTt+R4vvbJOu4b/4HPm4+JFBM33Z8XqEzRtHEn/vinknC3n9hs7kZlZxtff7OONtzexbeOtHD/6AFnZ5cyYuZHhwxqTk1vO9h3ZACxZeoyGDUJpUD/0D9uzLgRa9lYB1RXPOPnW7+l7SRIffzqWSVe35QaXoFqy9ChFhRbmfjqWzCP38/CDWmlBWVFYtz6D++7oyvHjD7NpcyYLfzhEdk4ZO3dmkZlVQkGRhZ27sjieXoSIRKRfJE8vfYakl1IY+cml5JRrwmXqwBc5XpBO2qtN2JW9ixf7TwFAL+pZnr6cb6/5mleGvMRH2+Zgddg5fCSPnTuzqKi0c+R4ITt3ZXH2bCUD0waw7fRW8ivykVWZH48uZlDqQMx6My8OmMI7l77Nx1d8yOnSM3y19ysAcstzOZx/mM23beSHa79DQSGnLAdJlKoN7yRRQlZkrm07kbZxbej6dg/u/vE+Zo2chZ9e83HUht9indqa9hL59dhRtxCaNPk7rryiBR9/Opah/VO5+faFABhMOn5eeoyfvruGb+dP4O13N3P8eCGvvTIYvSTy1ntbeO6FVXTtXJ8H7uvm6ZMPHzXRgTa8iorwp0P7BHbuyuKSHg2IjQngzJkSNm8+zZCBqVoxZKfClVe05OjRfMxmHUMGpbFi5QlSksPYf+As99zVFUFwP8AXxwOn00mUldopK7Px4ZxtzPlyF4rVSZeuiTgcMq1bxfLhJzu498GfuPXmTnRqH09KSjiVFQ4mXNWabt00p9vuneuTkVFMXn4F77y7ieJKBw67zK7dZ+jdK5mpzw/g49FzAM2uddlnlzNl1RReHTKd6xdcT2RAFMfvP8yE+Vdz0/c38/Hlc7A6rTzU8yGCjEFE+kcT6hdEWZmN197YxIa16WQXWTlwNI85n+3g7psuYfQ17YgOjGVH9k6CjAEYJANtYtrgVGSmr5vOx9s+pUFoAw7mHWB081EAmHQmrmtzHTpRR/v49rSPb++5Nt5uJu6QqtfWv843+79l820b+WLv5wz+eChLrv2JCL9IasVNeaHZG899z7UZZoHc3HJKy6288fZG0IuolU56uAruWCudPPRAD/z9DaSlRtCoYQSHDueRlBTKu2+OpHOv9zAbdBw7dI8rI/LFYf7wcfHhsbFJkoCiaO4NqmvGz2zW42fWs21Hlst3SWLvvhxkVy2A8eNa8tLLa1m9+iQxMYH06NHA8wBfLKiqilNWKCmxMvdjLazHG39/Awu/vgqAa67/hhenrmbfrjtQFAWjsSorxb4DuXTrnsiEK1tzy00d+fzzPRw7XsgTj/eq1aaAgFFn0LJNKA6OFaQzY+irgMBd3e5iwpdX45AdBBoDsDq0EC9RFECRCAszM+uN4QDccusPTLiqFd261fMc+5IG3dmVswurw8KwtCGE+YWxK3s38/d/zfEHjwAw6tNLscvasE0SJU/Cy7rK9oErqsAVQ7rp1GYmtbuOIGMgN7a/kVfXzmDL6S0MazSszmwebsGydn0GVpuTfr0beiZqajs0a2X0KisdLFl0LXFxgdXWS5IWAaPTiVgtDtJPFZHUIBRRFPhl+XGGD2zE8eOFbN58mk6dEnwTCD7OiSsIXiUvr4KKCgeFRRb0epGyMhtFRVaum9iWletOMv7KLwgMMnImp5xHHtAqkCfVD8E/QM9jzyxjyjP9AG1IcjH5I8mySmioiVtv7sR1kxfQulUMqNC1Sz1uvKEDa9dm8PG8XUg6gaBAI+3axgFayNSPPx3G4nByJqOYiCg/hgxqhMOhoKoqJzKKOXGyyJPQUtTBm5veJD3/BNnlWZTYi3ii9+OYdWY6J3bkuvk30CgijeOF6VzV+ir89H6cLjlDE1cySqvTSnZ5NrKsYLPZ0ekkTpwsIv1kER06xIOgotdL9Evuy70/PkCJtYTZo99DRSXAGIBBNDB23ngiAsJZdWIVfZK1ivaFlkIq7BUAtSYp3AgIKCiIiPRL6cvszR+yPXMXBZX5dErsRNfErrhrnspULwKjqprG/+GcHcz7Yje7Nt9Kk6ZRnlqsnjYE7cUZExPADde1Y+jIubRqEwuySt8+yVx9VWtKSq08/fQyFiw6yKGDuQwZnErTplG89c5mPpyzg+++vpKdO7K5bOznvPX6MEaNbHIe8/b5+C+hA00ze/SRntSvF0LLFlEIokBgoJE2beJISgrl7ZnDWPDNPmRF5e67u9O0sWYU9w8wcO/dXelxSQNGDG+MIPw9vmq/By3BoeIJXL9uYhuCgg0cPVoAQJwrZjQoyEijtHCcLp+xiVe2BrRU1cHBJpIahJKUGMw1E9oSFmb2aCKXXdqU8nIbBlewvqIqxAXFaunTwxsyoulwkkKTAJgy4AUW7P+eYksx3Rt0Z3SL0QDc1fUuYgNjAGgR3ZxXh0zXUhiZNN+1xx7tSf36IRgMkidaKjU8jfu634uiKqSFa5MQKWHJvDn8DdaeWE9SWAPGtLichKAEAG5qfxMhZi0G0y0AFFXxFD12o6CgApPaXUuUXxTHCo7TLKoJY1qOIcwvzOOw7A4+9+ynaOFymlkiHZ3+3Pdfy64Bd93RhYhIPzLPlIKiEheraW5339WVTRtOUulU6NA2jsnXtkdRVBITg3ljxlASE4JJTAjGYncS5omj9Qk1H7X5zZCquiYCNIEhXpQ2jvJyO5NuWMDUFwfRMCnEs/yPTmh8NGcn+w/kMu3lgZ5lf1Q78I63PF8oqoooVI8Drcu593zifkTc537lhPnccVtnunRJxGGXee7FVXw+fx8vPNWXK8Y0R1EUV5Hpc5zDn5xccqc4utieOR9/jJohVQ9fyJAqt5d7TURRG0K4nSglSfBoZe6JArdt7mJ44HQ6kfwCCz26v02L9gnMem0YSUlhqCrVtA1R1LRLRVGRvVwGBNcxRFGgtNSKw6mguIbX3rbDuiIPvF0ovGNA3RqSW+ty1+70LpisqiqyqqDz8uB3+8x53xdREDz51dze/gLaMgUFAdFTYUsUxGptOBUnOlHHy+te4b1N7xOoD0RWFSRRpMxWRr/Ufkwb8jImnckjlAW0qAKHQ+Gxp37hq3nbkSU9Dz2gzR5LOpHrr2vHleNaaVlsAeE3hLkn7RCAWuXsLMvas+R2yXM/U7JXuBb4Ykp9/Db/ySD4igo7lZV2REkkJNj0p4bHTqeCoqieoeaFwD0c/LttRJWOSiodFkQEj7BVUDG6MueeS/srLbVhsTgwmbVsyn9WsJxL83L7ygG1BLqP/w5/q8b2X8Lf34C/f+3YzD/Cn5kAcSrOWr5hbm3MqThrLf+nsnr46f08vmk1UVUVh+rweHboRJ3nIdPy5tVO2OhOD/R7H8ZzCURBEC6qGXUf/17+c4JNUVQ2bc7k2NF8AkPM9O2VRFCQ6bzbA92V5b0F4LmydQiCUGeA/L6z+wjzCyMuMK7O/f6JIZcgCOiF2n1VFJX1G09x9HAu0XHB9OzewJNs81whaTVx34OtW8+QlhZOsKt6mdvmduJEEes2ncLPpKNThwRPzVofPv4onpoHsqJ4/NcEQUBRVXQue5rmVe6y60ha6hrNHqJ4yuy57XA63T87hLBandx972L8jCJtOybSqX28S7CpHlcNd+pzt8BwOBRPGh/3+Wnno3jOzb3cTU2HVFVVWXj4Bw7lHMIm29FJOi5vMZq08FQsDgtvbHiLSnslJoOJEU2H0TSyKc+ufI4Bqf25pvU1KKqCXtRXy5JRU2t0a31uAeq26elEHQ7F4TkHURDRSToEBM8+iqq4MnFIdQpgt03taMFRvtv/PRW2CkLMIVzfYRKBRi07yp69Z1m25CCbd5zlf+ydd3wU1dfGvzPb03uDJHRC7733DhbsiiJFEQsWLIiooPRib9ixoKIgXQHpvfeQQAKhhPS+2TYz7x+zu9kUUBSV198+fPIhuTNz594pZ+499zzPWfbD3bRtW/2aFlTU6yjw2BOrmDunH21aVwNBQBRAFDVcvFTIr+tOs2zpcV6f2ofHH+twQy5QeXHjwykNDlqNCFW4k1wPo0ajraKs7IAbxZkrywr16obx1luDCXHmIwC1j1X5yxRFzXnpIXQCuPqjqbSv4nR2b9+eRk6umaFDElAUsMk2ZmyeQaghjEaRjdBpdG6jMmvrbHJL8tCLehJzTnIs8zBf3fY14b7h+BsCKkkauUYwX39zhGZNI2ncOBKoPCL0NII6UVexC1UeA5WVesudW5Ex280U24rZmraNi8UXmdlvBhqtyPiH2zL+4baMHrMM2T3lvvZ7HhHhS0CAEYOhfNs6d4qnc6d4xhkN7qTRXnjxZ+DOBL9+fQr7D13i/Pl8mjeLZuuuNB4a2YoB/euxZ88FJr6wFtkhcfsdzXjskfasXHmKnbvOM21qL0RR4OTJLJb8dJyR97egevXAf5UvarGoyWf8mkaiEdXVTEEQGP3wMk4evUxYTABvzRlAfI1gBEFg+qwtrF5xAsGkY8QdzRgzujVbtpxj2/Zz5BSY2bM9hTvvac34h9u6Hdzbd5wj+XQugwfVB1SDEBcUx6s9X6FBeINy7dl6div3txrBiGYj+PH4j3yy/1P1GFnmclEG938/kqySbJ7s+jh9avfB5nCg12r55tsjiGJTGjaMQFYk3t3zHv4Gfx5sORKAtUlrScpJYmybsczYPJPtqTuxO2z0T+jPU12exKDR8/Xhr7E4LCw/vpIiSxEPth3Jvc3vQZZlBLFM8tvl76sfVp+Xe00BYHXSKqZtmq4G8DoT7VgsdgoKLX/p/gjAkSPpPPr0SkKDfXj1xR40bRqFxepAFARy88xecrsXfwkiqCOQDz/eQ1paPlarxPc/HCM8xIedu86zbfs5nnpuLePGtuOlyT359vujfLHoEPUTwvluyVFOJakBr2vWJnP+fAEhIT7uVa9/C67RmV6ncU/PnnpmLc2aRDFjRj8G9qvPI0+sRJIU1q07Q+LJLCZN6sGrk3vSrZsaVHvhUiGTX15PrbggXnqpN2+9s5ONm1LdI9OQEB/Cw3zcf2tFDZklmQz8dAj15jTg2TXPualM39/5HVtTt9JgQWN2X9jDouFfAqDT6Pl03yfc1/JeWlZrztQNryEhYdRrEUWBiAhfgoKMav0aLb46X74+9BXFNjXn6ucHv8Df4I9Oo+POJnfwau+Xea3fNPZd2sfiI98CsOXsFj7cu5CnOk9gUIMBrEpaRXphOq6k1p6QZAlZkXn5t1eoM6ce0zfN5Jvbv1bDPpzTd4NBW+UHy6Xnd3WoO5gtdj77/AAvPd+datEBvPjyeiwWB3qdBr1ec0OM/L34/w13lqqgQCM3DW3AqaRs6tcLo1WLGHbtPs/q1Uk0axLJnXc0ASA5OZekU1ncf19zunWtyW8bU4iPC2Tb9nOMuK85Pj46ZzaiG+Ph1GhErBaJfQcv8vPPxwiK8KMgqxi/YB/MZjthYT4cPZlB9odmflx8pzvLkSwp3HdPc8Y7k5G0aXWEw4fTOXQonQVvbsUiqRzUrxYfpG+ferw9fxA/3rmEQkshOaU5PLnqKeZuncfz3Z5jzra55FnyWXznV0xa9yLv7Xmfyd1fxOIoZWy7sfSu04tAYxBbz28mO7uEic+uY9OGZIrsMqvWJ2E0iEya0Jvhowbx88mfOZZ5nGBjIDmlOQyoOwCNoOFUdhJTfnmZCL8IDqYfpE/dXgAEGAIY1fJButXqRrda3SiyFmHSmdRwiwrTSFEUQYFxbR/m7iZ3cTTjKA8vHcfiu78hWB981UTLf+w7pu6k1YhMeLITfXrWJirMlycnruXChXzq1AlzxweWhX54A3K9uHa4uaIGg7qsb7NJGI1aLFa7OlWp8FC54rtUmlJLPv3sAA0TwgkMNNKvb91KQav/NgRBoKDIgt0q8dmnw+napUa57S1aRHNw9yOkpRXQpfcnhAf5sGbVCGw2B+FhZSERpWYHeoOGsaPb8PBDbVj48T5Sz+UzfVpvBEHAYNBiEkIJ9QmlJjVpGNmIpJwkzHYzvyT9whe3fU7TyKY83flpxv08nic7TsBX70OYTxiKolDqMKNFT3CwSoIXRYHRY3/mpmEJDB5UH41GRK/X0CW+M/sv7UeWJfrX6UeUfxSnc8/w+ubXWTN6JZG+Udy5+O5ySZIDDAHumDl/Q3nieblr5YyMjfKLIsovipqhNZny28tcKrhEcETw1cQ91EzvAoSG/H7+Uq1WQ716ajBvqcXhdFuoU2FRFPDx0REQYPSO3Lz403Abtty8UkpL7RQV29BpRcxmO1arxPBbG/LEM2v44osDhIT6sHx1Ivff28KZtzEcu8PBjDlbGDIoAZNJi0OS1YWIGwR2h0REuC8dOsTy9ru7KCq2AlC9WiDNmkaRllbA8ZOZIMBDD7Zm0TeHADAYtRw7kcGqtUmknsnl7Pl8+vet605o4nDIWEodZSM8RWFn2i7yS/M5l3+W/Zf2MrXXVHx1vkT4RfDNoW9Jiz/PhjMbaF2tFX56P7JKsim2qmKVdslOtjkbQQCDQYtWK1JUrCp0mEw6t7JG55qdeGv7O+RZ8pna6xUACq1FFFmL2XRmC7Iisf7MOrrWVJkBRdYiimxF7ni6K8G1unk69zQnMxPRClqOZh6hW41uNIxoeMXVT0FQP3ZPPbeWTVtS2b5hNNVjr+5jzck188NPx2hQP5yvvztCQoNwatUK4dSpbJJTcjh0NB0EmfAIX1q1qEZoqMm7OurFNUELoNNp6Ne3LnWcWdA1WoHICD8MRh0dO8Qx7ZVezJ29GVlRePSxjtwyrCEAISEm7r6rGUuWHee+e5oCuHmM/yYUBWw2ya14CzB/zgAmTFzNvAXbAejbuw7NmkZx9GgGb76/E4dTjWLezP4A6HUajh3P4K33dyFbHXz47lBq1Qpxv7CNG0USHuHnPp+MpE4TL51AEGF6n+n0rdMXgLkDZjN942wOXniH2qG1mD9oHgBda3QlITwBgJiAGG5pdIvqxHdewr69a1OjhpPA7lzy7Bjbid3V9+KQHbSNbQtAy+jmPN7hUT7b+zktqjXn+W7P0SRKdR10ju9MbGCZ7BGoYSOSLKl+NtTTOWQHOlHHngt7+XTv55i0RuKCY3l/6HtqH1EJ8Faro5xj36Xm0r9PXX768TjZOWaqxwbiykPrCdejMXhwPTZsOMPatUk0axHDrGnqdTp85DIffbaPGrWDyMgq5oOP9/LqZH+nYfOqeHjxx/EnSfCKWzXjRnvWiottPPzIct56czAhwWXhHte6SvvlokMknspm+mu93WU3Agnesw1/N/kdPPtQZqhGj1nG6NGtaN9OJcF/t+QYn3xxgB5davDCc13d8uk32rPhxY2Bf5RSZbfLbrFJQWVRozgFJSVJdss+ewaqugjKkqT8oQS6/wREUSA5OYchgz+jZds4np/YhWoxAe5RnMuOewYaq31zcRRFdDoRs9lBSkouVqvkDETWllsQkSSVUO8ZRGuX7O4po1bUuuPMZEV2060EQUAn6hAEoVzCZFceAk+Ggt0ho6kQHygIauIYlPJp8lwBui5DKooiGkGDQ3aoVCVBg6RIaAQ1E/xPR5fiq/VVDZcoUmIroV1sWx7v9Bg6UYeCqr+mE9VzOBwK7364m19Xn+DA0SzGjlGVeEWNgL+/nltvbsioES3R6TTOfl75HtntknvU5xIwdT1LnvLiFQOpvfjfwPUI9HEbNp2uzHnrhvN3NX9A1SMPddt1aMl1gsmk5Z23B5NyJge/QCMB/iq3UVWQqNzQioHGrvHrsKH16d4tHoNBg6JoKr2oVV2PK+UVFQWxyryinsGzoiAiVqhTdwW+qsvYVCr7nQBd0blDs8im6AQdelHvNrY2yUb1wOoYtAa3YfMcDYqiQLs21QkPNvBkVACNGkUA6nUYNqR83N7vfeBcbJWKuNpz5oUX14L/pLrHP4GKGmUVyytuu/ZycE3/qlLBqHhM+dtYdsyVyq8nJElGVkCr8SpyePH7+L2paMS/re6RX2DBarHj46OqabhGe8XFNoqKrZhMOvz89P/4KqlL7RVBQPM70xiLxYEoCpXoVp70qfLlVMp76YmKRqtM/7+80RKEK/vsysr/+LmrMrCqn6vyvqo2nFJpzO/ScLsS3NcVwSkrpJZrNGJVbDwvvPjXUM6wubJyux5eNb+lS6CxTCfLNV2YOXsrX32xl8Bwf5Z8cwcNGqjTky++PMjcN7dSVGJn8Re307tX7X+MYqVq8Kv5oAUBFKch8BRtlGXFHa83+aUNREf788Tj7Z06/Ro3Basq2+UqO3L0MkFBJqrFBJSL2zt85DLmEhvVY1UZa5cxSjyVTX6emaAQHxLqhbmNXVpaAZcuFWAw6WjRLNptkEpL7SQlZRNTLYDwMN9y5048lU1+gZoEpm7tUEwmHSlncykpsSMoCg0bReLnq0dR4FxaHplZJcgOmbBwX+rUDi0zXtd4O9T75x2ReXHjw23YylQvKj+4FVUmXEZu5ut9GDe2DQ8/shxXBIAkKYx/pB3jH2nH4KFfuSlN/xQEocxf6AlP340oCm6StUYjoNEKzj6q+1xpJCXLCnl5FpYuO8G0mZuIiwvkx2/vJCLCD0WBjz7ey+uzNxPqp6dW/XBef6UPCQlhrF6TxISJq/HRCoREBTDlhR5071aDg4fSeWj8cuxmC4YAIxPGd+TO25tw/EQm3313jDff3M6Do1sxf84AAKxWiW++Pcw7H+xG1ArIkszM1/pTUmzjlju/pn2HOPIvF9GsVSxvzh9IZIQf/QZ9iYyCUSugaDTMeb0vA/rXc69se+HFfxEiqMGl6ijBwQcL9/Lq678xY/YW8vJKsdskPv38AJNeXs+kyb+yaXOq+6WXJIWcnMqEZVlWy+32f9aogbq6u+Dtnbz0ynrmv7WDlBQ1M/2v605z4UIhAKmpeSxfmQg4p3fAJ18c4PXXf+PkyawrTA9Vg5idU0JmVjFvzxtEXHSgW+UiNTWP6bM2s3X9aA4efBx/fwNTpq6nuNjKxBd+YcHsARw69AS33dyIR59cQUmxjckvr2fooPocPPgE7y4YwiNPrCAnx8zJk1kkNAjjuee64eejR5LU+7Nz13len7GFb7+8nX3bx3Fg13j69q6NJMsMG9SQnRvHcvLk0xQX25jy8gbMpXZq1wgh+dgEjh56gpsGNeCDhXvL9ckLL/6LEGVF9bXk5ZXy/Au/smZtEtk5ZjKzSpAkNR+ArMiEhPoQEmRi7hvb2bP3glvttCqlWVEsm8b+U3CNIr/48iD7919EURQuXy6itFQlok+fuYUDBy8BsG17Gi9OWQeAwaTl8y8PkJycw/FjmTw0fjlZ2WZnfZ5OevX/+vXCmPR8N+wOCYtVchvB7TvSaN2yGvHxQcyYuYWtW8+h1WpYvTqJGnFB9O1Th8XfHeGtd3dRPSaQ1WuT0GlEbhvemK1bz/HwI8upGR/CbxtTGH5rI+6+syk5uWYcDlfiHIV160/Tq1ct6tcPczNDXB+VErMNm01CkmRG3d+S1LP55OVZKLXYGXLLV9x117ecSMzg1ck9XVfMG2fmxX8WWkVWp2ObNp9l38GLbFg7EqOp/JpCyxYxvPvWdnT+RvbsOMfZs3m0bVP9X2ry1XEmJZekpCzGPtiarl1ruMujY/zd9CcfHy3RUSpnUnJING4UyczX+gDQvvNHHDxwib596zj9guXrdzgk50jH6YNz2r6CAgsmg5Ypr2wgOTmHl1/swfr1ZziTmqd+EOZvZ9u2c0x5sTu/rD3NqaQcQoJMLF16gs1bzvL4Y+3Z+FsqOTml7hg5z6Q5igwXLxbi52/A4ZBVhohHAh1RUBdAFOcQNCDAgOIUyGzWJIqwYBPHErNYvymFps2i3MbSu4rpxX8R7tc2J8dMbFwgRiff025XSdSJp7KZ8ORqOnauyZAB9alRK6SSv0oQKotMXqn874LrBX1uYhdem9qHn1cl0rTpm/z662kASs129z56vRaHs382m0z3rqpUUanFQVSEH8VOPumVzqPTlS0wiE4/Va1awazekExhgZWPPhhGZKQfFquDDu1j2Xv4Env3XWThhzfRqWM8mVnFdO4Qy4XMIn5adoIF8wZw3z3NuZxRTHx8oDt42PP6CaJAZJQ/ly4XOTNmlR8Ru/omCAI5OaWYDFr8/PTodBqee7orEyZ04uYhDdjhzNjuhRf/ZbgtVJ3aIezbc5G1vyRjs0lYLGqkfOKpLDKySnjwwdbExQRy+myee6HAanVQUmKj1GKnpMSG1eYyFlK5cou1fJKTvxOBgQb69q7Di891o3nLaiz56RgAsiSTnJxNQaGVqdM2YnVGuEuSTPrlIsxmO5s2pZJ4OpsuTgWQKy0glJbaKTHbKS21Yy6xYbdLtG1TnegIf26/vQkmk44PFu4lNj6Qrl1qEBpkYsiQBKKj/Xj/wz0oAnTtVpPwUF+6d69JQkI4X317mAuXC+nRvRalFjvmUmf9pXaKi61IkswdtzXm6JEMvvn2CKUWO4WFFjWGTFYoKlEzSO3Ze4FXX99I23bVCQw0UlBg4UxKDoWFVg4eTldHrkatWxLICy/+ixAURVFU/TSRpUtPMvHFtdhkGaNWw/rVDxAS7MPIsUvZtfU0bTrVorTYzpMTOtG3T23uvPt7tu9JQ6MVkUqs9B2UwAdvDeXlqRv56tuDCDoRudRBkxYxfPDWEOLigv62sA/XtOqhcctZtT4JvaKQ0DiK+TP7k5AQzrp1p3ls4mockkyHlrHoDRo++egm5r+xg/lzN6MLMCIK8PmHt9Clczx2u1xuROQK20hNzWPwzYuwOFT/mlxiY8zD7XhpUg8OHLzEXff/gDnPTJ+BCbw9bxC+fnouXizktnsWc/5MDvWbRPPFwluoVi2AkhIbI8csZefWFAIj/fly4S20bBHD198e4YUX1iCaXNp2Igum9+fmmxvy49ITPPr4cvyCjFhLbLz79jB8TTrufXAJRl8d1lIHUyf34MGRahb1gUO/5GRyFlglWneI4+N3byIk1PSvKhx78b+NfyJA18s88MILL/5R/OPMA5dyqQuuL3rFcA5X8GrlctyS0xXN5T81Oqh4btd5y/VN1VOssq2CIJCVVcJPP59wz9Rcx+r1GoYOTCAsrLyYYlm/PalW5aeyntfK81p4lruua8X7cLVtVVGqPIOLK94j7yjNi/8FlDNsV6LrXOlluFri239rse1qjIErUZE8eZWCAEVFVrbtOKeKAChlUtUmk44eXWoSEeFb5Yri1ahW13INr07Z+mOUqt87rxde/Jfxn8xx5qKAqbF2fzyezmUcatcO4avPhv+hff8KXGKP/1ZG+OuFshysamyj15h68W/jP2nYqgoavhYoioKtCtaEAFfVnXMTywXX/kL5beov7uM14o1JHfckyJcj71+hf1XlYPXCi38TbgvgSp+meEy9PN086t8Vy8pXdiMsQ9hsEiNHL6V+/bkMvuUrzp5VKVUucr/rxxNl/VXc5HSDM32f+iO6U8NdbaQm4CTPUzkDlLvU4/ipG6exKmmVmpHJpbhxFSjOf1X9reDRvyr2qWrb7/aj4lT7Cv1b+Ml+6tadQ/O277J+wxnAJURw7fC8F+XLlUrPYEV/o+sZ9sILt2FTfTdlPidPZ7W6XfAoK3OQe+JGCGK32SQyMop5482hLHxvGDHVAgAQRc8+VJYQ8uyfCxWviedL43DI2Jxxe6DmDBi++DZqz65HwrxGNHu7JRtTNwGw58Ie2rzbnrqz69NgQSPe2f0OAMk5yeSYc9zT0YrG0GqVnFM8Z3sqGBTPvz2NUVX7VLXNEy6jYbabGf3TWOJn1qLhgiZsObsFUKWOXt84nfhZNak/tyHfHP7GeSDccVtj1q8fQ9OGUZxLy3dfu2uFy8dZpVH1uHeuTZ7+xrL7eO3n9eK/By2oL2lpqZ2CQisWi53AQCM5OaXExPgT4KTwHDuegSwpxNcIIjTEh5wcMzabRHS0Sk2y2SSys82EhpowGP7dGa6/n55atUKJjvJ3j08EQSDxVDYF+aWYfHQ0bRLlLIeLlwq5dLEQjU4kKsKfmBh/iops2GwOioqt5OaYqVEzhJBgk5ORIfD+B7tJSc1jzqz+CAI4cGCTbHxw63v0qa3mSbBJapap5355ntf7T6Nv7T4sOb6EBdsW8Gi7R/HX+6PT6DmZmYikSNQOrYVJa8JidaARRe4f+RPDb23IsGENEATIMmdg1BoJNqk5PktsJRRZi4j0iyQ17yx55jwURaZaYDViAmIAyCvNQxAEzuefRwHig+IINAZWUsiVFAmtqGXJsSX0qtuT94e9yycHPuG5X55n29itfH34G1Ynr2HP+N0EGANo/14HaoXUon1sewICDAQEGIiM9PtLCriCIHAmJZfsrBJ0Bg1NG0eh1YqUlNg4fSZXzRQvCjRuGIHJpONyRjEWi50a8cEIAmRmlWAusbkT4HjxvwstqDzHSZPXk5iUxaVLhVSPCeTM+TzGj2nDuIfaMXPOVpYuO45BJxIR7c/C929iz+4LvPraRrZvGUNgoJE1a5L5+LN9vPv2YOJi/75A3D8CWVawOmlDkjPAdc+eC8x/awdFuWYUvZY7bm7I/fe35OKlIp59/hfSz+eTWWzlwXta8tSEjixbnsjLr6yncdNI0s5kEhoZxOKv7iA8XA31UI17qVsiSZIF8krzWJe0jmJLMY0iG1EvrC4Atze5nVWnVmG2mjmdk8KIliMA9UVecXIFiw9+x9HLxxjWeAgLBs7H6Pww+PnqiYzwdUuEz9g8i5zSbBYN/xJREJm1ZRbF9hKm93mdzw98zsnLp7A6LBj1Rl7qNZmmkU14+beXSclNpdRqITn7NN1qd+HDmz7AqDGCWOYnc0mIj2gxwn0dG0c0psRmxmw3s/fCXoY1HEqkXwTTt8wgz5zH1rPbaB+rJpRWFMrlK7jW+yUIAieOZzL7jW1kXypA1mkZ0LsuY8e0Jjk5h5lzt1JcasNcZKV1y2pMfaU3K1ef4oUp61j67V20a1edm279mtYtq/HmgoFeDuz/OLQAPj460s7nc+vNjSgpsXHseAbjHmrLsROZfP3tYbZtP8fJo08A8ODYZSz8eB+vTe3Nex/uYcfO8/TvV4d160/Tp2dt4mKDkCT5BtKuV8dsz734K00ahjN0WAOOHUrnmUm/cvvtTdi//yKXM4p54qkuDBuS4D7KaNRiNGr54K0hxFQLoFO3haxcdYq6dUPYtu0su/dfIi+vlJmzN1O3bjiDB9VlaMJQDp4/xFvn38YqWXh76Fu0qtaK7jW7sTl1Ex/s/pBgn0Cm953ublqxrZjlI35m9/ndjF8xnsKSUlatSuZcSi4Hj6Vj+1xi++40enSuw5h2I5mw4mnOF1wgzCeEXRd2M3/APExaEy90fZ6fTyxHp9Eze+tsNpxZT9PIJuhEHeG+4Xx236cU24pZcvxHiq3F+Pj5uAnznnDIDjSCFkGAD/d8xIOtR6IXdRTbi/HV+zBt4zROZJ7klqY3cbnksvu4K9mRP5LsR1HUj+Cr0zdi0oncM7I1F87m89LU9fTrV4fmzaOZ9Hw3Dh+4SG6Rjdlzt/DIw+0YPbIVigxvvr+Lakv9GdS/Pi9O6uas0zst/f8CpYqfvwoRVA2zsBAfYqsHUlxso0njKByShNlsIzkph/59amO1qtOyAX3qotdpsNtlht/SiM1bz5Kamk9GZjE9e9W+Pq26jtBqNc6RlYaMjGLW/pJE+uUiXpvaC0EQ6Nwpnu7da/LN4sOMGP0TPyw5DkBxoZX+/eoRGe2PxeKgZbMYcnJLyMsrJfVsLjl5ZgqKLKSezeNyRhGCIjKx8zN8c9dXbBy7gQaRDXln17tYHBYeWvYwzaNbsHbkamoE1+CBHx/E4rAgITGm7RgcsgOzvZRgH/WjkJFRTGpqLmazjYysYlLP5pGfZ6FOaG3qhdVn36V9bDm3hRpB8dQMqkmJvYRxyx/hy4OL2Hp2K1a7BV+9qrorCiKD6w/GJtnw1fnxQIv7ifBTlY4rGhpZkdGKWopshTz40yi0opaH2zyEgkKYMZSPdn9Msb2Yr25bRKhPGCat6XevvyuD/ZWMmuxUICktVfOVFhRYWPtLEsdOXGbK5B5ER/mzY2ca4x9fwZq1pzh8JB0fXz2CIGCzSYx6oAWF+Rbeemcnjz3aHodDLsu05sX/LLSgftlkRXHzEtVpnICPj56YaD8WLznGpBe6YzBoWbnmFDHR/uh0IgP612PylPWsWn2K6rGBNG4UgeR8UG8UOCQZo0lLcbGVZ57sRN8+dcptNxq1vPRCdwDmLtjOc5N+4bbhjUBElQoXBTQGLRu3pjK7fx8GDqzPkMEJfPfdUZKSc3hpcvdK57RLNtIKztEpviOiIJJvKWBYgyEA9K83gBWJqxAEAaPGQK45B62oRStqcDhkAgMMTHisIwAPj1vB/SOa06FDrLvujnHtOZR+iCJrEX1r98HP4MeuC3vYfWEPiRNOANDlo67YJXUqLggCxdZi9Bo9siwjKTIaUVNpEUFWZAQECm2FPLnqSWL8o3mtz2vu7dEBMfjoTMzqOwuA7458z9yBc4Cr5zdduSaJDRvP8NLz3QgJ8UGWKScFJQgCDqeab6nZzvBbGjHygZbl6vhm8REaNYjkg3eHcGD/JX7bmIIggF6v4eNP99G4YST1aocxa85WXp/W27066jVu/7vQgvoQFBerKhVmsx2tTjVuRUVW7n6qE/sOpZPQYD4Gk5YWLaszfpyagTw2NoD4GkHMWrCV7xbdcWMutyvg66PjjbkDGTFqiTpyUGDokARmTe/Hjz+eYOrMjaABfz8D99/XHIAAfwOLvjnI9n3nyb1czPDhTejdqw42m5qDNO18ARcvFaoro4KAoJF5fOXjHLpwhAJrPh1rtOfxDo+h1+i5p/ld3PTlrfjr/VFQmNzjRQwaA9nmHPcKs112UGgtxCHJOKx2tFqR9MtFnD2XR6tWMQiiGp83sP4Aliz5iWJbMZO6vYCCQq3gmsQFVqfenAQSIuuTXpzuDvo1281qHlJUI6IVtM7L4gpIK0/FmrtlHp9u+ZSO9TvTMbkzOo2e1/q/ygMt7+d8wXlavt0aq8PGTY2H0r1Gd2dcm3DF0J/MzBLemPMb7VpV5847miBJUrmYN0FQCR5avYa5s/pz78gfmDVnM4JWQ5eO8Xz43jB696rNhGdW06DBPOJqhyMiotNp+Piz/cx/awcrl95HcKCJ9l0+pKjYypvzvT62/3UIiqIosqyQnWPG10eHzaZGw2u1IjabREiIyZ1YRFYU6tQJw9+vLEdmcbGNzOwSat0gK1HFxTZGjVnK1Fd7U79eqGc8KWnn88nJUZOghISYiI8LIifHzPmLhe7pS8OECAwGDV99fYTlK08yaVI3kBUaN4pEqxXdI4HCQisOh0xIiDodU1BIyU2h2FqCKIrUCa3tnqpJsoPTOWcotVsIMPpTK6QWANnmbIxaI356PywOC3mleUT5R4GihjRkZZXg66vHx6d8HtGM4kxAIdIv0l2WY87hfP4FAo0B+Bn8MGqN+Bv8yS3NRa/R46f3+0PX73JRBhZHKSU21SBqBQ1xwXEEGAIosBSQkpuKTtSSEJGAVtSWGxlNfO4XGjWK4IERLXA41OQ527afY/RDy1j81e20bBnzu7kWLqUXkZFRBAgEBBioXSsEWVY/JHm5ZqJjAhAECAv1ITvbjN0hUb1aoNr2jGIsFgc14oP+UF+9+HdQkQT/3N9FghdFgYhw1Sfj61uxEWAy6WjWLLpSwwD8/PT4+VVOBvxvoqjIypkzOfj76wkL80HvzE4eFxtEXGxQuX1DQ30IDfWpVIfFYic4yERzZ1gIlJ/eBAQYyu0vIFA7pHa5MjetS9RSP7x+pXOE+YS5fzdqjUT7R7sqAyA83LfSMQoKkU4fWbl++IQS6hNaqTzEFFKpLK80j0JrISKi2/DLioxJ70OUf2Sl/V3nDTQG0iKmebkyECgotJKXa+ZyRjEJCWqfNBqRd97bxby3dzB7Wl9atoxxuzquBEVRiIn2J8YZQuSCKArUiA+qZLAiI/2cx6l/R0X+MePtxX8fHlmqqBCQW7HMHRFWKcBV1c+/MYb+er2GqGh/npywnLqNonhn/iBq1Aj28O149kP9rWL0uigKRET4Ub16gMoKkF2KwOXPVdGPUy5XZwWyepWKHBV8U5X+rsJPJCC42QOVKFtV0J0865RkCY2o4dMDn7Jw96f46/yRFXVqWGQtolednswaOANfrS8ysjtzvCuwtyLVSnDKpHy/5BhzZm7EJ8iH++9rAaiLAo+Nb89j49u72/h7VDfBPaW92j1yBiRXeFZd18vzby/+d/GX9NgcDhlJkhFEAZ22bDlfkmQcDnVqp9WKNzQp2uFQBSVvpAWP/wrKjNS/p/bixY2Hf2wq+qcP1opVfoU1GhHNv8iJvhZ1jyuNIlxZz6syeC6SvCio4SSu+mVFUVMOKgqiKLqDdxUF7HZJbZMooPM4xvVx0Go1bt+T4qzH9c3R6TTlPg7uD4qg5l8QBJX54TIkapYwZ7ldQpFdFDgBnU5ERi6f79W5hiAK4p8i5pepe6j33p2nQXBV7oUX/yz+kmH7cOFetm05Q8OmMYy6vyUREaqPY+myk/yw9CjVqgfy0MjW1KkT+o9mRPoj6h4uZsTKlacICDDQtWuNcm28UtZz1z4GfWUDIFYo92Rf6D3KXWNk1aBV/jgIglBuf09c6Zgr7a/XVS7XoEFzHb88XnUPL240lHs7FEV9GV0/ZeVlZa5RhKIo1K8XRrVqQSxadIjLGcWAenxcXCCtWlTjh++PcSop2133PwXPPpQpQZRXhXDRf1avSWLrtnPISvn+XaleQRDIy7UwdPjXTHltA0VFZRmt0tOLGHjTIjp3fp+Zc7a4jZrDLjFi9I907vwB4x5foQaROkeDn31+gIFDvmD9b2fc9Zw4kcWtdy2mc8+F9Bn8OcdPZLq3aTQi897aQefO7zH01q+5cLEQs9nOPQ8soXv/T+nS5UNen7kZu5Og/9TENXTr8wmdu37I+AkryM+3uPvihRf/VZQzbILg+vqWFwt0pYFzpdRzoXu3mjzxRGfq1AxxjyAUBVq1jOHpCZ1o2TTmiiOJvxOefShTgiivCuFqV1CQkaAgE6J72nol2o9ax5GjGTz6xAqqRQWwc/t5iotVorvZbOfekUto1jiKqVP7cvxEJm++tROAB0YvRSMIvPpqbwL9DTz5zGpEQeD5Sb+SeCqb3FwrJ09kuc9TrZo/Tz7agWkv96Zl0xgee2IlpaUO7HaJJ59eQ2pKLtOm9eOpJzoSEmwiK8vM/n2XmPxcN156qSfLVpzk80WHAFi/IYUxI1szbWof0tIKmfr6Rvd5briYQy+8uE4QQY3OB9i27Rwt279HXN051G/yJmlp+ZhLbNw94gcatHybBg0X8MTTqykutiEIArKscPlyIVa3f0eFLCvk5JopMduvOgL6O5CYmEXrjh9QO2EerTq8z9at5wAYOeonNm5KBWDlylPccpsquyMrcOpUJv2Hfkn16jOYPlOV6amcc0D9qVM7mPnzBjB0UAKhwT7uvKK791ygIN/CjNf60LVLTVLO5rFmfTJHj2aQlJzN66/2plevOmRlm1m7PpnzaQU8OaEjU1/p6YydK/MKBAYa6dwpnh7datK6RQz+fnqMRi1bt6Vx4OAlJj3XjR49atO9a018fHTIikJs9UB6dq1Ft261iK8ehNGoGu6wUB+6dIqnR/da1K8TismodffP69D34r8KrSQraDUihw6l89Sza3nt5d706FELySHj66tDEATefWswZ07nggiPPr6C1WtOcfttTRBFoUrnuigKaK9Bkvt6wOX7+uCjvfTpUYsnHutAVJS/26mdm2fBYlFpRkUlKgcTwGDU8MOSJDasexBLqZ0ht37NwAH1aN4sqkq/oMmkw8dHT6nFrk5nnfbv+PFMmjaK5PTpHB56ZDnBASaio/z45ddk6tQIwWy2c+fd35GXb6Fl0xhOnMykXz9V/cPs8QFwOCR0Og3zFuzgzQWbCQr359OPbkYQICOjCKNRywuT17Fx3XEaNo3nm0W34e+n53hiJrWbLMBRZKV3//r076vWXVRkpUOPj9A6ZOo3ieKDN4cC3lwIXvy3IbpezP0H0qldO5iBA+qh04oYDBpAwGJxMO31Tdx++1c89vRqkhOz3aMLh0N2r/bZ7ZLbb+USYXTxT9UVvn+mQ10612DlmlNMnrKBDetPU1ig+sAMBpWIbbdLBAca3U5+c4mdJx7rQGz1QGrWCqFpg0hOJ+cAVU/VJEntm4tsbbOrYpB+fjqSU3J5fMIqRo5oyfTX+lCQbyEwyERRqY1HH19F0yZRLP7mDixmO0aTzl2Xoig4JBmbXUKj0SDLCk9N6EBa2gss//Feht/9HWfO5CErCucuFPD0E51IS3uJ6Eg/vv/hGKWlDhrVD+f00QmcP/8CPiYdr83YjKJAYICRnZvGkpb2PDcPbsCTz67BZpMQReEfH0174cU/Bfdwy8dHR3JyDg67uurmCiPYuDmVzVvOkpLyHDs3jiGhSaRbOVarFakRH0yAv5GaLj+bM3YtPNyXQH8jsbGB6HTiVWk01wOukdWttzTk6IHHmPhsFx4et4wFb+4AVM05Xx8dOp2GXXsuIDqZ2KIoEBRsQqMRUGSF06m5VHOq7lYFrVaVCK8WE0BQoJHY6oFoNCItWlRj597zTHq+O/fe24xlP59EqxcZ2K8uew9cZNCg+kx6oRu7dp4nr8BCgwbhbuWL4CATMVH+6HUaRJFyvswaNYLw99FjtTnw9THQuV0cTZuq7IDgYJOaDV6W8fHRuUfPMdFq2xRFQafXEBaiMhhiYwMJDjQ6pcL/nvvghRc3ArSCoPrEOneK46elwQy6eRF164WiEUReeqE7kRG+FBZbGT36B9Do2LP7Asp49aV76+1dbNmeyrpNKYwevYTefevx4IhW/LD0GOt/O82vG5MpLDLTo1cdRt3fkvDwqtPWXQ+46v1o4T72HrpIiL+Blu3jCHMKQ7ZoHs2kl9fRrHk0y5cmEl1Npe2UljqYP28r+w5eIvFUFu3axdK+fXU3A6GsftXHlp5exJz52zh87DJHjmbwwAM/MPSmRgwZlMDzT3Xho8/28vXXBzhyMpvnJ3ahWvUAJj3TlR27z3H86CWOJeVw2/BGRIT7svi7o2zbmsrS1YkcOHKRnfsvMOGRDpy/WMCXn+9HY9KRk1nCXXc0oWGDcMJCffju+yPcMvxrYmIC2H8onfffHopep2H77jTGP7kSwS6RklbACxO7IooCyadzGDN+GSH+Bs6k5XPvXc0w6LXuFV4vvPgvQiuK6iJAbGwgH70/jC++OURRsRWtRh1ltWwRwzsLBrNn91kSGkZz2y2NaNBA5SoGBxtp1aoaffrUITezmKBAI6JGJS/XqBHMrBn9KMwrJTjE5BF39fe8TK6XNDjYRFxsIA6rg0H963HvXc0AmPh0F6ovOUJRkZWvFw1XA2mBUSNbUiPOH7NdplbNIMaNbgeUMRJccBk212h0QP96DL+1EbkZJfj76dHpRF56sTtvvrsTa4mN2+9sRo9uNVEUhSce74DhYy1Z6YX06FOXO25tjKIoBAcbiYz04+WXulNaYkNGrd9k1BIV5Y+g19CgbhjjHmqLoihERPgybWpvliw5it0h896bQ2jeLAqLxcHcmf25lFGIZHFw970t6Ng+DoA5M/tyMikLySrRu19dbhrSwH29vHbNi/8q3JSqK0l5e3Wt/jxc17Titb3WUavr+KqOu9J9u9ZyL7z4p/CPUqpcL6CaNk3l92m16sqmJ0UJQKNRfUCuchcnx7VKKkmKk7Kjll9r4uK/AkmS3cGnnudVHfQqidsldKjRiOWS/Soo6LQiR45kcts934JGcAf2KpKCn7+eLz+6lYYNIzyuh0qf0jj3dTiUctfC1Y6KNC+1reWvE4K6mqwoZW3y5LG6QmxcK72u8wLY3Su05c9ddo9wy1F54cV/HeUoVRUDc907XeFluFK5RiNcV8rOtUA1ZIrb4HoG6Oq0lftWFR2oYcMwtmwYXWlfQYCQYJObA1p5u4BOV/kcrilspXJRQStWDgpWA6Krvn5Xoi/prvEe/RmUMTPKBz9fL7gYLlB+AcULL64V/8lM8Ffief5R6HSaP6Xt5ZAdZSEUAmgFrVOKR8GhSO74EY2oQRREt8rtjQhZkZEUCY2gcbfzr17X34M6mvUas/9FXO9kLv85w6YoCnv3XSTlTA5+gUa6da6Bv7/huvsKXZnlPUdErhR2FSEIAjqh8raTWYkEGQPLBCYrwKVC+0/7xBSUSoZXlhV2773AmeQsIqMD6Ng+Dl/f6yMw6pqinzuXz669F/AxamnVMoaYmCuH3XjhxdXgznkgSbLbnyQIArKioNWU+cwcDjV2TaNRlSVc/iGdUz3C5fvRaq/Mt/wnUFrq4NHHV6HXKLRoG0uLZtH4+xvc7XO9RJ46cXZ7mYyPq3+evixXJiVPI6aOLMovCKxOXsOpjCRskhWtRstNjYZRJ6QOFoeFD3Z9iNlmxqAzMqjBABLCEnhlwyv0qdubEc1HICsyOlFXTjao4jTSIavMCZcBlWQJBQWtqMUu2919EAURrUaLgOA+RlbUvmtEzRUNsGs/URDJLc1l5clVtI1tS0J4fWRZ/WD8uuYk+49k8fOPd9O2TfU/Fb6j6vWpbXXxkLVagXNp+Sz9+QQrVpxkxrS+PP5YB+/ilRd/Cu4sVVfTJVN9ZtoqyspewhtFukaWFerVDeWtNwcTEmx0lwsi6Kvw+ymK4vSZle9/Vf1xGX5RFNi56zy5uaUMGlhP1VuT7UzdOJUgXTANIxqi02qxOFTWw5ytc0kvvIxO0HKx+BKHMg6waPgiwnzD8DcEoNeUH/m4Vi4Xf3eUpk0iadhQDa+paJA8jaBO1FXsQpXHwJWzSinOfw7ZwYvrJvPJnk95Z9jbJITXRxQFHh/fnsfHt2f0mGUe6iDXbnVUvb7Kje3apQZdu9Rg3CMrMBr/c5MJL/5BuDPBb9yYyoHD6Zy/kE/zJtFs253G6Ada0q9PXfbvv8SzL65FtsvcfkdTxo1ty6rVSezZe4FXpvRAEAROncrmx2UnGHFvc6pXC/hH9dcqwmJxkJKSi1+TSOdLJCAKAg89upyTRy8THuPPglkDiIsLQhAEZs/dyuqVJxFNOu65rSmjHmzFtm1p7NyVRna+mT3bU7jzntY8NLq1msJOgi1bzpJ8Oof+Tr6npEjEB8UztddUEsLK5zf4LWUjo9qM5N6m9/LTiZ/4aO9CQE3vl1mcyYNLxpBjzuaJLo/Rs2ZPbHYHOq2WLxcd4t57m1K/fjgyEh/u/RB/oz/3N1eztf+a/CtJucmMaTWaWVtmsz11J3bJzoCEfjzR+Qn0oo7FRxdjcVhZcXwlRdZiHmxzP3c2vVNNt+eS93ZCkiW0opY52+ciyxLDmgx15ycFdWpssdgpKLT8qfsiyzKiKPLV14f5ZNEBJKuDmnVCmfNaXyIi/bDZHCgI5OaVemWVvPhLEEEdgbz30R5On86hsMDK198ext9Hz/btaezYmcaTE9dw/70teeapziz6+hCLvjlMndqhfP3tYU4lqbzKNWuSSTmTS3CQ0SME5N+BS5ZIr9e4p2cTn/uFRgnhvPpKb/r0rMtjE1YhSQrrN5zh2PFMnn66C88+1ZkOHdXA1rQLBTw36RdiIv15+uluzH9jO5s3n3UbyvAwHyIj/ZwjVwGtqCGjOIOBnwymwbxGvLD2Rfc08Ps7F7M5ZQuN32jK7vN7WDT8SwB0Gh0f7/uY25reSoOIBF5ZPxUZCaNBh0YjEBXlT2iIDxqNgE6jRafR8+WBLymxlQDw2cHPMWqNaDVabm54M5N7TmJK78nsurCbxUcWA7AxZSPv7X6Pce0fomftbiw9+TPpRelqDgMPXpXLqO0+v5vfUjYyqfskggyBWKUyvTmtVsRg0F7R5/d7NC3Xh65TpzheebEHU1/uRXiIDy9P+825XcSg1/zjPkUv/ntwTkUFggIM3HJTQ5KSs2mQEE7rVtXYtfs8q1adonHDcEbc2xyAlLMFnDyRyX13N6Nr5xr8tjGFuNhAtm4/y733NMfXV+/MRnRjPJwajYjNKrF73wWW/pRHcLQ/+RnFGP0NmM02QoJNHDmeQV5BKUu/v9s9JZclhXvubs4Tj3UA4NvvjnHwUDoHDl3ijTe3USopSA6Zr749SN/e9Xhr/kB+uPN7CkoLyDZnM3HNs8zbNp9nu07kzZ1vkleay+e3fcqUDVP4eN8nPN/tOSwOC6PbjGZAvf6E+4Sz8+I2srJLmPjsOjb/lkyhTWbV+lMYDRpeeKIXt44azIrEFRzLPE6IKYgscxaD6g1EI2g4m3+WKb+8TLhfOPsv7qd33Z4ABBgCGNlyJL3r9KZ3nd4UWArw0fmUG60pTinzElsJH+1byL1N7ybSL5Lc0jxskg2rZEUn/P5CwR8doEuSwqRX1mMutZF/qYhW7ePd7XCJg7p+94Z8ePFn4Fw8UNQvsSBgsUiYTDosFrs7a5CnP0SRFfVHgZEPtOTzLw7SMCGCgAAD/frWce5/4zyMgiiQX2DBbpNYuPBWenSv6d6mKNCyZQyH9jzCmTO5tO3yITHhfqxcfh82m4NIj/R3VpuMTi8yelRrRj/Yio8/3c/Zc/m89movRFHAaNJhEiKI8I2gLnVpHNWExKxESuwlrEpczWfDP6V5VHOe6vQU41c8xmMdHsVX70OErxrsa3aY0WIgONjEO28MQhAExo5bzrChCQwaUA+9XoPBoKVzfCf2X9qPrEj0r9OPaP9ozuSmMHXjNH66fwnRftHc+/197pGqIAgEGYPcmd4DjYGVrpGsyGgEDfsu7WPv+X3sObuPGZtmk2fOY1fqHk5knuCtQW86R6BV39u8/FL1XIHGKreDS4EYRj20jAmPtOe2Wxsza/YW9h9KB8rEP31MWvz9Dd6Rmxd/Gm7DlpdXirnUQUmJDatVxGy2Y7VJ3HJTA56cuIZvvj1MaKgPP686yX13N0cQoFHDCGw2B7PmbaF/33r4+OhwSDLaGyjjk90uERHhS9s21fjo4z1Izhc+OsqfRg0juHChkFPJ2SDA+LFt+ezLAwAYjFpOJGay7rczpJzO5czZXGb16Y1Br1EljxSw2yT8/dX8orKisPfCPgpLCzmbn8q+i3t4pdcr+On8CPMN58ejP5JZlMW60+toEd0cP70f2SU5FFuLVDkl2U6OOQdBAF9fPRqNiLnEjlYjquEqqO3uUqMT7+x8j7zSfF7pNQWAfEsBRZZC9p3fj0NxsOHMBrrW6gpAkbWIImsRoqAyGqpaOHAtQnSr0Y0jjx9ylw/9ehhDE4YyutUoZNm5+ipJ5Y51MVMmPLOGrdvOsnX9KKpVD6ySRiaKIqVmO5ZSO4eOXCY01JdF3xwhLl41tqdP55ByNo8jJzLQ6gWqVQ+kWdMoQoJN3tVRL64JWlADUnv1rE2tWsFotKrPKCrSD51OQ+dO8bwypSdzZm1CVuCxxztx2y2NADWb+p13NuG7H48z4l6VbC7eAE+foqhZm2x2CY2TP/Xm/EE8OmElU19T/Tn9+tajUcMIDh1KZ/47O7DLqkGeO6M/AAa9hkOH05k5fyuyxcGH7wyhdp1Q9wubkBBOsCsLvAIyEt8f+56jF4+DCNN6T2NAvQEAzO0/i9d+m8H2s7uoE1qLBYMWANAxvgP1wuoBEO0XzZAGQ9TYMaevqkePmsTFOkdYigACdIrrzI6zu3HIdtrFqoT9VjEtGN/+Ed7Z/h4tq7fgqS5P0ihCvUcdYjsQFxTvvjauEBBJlirlPXVlqXIt/HSv0Y0aQTU8RDBlrFZHOce+JKuxfP1612HJkmNkZpmpVj2wkp9VpYPJ+PjqmPJiD954ZwdHjmcwwum+ANi37xLvf7KX6Fh/zp3PZ8E7O3htSi+nYfNOS7344/jdvKJVkaYlWUEjCjfkV7S42MbDjyznrbcGExJUNi2SFeWajO6Xiw6RmJjN9Nd7u8uumbzujAm7nvj3XvAyQzV6zDJGj25F+3ax2G0SPy49zsdfHKRju1hemtTNnTviRns2vLgxUBUJPvLvIsHb7TIajeD2g7gI12owbllApWegqiCowZaSpMaC3QhfVFEUSErO5uZhX9KybSwTn+ykRrDLYJMk9+jDM9BY7ZuLo6jmAzWb7ZxJzcVqk5AlGZ1OW25BRA32LR//Z5fsyIp6nbSi1j3FkxXZTbcSBAGdqEquO2SHO8JfVmQkWUKn0ZXV55DRVJFYxy7bQaH8vs4A3TL6k4hG0OCQHSpVSdC4KVJfHf6KZceW46P1UTO+CyJmm5k2sW14vNOjmLQmJw3MgYg6inM4FD74eA/r1yay52AGY8e0Vs+jEdDrtQwaUJeHHmyDTqdxP0NXgut5Uo2f4I6j9HzOXH290RNue3Fjwm3YXMRuz4fI9fuVAirLtv2dTbw2GI1a3lwwiDOns/EPNOLnp/rABFGoMkC3YqCxa/w6ZHB9unSOx6DXoCiaSi9qVdfD09B4QhTESkG4UD54VhRExAp1XonYrhMrn+ePBOi6fGsNwhsgNVCZDi6fm12yExsUW7a/ADqh7DyiKNC8aTR+Rg0PjevgDhrWaERuublh+f7+jiG60vN0tefMi/84FI//r0MI4+9ORf/X4Sn5cyPAle1dxY0x3VOlokCr9SpyePH7qHIqGhVNrTp1qF37Ok9F/0vw1JT7s6EnLt9ieQf7v+tTLDv/X2uTizdaEYIgXNUn6JlQWhTL9PVutFG7F164DVtFtQqXD8Tld1ONhSrS6CmUCAqyAjgzm4ui4BZJdPlaXMKUoOYwVZzaihX9R38VLjK/yvNUiewuhQxX0Cfg1nV0nbtMmBI3F1QUBYqKbZxOzkZSFJo0inJm7vorbRKcIpLKVc99tTZZLA4SE7NwSDINEsL/lMKGKIh/ihjyd8sWeeHF9YLbsHmqVbgWDVy/V5TOcZW5jqn4ursMX8XRkqKoOUwrHXCd4EnmV+OmKhrOql/KqoxrdraZp55dw+4d5zAF6Bl+U2MmPt25XGLjP9Mm1SFe2Y/5R9pUWGjlxSnrWLP6FP6BBvr0rsuUF3vg53d95IO88OK/Avdb+uv601isDoYMUJUcVq9NQhQF+vetS2ZmCZ8vOoBkl+jRozbt28UCsG//JSRJZsv2s+gFGDAogXp1w9jwWwqBgQbWbTxDWIgPt97UiOBgE4IgsPTnkxw9ko7BV0+PLjWc0jd/bYrnCkTIyChh6YoT3Dy4ARGRvqRfLmL9byk0bRSJXq9hz74LBAeb0GhE8gssdO0UT1GRlWMnMlFkhYhwP06dyebWoQ356tvDXLxQwKnEpwCIjJtJyxYxDBxQ74+1ydmn/HwL3/14jP696xAXF0hBgYXlKxNp2CACP189+/ZfxGjSEeBv4GJ6IT261cRcYudUUjbFZhtx1QI5fiqLwQPqsW1bGjt2nud00tMA1Gm4gIT6YTz4QCuPYAwvvPBC6xpF5OSW8uSzq/n+yzuoVi2AZ579hcmTupF6No8XXlyHqIEAXz1PTlzD9Kl96NG9JjNnbeFSeiGt2lRj/+7z7DlwmU8+uokXXlyH5JBo06E6y1ckcvDQZd57azBbtp7jhx+OUrNGIOcvF9G8kZof8y/HZinq2p7NJrHkp+OsW3eaH7+7i5df+Y2SUjsBPnqmzthMjRqB7Nl7kbq1Q5CB3Cwzq39NcoaI5BAV4YddlpFsCikpedw+vAk5OaWMfmgpAf5G9u2/+IcNG87cnQ6HzLoNp1m8+Ai//TqSWXO3cfToZR4e25bXZ24mIsKXw4fTiY8LxiFL5OWUsm1HGkXFFtLTi/D1NaAIUJRvIb/Aws3DGmCxOBjz0DIUBU6cyEKSZO9qohdeeEDrile76/YmmAxaXpu9Gcku895bg+nevSbTZ27BanOw9Ie7AZg8ZT2//JpMl87xhIX50KFDdZ5+sjMOSWHv3guIokBEhC/DBtdnzJg27N5zgQlPrSYvv5TcHDPHT2XRvn0sr7/Wz92Iv+pncxnF2NgA1iy7j/tH/8SAQZ9Tp0447787hMTEbCRJYs6M/jw8/mfGjGrDpUtFmEvtCMALE7vy2ZcHaNQwgshwP44ez0SrETh/voCnnl5Nq5YxNG0cRXZ2qfucLrL2lRYnXG0KC/NhyTd3MvrhZQwY/AXRkQF8980dKoXNbOf1qb2Z8soGBvavhyQpZGWVAAqPjmvPjp1p6HQamjeNYvfeiwgo5OdZmPDUaqpVD+Chxm04lZSNJCle570XXnhABCclSFbo0imeogIriYlZdOkSjyQpZGYW07RxJIqiYLdLJNQPx2jU4HBI6PUaGjdSM8NrNQId2sei12twOGS6dq2J3ZlVPizEh8zMEgYPqs8b8wZisTho2vZd5s/fDuBWqv2rUBTQ6TV0bBfH2tVJ1K8fhkYjkpFRTGxMAFarA0VRqWA5uWYAQoNNaESR0lIH0VEBZGQWExJswi9Qz8Iv9tO/X10mT+pObl4pUZFlpPgyH+PV4aSm0qtbLX5Ze5rq1QPw8dFx6VIh1aL9kRwKNptERIQfOTlmFBSCAowY9VoKi6zERPuTk2vG11dPWLgvn351kObNopj5el9KzDZCQkxuFWMvvPBChagoqhqu3S4z8YVfGHl/Sx4Y0ZLRY38GFDp3imfV2iQuXy5GUWDxD0cxGnUYDDosFgdFRVb0eg2SJGOzlxmovDwziqKwfGUiigZq1QxBEAV6dK3JxKc7M/aBVnz7/RH36utfjaZzxXf9uu406387w4bfxvDVV4fZtfsCISEm8gusyLKCzeZwGjg1VZ651IHDGfFearFjs8kEBhpo3CCK+nVCueOOJpw+ncuqtafo3bu281wKz7zwC8Nu+5rCAlWvrCphRHWKDXv2XOCLrw6yeeMYftuYytpfkgkN9aXA2Sa7XRVwVNskY7E4sNlVRoe51I7DoWAyamjePJoacYHce09zMjJKWLzkGN2713CvnHrhhRcqtK4p09TpG8ktKGXUyFaUlNjoNeAzXn51I69N7UXKuTzatH0HUSPy4Oi2PPNUZwACAw34+KjR6YIgoBHVt0uSZW66/Rv0GpE69cP47MNb0OlE3n9/DzPmbwEBgoJMzHiltzu/wF9xsbl4oMePZ/H0C2t5c85AevaoyS23NuSp59bw2MPtqVEjCI1GJCzUF5NRh7+/AYNeS0iICYNBQ3CwCV8fPQEBduwOmdtva0Ty6Wxq1JyNpIHpU/t5LHQIREb4Mm/eVpKfz6ZVq2qVSN+uleO0tALGTVjB8093pWvXeMaMac2kKet4ZkIXatUKRtQIhIaaMJl0+PkZsDskgoKMmExaggKN+PvpMRp1FBVb6d2zNmMebE3DJm8gywrPPNOVgf3rO6//n79+Xnjxb0Kp8Pv1+EZfV+aBixw/eNhXzHitD02aRF6vqm8YOBwyyadz+PDjfaRfKuTjD27Cz19fLgbNCy+8uDIqMg+enfQiUU7mQa3rzTxwTeVcFXomHL4SjedKYRpZWSWUlNgq0ZHK11O+rusFzxXWsvOpEbmuHJ/lp74V/3a27Ar9FhD44afjpJ7L470Fg/EPMLi1/K/WpsrX8mptosrp5dXuhRdeeFEGt2GrSNXxtJgVt5Uvr/z3AyNaUK1aQBUZzquu53riyu0Wym0v263i3551eR6vQqMVmDKpe7myqxm1P9cmqvz7Sm3ywgsvyuO6ckVdemfjHm57Pau9ZjgcZflDVW2w61+/LP91qSaX2OONnBH+j8AzB6uLVne967/RJOe9uLHxt5Dg7XbpX02cfKUcqX93/S7pbRc8E6a4dNo8yzU3QB7WqlBVWytuFyjj//7dOWW9vksvrhXuN9TJYy/34wk1WbBSrrzyPur/Op3mXzNqdrvEmIeW0aDBfIYO/5pz5/IAF8mfSn0APMor9+9Kx1QF1+jL9eNpEKoqf33TdNYkr0FBKWdMrgRXQuOKZe5trj547KN4/lMqH18VrtQHz+2e9/fjT/eTkDCPVh3eZ8NvKUDV4S9/BJ7X2zUKXPT1Yd55d5ez7MrPYFXPrRf/m3AbNgGcyrllP1D2oHiqnZaVla/sRnBkW60SFy4WMnv2QN59YzBR0f6AqkriUgb2bKdrAcSzfy6UXYvy/QY8lHdVOGQHd3x3J3XnJNBgXmOav92KjambANh3cR9t3+1A3TkJNFzQhPf3vA/AyayTZJVkIVD1dNQ15XW3h8qjJ9ffrhFUxRGW4PmvitGXZ/sBtpzdQvv3O1JnTn0aL2jG9nPby20/nHGYVm+3ZsbmWe5jb72lEatWPUBC3XDOOj8kfwauuD/X9XYZzwsXCkk9m+ehFFP5GSy7j3/69F78h6AF9cuoBtvasFgdBPgbyM0vJSrCDz8/PZIkk3gqG1mWia0eRFCQkby8Uux2mYgINRrfbpfIzSslKMikZnH6FxHgb6B+Qjix1QPL1g8FgdNncikqtGA06WiQEO4sh4yMYi5fLkLUikSE+RIZ6UdJiQ2bTaK4xEZ+XilxcUEEBhqx21W/2Psf7CH1bB6zZ6rUMAcOSuwlvDXsDQbUUxPCuJINP/fL80zr9wr96vTj+2Pf8+aOtxjXdhwBhgB0Gj2nc04jKRI1guIxaI1YrQ40GpERD/zErbc2YNiQBiBAriUbg8ZAoDEQBYVSeynFtmLCfMI4X3Ce/NICFEUhOiCKSD811KbAUoAgiFwsuAhA9cBq+Bv8K2Wrcinndo7vzK5xOwBYuG8hT615mm1jt6ITdVwuvsy8LfMpsBciCGU5HYKDjAQHGakW4/+XOKuCIHAuLZ/cHDNavYaEemGIopr42t/fwPkLBeTlmqlVKxQ/Pz2ZWSXYbBLVqwUgCJCTa8ZsthNbPfBPt8GL/wa0oCpQTJ6ygROJWVy6VEBs9SCSz+by2ENtGfdQW+bM287iHw5j0IpUiwvi4w9uYsf280ybsYntm8cQEGBg7dpkPvpkP++8NYj4uKAqk8D8U5BlhdJSh3s6o9WK7N9/iVnzt1KQVQJGLffe3pT77m1Oenoxzzy3hvNnc8kqtjHq3pY881Qnli5L5NVpv5HQKIyzSRlExYay+MvbCQ3zASA4yEiWr8Htb5MkgUJrIVtTt6HICgkRCdQKqQnATQ1vYk3SWmRJITXvHHc3U3m3giCwOnE13xz4lmOXj3Frs5uZ23+uWxrJZNQSHurjPsdrG6eTZ8nhi1u/QBREZm2ZRYG1kBl9p/PR3oUcTz+J1WHBz+jPy71fonFEI6b8NoXUvLMUlRSRnHOGXnV78MGw9zFoDCBSzri5MlUdyzjG2dxzpOSmcHvj4ehEHTbJxtSN00iIqE9scCzFtmIcsoReI+KKQLHb/xw1zpUY+VRiFtPnbiHjfD6yXsuwAfV5+KG26HQiu3ad52RSNkf2nyWhcSxffX4ry5YnMvnVdSxbfDdt21Zn6M1f07JZNG+9Ocir5Ps/Di2Aj4+O1HN53DysAWazjaPHMnhodGuOn8zim2+PsHFzCknHnwTggdFL+eCjfUx7pRfvfribHTvP069vbX5df4ZePWoSHxd0Q6hNlE1L1DHbxBd+oXnjCIYPb8zRg+k8/fxaht/aiL17L5CRWcKzz3dn8MD67uONRi2iRuC9N4YQGxtIx64fsWLVKerXD2XnzjR27r1ATk4p89/YRu3aYfTvV5sBdQdwIO0gW1O3IiPzzrC3aRHdnL51+vLKby8zb9t8IvzDmdF3uvs8uZZcVt2/kp1pu3h05aMUmkv5Ze0Zzp/N48jJDD7/+jD7Dl2ia4dajG77AE+ufIYLhRcJ8wlhx/ldzO0/G5PWxOTuL7Ly5Cp0Gh0ztsxi3elfaRzRCA0ago3BLL/nZwqtBfxw7EeKrEWY/NSELZ4zUxkZDRo2nd3EsqPLCTD506X1aAB2pO3AqDUwqdskZmydgVbQoffI8XAlO/JHkv24tPNenvYbvkYto8a158LZfJ6fso677myGyaTlXFo+O7+5naAgE81bv8v6DSmMHdUKySHx5nu7qP5zAP161WXKlO7OOr3T0v9laEH90oaF+BAfF8S+/Rdp1jQaSVYwm22cOpXNgL51sFod2OwSg/rV42RiJg6HzPCbG7F561nq1wsjPb2IsaNbXx8+xHWEVqshN7cUrVbkbFo+6cuOo1FgyuQeCIJAp05x7Dt8ic+/PMDSFScZ0q8+N93UgKJCK4MG1CemWgAWi4NWzauRnVNCUKaRo8cyuHS5mOJiK0ePZaDVahEUkRe6Pu8+74M/jebtnW/z3tB3eWjZQ/Sp24cXb5/Es788ywM/jmTN/auRZImH2z2MQ5awOCyE+AQh2WXOncvn+LHLFBZZSDufj4JMQu0oerSqQ93Qeuy7uA8fnZG4oFhqBdfCbDczfsWjXMi9SL2wepitJfjqVReBRtQwNGEodslOgD6QUa0edLexoqHRCBokWeLRdo/yaLtHuVR0iW4LexDoE8CL6yajRcezq59nY+pGdcSnwMQuz1w1qu73ZMNlWVVetpQ6kBRVdGHpsuMokszkF7rh56ensNDG3Xc1w9fPgMMh07JZDJcuFWKzSYwd1ZqlP5/kh++Pkp892a2Y7F1J/d+GFlwR7aozXKsVsVodCAL4+OiJivRjydLjTHqhOwaDltW/JBEZ6YtOJzJwYH2mvLye1WtOERsbSJMmke4H9UaBQ5IxGLQUF1l57pku9OpZq9x2o1HL1Jd6AjBr7laeenYNN93UAERQZDX9ncaoZdO2s8zo15vBg+pz09AGfPfdUZKSc3hpcvdK55RkBxcLL9Auth2iIJJbmsfwRrcAMCRhKKtPrUEQBIxaI7nmXLSiBq1Gi8OhEBho4JknVS7uw+NW8MCI5rTvEOuuu2N8ew6lH6LYVkS/2n3wN/iz68IedqXt5uSE4wB0W9gdu6Q6+wVBoNhajE6jQ5ZlZEVGI2quuIjgGYLikB2E+4URYgxhfLvxZBVlYZVsBJuC0QgaQn1Cf/f6r/4lmU1bUnjhma4EB5uQZXUhxwVBEJAkBUEUMBfbueOOZtx/X/NydQioiwY6rarCsm1XGqNHtUKv1/DZ5wdo3DCSujVDmTd/O6++0tO9Ouodsf3vQgvqQ1BUZMVmkygpsaHVabBYHBQWWnnqyY7sPXiRRo0XYDDpaNQkmnFj1QDc2OoBxMYGMmPeFr794nZV/khREG+kyHgFfH11zJ09gJFjf1RT2ikwZHACM17ry9KlJ5g2azNoIMDPwL13NwPUBYhF3x5i58EL5FwuZtjQhvTpXRubTc1Bei4tnwsX1VEDgKBVmLBqAocvHCXfmkebuFY83uEx9Bo9dza9nWFf3kKgIRBJkXih+wsYNAayzFkoinq8XbJTYMlXlUasdrRakUvphaScy6NlqxgQ1XR8A+sN4MElYyi2FfNsl2dRUKgZXINqAdEkzG1E/ch6nC9Mc4/GSmwlah5SnHk6hapDFx2yA62o5bODn/Pujvfx1fogaGBG3+k0CG9Ag/AG7n2zLVn4G/x5sNVI1yWudMddq5bpl4qYM309rZrFcMftTZAkqVzMmyAAgoLBoGH2jL6MGPUjs+dsQtCKdGpfgw/fG4qoEZg1azM/rzlFRkYRI+9tRfv2sSz8dB/z39rBih/vJTjIRPsuH1JQZGHB3AFeH9v/OARFURRZVsjILMbfz4DV6gAB9DoNFquD8DBfSsw2Tp7IRJYV6idEEBhgcFdQWGTlckYx9er8/tf7n0BxsY1RY5by6iu9SKgfVu6lS0nNJTtb1WELC/WhVq0QsrJKOJuWr4ZVCNCscRRGo5avvz7C0uUneO65LiArNG8ag04vlpP8tjskwsPUKZ+CQlJ2EkWWYkRRJCG8Pj46daHBIdtJzEqi1F5KoCGAeuGqCm9GcQY+Oh/8Df6U2kvJMedQLbAaKGpIw+XLxfj56SvlNLhUmA4oxATEuMuySjI5m5tGkCkQf6M/PjofAgwBZJdko9fqCTAE/KHrl16UzvmCC2gEDX4GX+qH1VcT0CiS2yeXZ85DEATnyE3rHhlNfO4XGjWK4IERLXA4VD/r9h1pjBz9I98uup3Wras5RTGvbHTOXyggPb0IgKBAI/XqhVFYaOXcuTwsNgmNRqBFs2gEQeDipULsdpka8UEAXLxUiKXUQe3aIX+or178O/jHSPCiKBAdpcZ7eb5E/v4GFAV8ffS0bl29UsNAHdkE+Bu4kVBcbCMtLZ+QEBNBQUb0Og2yolCrZgi1apZ/6MPDfQkP961UR6nFTlioD21aVnOXeU5vgoKM5fYXEKgfVr9cmTt5i6ijcWSjSudwhWQAmHQmqgdWd1UGQFSUX6VjFBRiAqIrlYf7RhDuG1GpPMw3rFJZobWQImuxmwLnaqtRayTaP5po/+hy5RVHehF+ER7b1etdUGAhK6vEnc1MoxF5571dzH1rBzNf7UPr1tXcro4rQVEUYqsHVgrXCAgw0KRJVKX9q8UEuNsAivtvL7wop+5RMfCxfJmnooTnC6Fuu1GG/nq9hrAwH8Y/spR6jaN5d8EgatQIRpFBESsri1RUHHHJD4WF+RIV5Y+iKM7QlfKc06qClMspQAlUuE7lqVbqWZVK4Ra/l8dUQFDZA0qF+p1l5c7v2td5FkmW0IgaPtz7EQt3f4K/zh9ZUaeGRdYietftyewBs/DV+bpj1Kq6ry72guC8ht98d4TZMzZiCjRx913qVF6WFR4b357Hxrd3H/d7VDeX0km53lZxjyqqt6h/u471Kp54cZ312Ly4Njhkh5u65MWV4cpfeyMtSnnx5/GP6rF5UR5/RlHCLtndnE91CqpFFEQ1X4Rsd/uotKIWjaBxR/v/05AVuRI3VUFBRB2hOWSHxzRa6za8DllCclKrtBq1D/8EPHPeeuHFH8F/zrBJkszCT/azZ9c5omKDeOKRdkRG+l8zE+L39lUNX/lRhM4jYNUTgiCg11ROarz0xDJqBtegeXTzStNS4G+Lyfq9UWJVbZUVWQ1L8VjRdBm/VWuS+O7bg4RGBjD6gVY0ahRxXZgnrjq2bjtHSYmN/v3qVpque+FFVfDwsVVQTQBEoczv4cq2JAjqS+/a3/XwulQZ/u3ASIvFwVdfH6Jdm2o0ahCBXl9mu12jsIpkeFc5uMjygrs/UObr8uyb+nvZ37IiM33LDPad249DdqDT6ni++3O0q96W9KJ0Jqx4ikJLIUa9kXHtH6Jvnb58c+Qb+tftR9Oopu6of8+XtqJPyjXKchkll1qHKIjubS4DWXEf1zbXqKwiXP63vRf3Mm/LfPJLCwgyBTNn4ExiA2MRBZHlJ5fzzo73EAWRqX1foW31tqBAVKQfrVtX56vFx2jUIIJGjSL+tMqG+14IahyhKGrYuCmVrKxi+vap42a1VPUMugQD/u1n0It/Hx4Kuld2uqqCjZXLKith/PsPlKJAfFwQE5/tRlRE+XR5V0JV267UH0lSZcCX/HiMS5eKePyxDgDYJDu/nl5Ht7iudKvZDQWF+KA4ACb9OokedbpTO7g2Oy/s5I3tb9C3Tl8ifSPxM/irI6gyoRV3qMTLr/5Grx616Nq1htrOCqMsT7WOK43ArqboUe4aOI+vGVSTh9o9hENysOzkMp5YNYGf7v6RDSkbmL11Lg+1GUuoTxgvb3iFd4a8Te2Q2rRqGUOrljHk5FrR6UT39fszKHcvnKNDf3+D87oLFWLgyj+DXoP2/xNKFT9/FSJATo6ZOXO3cdtd39Gm4weqnlnzt/js8/0ALP7+KHG15xBfazbjn1iBwyHz7eIjDLvla+x2NcB0x440Ro76idSzqmzNn9Xjuh6w2STSLxUiSTIOZ/hBfp6FIbd8TYOE+bTv9hG7dp137zvu0RXUqzePuPrzmDVnKwDLfk7ktjsWM/zuxcTHv86jE1bhsMtuRd7MjBJSUvPKcVIDDP60j2tP7zq96FOnN1F+zhAFQSDPmkefur2J9o+mepDKJJAUiaOXj9L7437UnZvAR/s+AkCrVV/YkyezKCgsdZ5D4blfnmfy+snufi7cu5Dnf32BUnspT6ycQKu32tJ4QTMeXvYI2eZsAGZsmcEzayfS+u22xM6I55UNr6pxabJUSRQT1PCQHrW606dub1pXb4VBq4byrE3+hTbVW3Nfi3sJ8wth//kD/Jq8DlDvtcMhk19g+VMjNdfIy1Lq4L6RS2iQMI9m7d9jzdok9/ZLFwu5+/4fiIt7jUkvrQfg7fd306rj+6Smqs/ciJE/8vAjy//VZ8+LGwMigMmk5Zf1ydSID6Jzx3hSz+bx4L0tST1bwNJlJ5i3YDubN4zh2OEnOJOSx4K3djCgf33OnsvnwMHLAPzy62mio/z/dWUPF1SOoojinEOPGfczvbvX5Ktv72TMA60Z/fAybDaJNWuTyckxs+irO0g79TTPTlTpTDa7xNpfkxk3qg3Hjj3Dps0prFh5ipwcM6eSssnKKaHEbONUUjYXLhYiChr89f48vWIi1afHM/zr293G5Y1BC0jKSqLm7DocSj/E/AHzANCJOtYkreHbu75iap+X+Wj3QqwOG2fP5XPqVBZ2h8SFS0WcSsomN9dC91rd2HFuBznmHGRFZsWplfSo1R2TzsS03tP4+NYPWXTHF5wvOM/io4sBuFhwkUPph9j00Ea+uetrCm2FXCq6hEbUUHFB3CE7UFB4acMUYmfU4ON9nzCz7wxK7CVkFGfQulpLlp1YxuMrnqBHne6cLTgLqCMlrbZqSXBZVnBI8lUNniSpOmwTnllN7RrBfPXtXbzyfA8ee3IVeXkWAgIMLF+ZyNOPd2T37sdZ8tMxNm1O5aFRrWnZLIb5b+/kq28OY7fJvPxST+c09S89Pl78P4dTj00hIsyXju3iOHQkne7dahEfH8TefRfYvj2Nfn3qULNGEJKkcO8dzUg+nY2/v47+fevy26YU6tQO5vCRyzzxeAdEUXA7vW8EaLUaiots5OaX8sEHu1n45QEcpXaat6qGzSbRpHEEhSVWnpq4mucmdqVFs2hiYwMpLbEz4t4W9OxZG0GAzu3jSUnN5WJ6Ae++t5Mii4TdLrF951l69ajD3Jn9+fb2bwBVh+22b27n9Y3TmTNgNmOXPYS/wZ+kZ05w3w8jGL/iUT65+WMsDgvPdXuOcN9wqgfGEejjT0GBlddnbmbb5hSyimwcOJrO2x/s5JlHujN8ZFvCD0RyMP0QAUY/RFGgdUxrJEXmvd3v8eGuhcQHxZOYfZKbGg0F1MDfUS1H4af3pUuNznSp0dl9bSpOX7WiFkmRmNrrVab1msr+S/sZ+uVNfH/PYsJ9wll08Gv8jX58d+difjzxExcKLvzu9RdF4aoUO0VR0GoFHHaZnLxSNvyaxJKVJ7GX2qlTLxS9XkNRkY1RD7aiRcsYREGgbavqJCZm061rDd6cN5CBwxbxwYe7uZAykchIvxviw+rFvwu3j02jEZHdK07qip/RqMNo0HL0+GXnPgInT2Vhs0toNCL33N2MufO2sWXLOaKi/OjWtab7Qb1RoCgKNrtEYYGFb7+9k+bNykft+/mFsHb5CABuv/c7Xnp5A4f3j0eSZUymMrpQYlI2HTvGMuK+Fjz6SHu+/uYwp0/n8vKUHpXOadAY8Df4Y5ft2CQbiZmnWD5iGTpRz9Odn+ae7+/DKlnxN/hhc9gAp09P1hAaamLh+zcB8NC45dx7d1O6dKnhrrtrjS4cunwIi8PCoHqDCPUJ5fDlo3xz5BtSnzsNwC1f34pNUuvViBokJx+1Yq6CquAZwpEQngCiglFjJMgQxNm8NBKfVIn2P59Yzti2Y373+ieeyuZsWh69utVCp9dUGXQsy2C1S+Rmm1nwxlAGD6pXbruiQHCwyc2USDqdw+23NUYQBA4dSqdWfDB6QWTL1rPcNryxN0DXCxcJXnHmArWTl1+KTidSWGglv8DC44+2Z+NjqYwa/SMBgUYSk3J49ukuANSqEYzRpGXyq+uZMqk7oggOh/K3J1O5FkiSQkiIiVEjWzH64WW0b6vSltq0rs7997Vg587zfPfjUUStSFz1QLTOt8LXT8+v65KZ+KLIhbN5+PnrGTigPnaHjCIrpKUVcC4tXyXBC6qf++N9Czmbk8al4oukF19iYtdn8NH50LJaC8YtHU+jiIaczErk9ia34avz5ULBRRpEqORyi8NCenE6kiRjs9nRaETOncvnXFoB7ewSCAo6rYZetXvw7JrnKbAU8MFN76OgYNIZ0QgaHlwymiBTIBvOrKd7re4A5JbmUmwrBriqUXMxDTakbGBV4hqMooFLJZd4oOX9xAfFc1OjYaTkneHp1RPJLckh1BRC3zp9gMoMirJrL7Ni1SmefXo5a9aMon//em7hTxcEQUCSZXx9dDw0pg2vvraBNWsSEbQCCXXDeXR8e2x2B59/uo/MnBKSk3OIjw+id6/a/Lr+NM9O+pUFswcQFurLkJsWkZVt5pGH23rVPf7HoQUwmXQ8/VRnatUMJiEhFFEUCAww0rhRJHXrhPLOm4NZ/M0hJFlh5ut9adZUdYr7+et54rEOtGlbjZtvUl/QGyU63OGQ1SmxRvW3PDy2DX7+ek6dygKljBOr02kICjLhkFTJ79nTValvRQa9Xouvr46EhDDGjG5LWJiPOs3RigwZXJ/CIit6pwy6rEj46Hzw1fuSEJ7A5B4vUi9MHXnM7DuDxYe/I680j5sb3sTdLVQF3XHtHqZagMpFbRjRkNf7vI5W1KI1qLFrzzzdidq1QtDrNG4yf0JYA8a3G4+syG7FjXqhdVkwaD4bkzdRJ6wO3931HfFBNQAY2WIkIU55IZdRkxTJPXpz1SvJElpRi07U46f3Qy/q6RLWmVGtR6EoCk0im/BYh8dZdnwZoWGhjGx9P+E+4W6JIIcklXPay7L6gbtpSAKz5my+6ihRq1HFBW6/rTF6g4b9+y+AIBDo5OMOG5KARlAosUq0bhXDow+1x8dHh16v4flnu9Cje00A3nxzEJbSsuBiL/538buUqqr8Fa5Yohvxq+hS95g7ZwCx1ctI0ZKsoLkGv8vnXxzkxIksZs/q6y671hdGUqTrHp3vGllB2UjpSiOm6wFXfJvneV2oyM2c9OJ66tYLZeT9LVAUhc+/PMjcN3dw+82NmPR8V2e4xpXzvF6L8rLns+eNX/v/hYqUqol/J6VKkmR3YCqUkd81GqFcQlxRFN0PnyC4kuUqzjyif6kt1wVarcjljGI6dniXpq1j3SR4lLJEyqC+BBqNWK5v4KRCaVWjnZNrxm6XnKMPTTl6VVWUKxcVCVTflsuoyYqMJEvu+jWCxjkFK0uY7JIG8qRZue5JucBgQXSHarj2FVDrkhXZ/UC42AWSIrkDdl1Gau72eVWS4HvV6cnMAdMxaUxqwLAH7ctVl+xcZdaIGrehW/jJPmbP3EhusYP33hwCqM9O7561adAgghbNotDpqvaveUKjEcvdI9e9qHiPXAG6kqygyGWuD4dDVilrN8iswYt/D/9JEnx+voXCQgtanYbwMF930Oi1wGaTcDhkfHyqpkldD/wRZ/7fgQJLAYXWItUZ75yLyorqqws1hV5zewoKLeTllmI06ggJMbmn5564EUf3Xvw7+EdHbP8lBAUZK+mlXSv0ek2VL+jVIMkSMop7UugambmFGlH9WZ4Jif8NBBoDCTRePUWdq80V26mgBvd6lgcGGAkMqHy9XbS0q7Fa/i6oUvdqHLs6y/Ba1f8l/OcMm6IoHDyUTmpKLn4BRjp1iMXPz3DdRwySpHIwPac9GlFDVabwSpLcSdnJBBoDyglOeuLfSkyiUFlc0gUBoZIqSeKpbA4fukRgsInWLasRFuZTjpP7T0NxatXpdOVdB14f3P8O3DkPJEl2U1sEQUBWFLQa1Q+lZj1XfUQajYhWq5bJsoxO5/QjOf0gWq3GqZQquBN1uPZT/ScuCo3qG3H56xwO2e1HcZ3jz6C01MG4R1YgKBIt28XSuGE4fn4Gd/vccjwekfJ2u1zmO3Ke29Ov40pQ49mmilI6iqLw65l1JGcmY5VsaDUaBicMpnZILawOKx/v/QSzrRSjzkD/+v2oG1qXl9a/RN+6fbiv+X3IioxO1JVLplLxGriysbsMi6evzS7b3X0QBRGtRouA4D5GVtS+a8SryyW5FiLyLHmsTfyF1rGtqBta1z1ttss2Vp5cTVxQLK2rtwbg6PEMPv98PwePZzLztb48MKKF85pdmyGx2SVEDx+n3S656ygTMHA9myKgVFGuPrPFxTY+/nw/JYUWuveoTacOcdfUFi/+f8OdpepKhsT1gGo02irKyl5CT4Kyp0/Lc78rncNl5K5H/JssK9StG8pbbw4mJLhseiQIXMH3ozjbW/7cFQnXrn1dahJ79lwgN6/UKaUDdtnOlA1T8NMEkBBeH71Wh9mh5leYt30+53LPIaIhvSSdfZf28sXwLwj1DcXP4F9JJsg1uljy43EaNYpwZ62vaJA8jaBO1FXsQpXHwJXjzlzTTICX1r3ER7sX8s6wd6gbWhdFkRFFLR/u+YgJK59iYtdnaFW9FQICt93SiNtuacTUaZvco+I/M1DTe3wkRVEod7+qTuFXWZwBoKTEzpPPrOZMai51awbzxls70GpE2rWtriYb8jr7/vPQAhQUWNiy5RwHj6Rz/kIBzZtEsW1PGqPua0HvXnU4eDCdF176FckhcfttTRkzqjVr1iaxb/8lJk/qhiAInErKZtmyk4x8oCWLvz/K4EH1qVUzmPUbznDseAYTHu/IZ18cRHLIrNt8huIiK88+2YVuXWsgCAIff7qf7749BAYtwwYm8Ogj7f50pywWBykpufg1iXRyRtXp3CNPrCTx6GXCYvyZP7M/1asHIggC897YzpqVJxFNeu66tTEjH2jJ9h3n2bPnPFl5ZvbuSOHOu1szamRLZFlNALxxUyrJp3Po07s2ICApEjWCazCt11TqhZaPnP/19K+MbTuWu5vcxdKTS3l/9wcAKLJCVnE2Y396mBxzDo93fpRuNbphtdvRa7V8+tkB7r2nKfXqhiIrMh8f+JgAgz/3NLsHBYXfzvxGUk4yD7Ycydxtc9mRuhu7ZKN/Qj8e6/gYOlHL98e+xybZWXF8BcXWEh5ocz+3NR7uXkH1NHCuWLb52xdgdVgZ2nioR35SLT+fXM7eC3u5s/kdhPqGuEe/DklGcshk55iJi7+6764iXHVYSh1MnPwLrVvEcP+9LbBYHDz93Fo6toslPNyXTVtSycsrpWFCBLv2X2DMAy2x2WQOHUrnZFIWbVpUY8e+Cwy/qSFhob5s35HGiSOPA9C9z6e888Eu2rS+FcHJI/Xatv82RFBHIO+8v4sTJzLJzirh8y8PohNFtmw9x67d55nwzBpuu7Uxjzzcjk+/OMDXi49QIz6Yz788SHJyLgBr1iZzMjELPz89331/lMwMNdr98JHLLF95EoANv53hpZfXc/stjWjXOpannltDaamdvXsvsmVLKqPHtOGxce3o0jn+L3XKNTrT6zXu6dnzk9ZRv3YokyZ1p3uXWjz+5CokSWHDbykcPnyZ8eM7MP6htrRurQbMnj2Xz9PPriE02MQjj3Rk9rytbN16zk2uj4hQcyK4DKdW1JBemM6ATwbTeH5TJv86xU1l+u6OxWw8s5Fmb7ZgV9oeFg3/ElCFKT/et5AhDQZTMySeKeteQUbGZNCj0YjERPsTHu6LRiOi06ojr8/2f4bZVoKAwCf7P0UjimhFLYPqD2Ji16d5rvuzbE/bwXdOEvyGMxt4c+eb3N/qftrFt+WHYz+QXpSuxr95LIi7jNqeC3v49fSvvND9BYKNQZTaSwFIyz/HJ/s/YVz7cTSKbESBpdC9eKDRiBgM2itOPa++7q6GE+l0Il071eDlab9x6lQWb769k7zcUlo2j2Ha65tIv1zM6TO5fL/kGFpBZMNvqSz+7ijrN6WgyPDeh3vRa0Q2bT7Lli1n6dmtJhaLg1tu+5bCAiuCIpCZUew04/+5QAAvKsCdpSogwMCtNzci+XQODRvYaNu6Gjt3n2fFilM0qB/KqJGtADh/vojjRzO4586mdOkcz4aNKcTGBrJ161nuurMJPj46/P0MTl6gQkCAkZBgNQ2dyahj0vPduPWmRvTvY2f9ujMcP55BWKgvSSm5XPr0ACt+vAeT7/ULsdBoRGxWiR270ki/mE9ojD95l4vRmnSYzTYCA40cPn6ZwmIry364u+xAReHuO5vx9IROAPzw40kOHLzE/gMXeeOtbZRKqlTPV98eoG/verw5byDf3bGYvNJ8ss1ZvPDLJIK2BfJMl6d5b8/75Jbm8sHN7zFt0zS+PPglE7tMxOKwMLLVSIY0GEx0QAx70neTlVPMs8+uY/NvpymwSqxYl4TJKPLCE70Y/uAwViau4ljWCUJMQWSaMxlSfwgaUUN60WVe+mUKYb7h7Lu4l9511CTQAYYARrYYycD6AxhYfwC5pXn46X3LjdZUgVARs93Mx/s+YUTz+4gLjCOvNB8EVfL884Nf0DymOa2rtebbI4sJ0Adgl+3qFPh3cLXRkWuBQXZOaR02me79P6NF4yhW/nwfpWY7/n4G7rmjKb+sO014uA/xsUEcPpqBn6+ewf3r4++vx2DUMnxYQ9auO42sKGRlm3lw1E+0bhnD2NGt+fCjvW4JKy/++9CC6tMwGrRoRAGLxYGPjw6zxe4OwDUYyvw0oqjScBRFYeT9LVm06BANE8Lx9zfQt29dQHX6+vjoEASBggKLe2Rgt8vUqhUMQGmpWr/VJlOzVjC7towlLa2Avjd9iajAhrUjr4vPTRAF8gosOOwS7793E92710R0Br0qCrRuFcPhPeM5mZhF8/bvER8dyM9L78FqdRAVWZb+zuGQ0WgFRo1szYgRLfjsswOcTcvn1Zd7otWIGI06okVX6roGNI1qyrHMYxTbi1l+YgWf3LqQltEtmdBxAo+tfIJx7cbhozcRHRCNrMiY7SXoBAPBQUbemDsQRYFHHl3BkCH1GdC/HiajFpNBR+f4Tuy7uA8Fmb61+xDtH01KXiovb3iZb+7+ihj/GO5fMrJc7oVgU7Db+R9iCq50jWRFDcbdc3EP28/uYEfKLqb/NpOc0lwOXjjEisQVlFjNnMtJ46fDy8i35KMoCkcyjrD83p+vynkoMdux2SSCfzf8Rg2GMRg0RIf5ITh9mXaHjMmkGk+rVcLHpKPE+ezodBp0Og3mUjs+Jh0WqwNRFKhXL4xpszfxxQe3cOedTVjwxg4CA42EhppcT8Uffn68+P8JNwk+P99CqcVBSYkNq02k1GzHZpMZNjSBp55dy5IlxwgN9WHpihPcfWczBEGgcaNILDYHcxZso3eP2u78or5+er5bcozWLasxfeYWOnVWhRU1WoHt28/h46tn7a/JGH21dOoYR1ZWCYlJ2QgiPP5wO+Yt2EZmZjEx1yFPpN0uERnhS8uWMXy+6AAGg+ptjojwo369MNLTizidkgsCPPFIexZ+sg8Ag1FLYlIWm7aeJeV0Lklncnh9Wm9MJh0mk05lZEgKIcHqyyIrCgcvHaLIUsTZ/FT2XNzNlB5T8NP5EeITwooTKykwF/LbmU00i2yKn96PXHMeRc4pnV22k1uSiyAIBAYaEEURi0XCaNAREmxCQTVUnWt05P3dH5FfmsfkHi8CkFeaR4GlkJMZiRxJP8rGlA10r9UNgGJbMcXWYje7oaqFA9ciRPca3Tk+4ai7fMjXQxlSfwhjW5dX8Xh05WP46fyY2W8GUHUmeFBDYt79YDfTZmzkt9UjadOmeqXcomWr5LBqbRLz39zOd9/cwfSZWxg1ZhnPP9uFwoJSLBYHxcVWiopt7lVPc4mdkhIbCKqf2GqVKCyw0r5ddXp1qQUibPwthR+WHuPh0W0wmXTesI//EWhB/fJ17VrDmVFbJXlHR/ohiiJdu9RgyuTuzJ6xCRl4/IlO3HlbEwBCQ03cfltjFi85yoj7mrkrfenF7jz30q/s2X+B557pjMmkjvgMBg1LfjjKpp3niAz3Y9EntwKqUuyrMzZhsTvAITPtld5/yagpisocsNklNKL6Er3z5mAefnQ5z036BRQY0L8eL73Yg717LzL37e3YJRmdVmTuDJUEb9Br2HfgIi+//huSxcH7bw+hbt1Q94tRt24Y/s6gVEUBGYlFhxZx5OIxEBVe7fUqg+sPBmBO/5lM2zCdDac3Uie0FgsGLwCgTfU21AmtA0CUXyT96/VHEERkSc290KVzHNWq+Ts7JYAAXeK7sj11J3bZQfs4NWdny5gWPNx2LLM3zaVVbAse6/iYKjkEtKnWxk2IB9whIC46V9k1U3MnaESVcC8i0CW+CzWDa7oNomtk1zK6BQat0e34l5yLB5LHVM9Fgh/Qpy4vvrSO1NQ82rSpXknc0pUno7TUwbIVJ3nyiU7UrRvKqy/35Onn17DvwCUGDqxPVJQf7drFEh3lh49Jh6+vHqvVQUx0AAiqfHhcXCAtW0YTFxvIG/MHMvqRZTjMNu67vzUj7muh9t9r0/4n8KdI8K6ya11dGjtuObcPb0zvXrV+d98/u3JVXGzj4UeW89ZbgwnxmP5cK4H9y0WHSEzMZvrrvf90HVURx/8qbjTlCs/7NO21TcTFB3L/fWoc26YtqXz8+QFEBd55cxABAcY/xEL4q32sWvPNO1K7UfCPUqpcUe6yolKCBEFwf3UlSZUAAtBoRXe0vSCogb2SpK5quRojywp2u+x2DDskGZNRS06umTNnctyrnnq96D6P3SE7F6vKB+5eK0RRIDk5h9tu/YqWbWN56vEOREcHqLFmDgnFqQThGWjskGT3QpkoCuh0ImaznTMpuVhtErIko9NpywloSlJZkLELdsmO7ExHoRW07imerMjlcnXqRNX/6Jkw2UWU90zhVxXzQBAE7LIdlPLp/lyjMJchFUURjaDBITvcxHuX2sg3R75lxYmV+Gh93MbXbDfTunorHukwDpPWpFKSFDVgtqJCiUN2ICCgETUIAixfmcjXiw6wY98lpk7p5WopKFCndghjR7YmKMiELCtXNWp2u1ROnEBNaiO4YwfLji9b0S3LCq+493EFWNvtMq5EyzeSRqAXleGZxOV6LPG4DZvrxnvKOLteKFeIQ1VQt5UvE0XB7ctS61breWlSN8LCfMttc+9/jbzMK8Fo1DJ3Tn+Sk7IICDLh46MGvwqC4A4ALd/+8oHGrvHroIH16NAhFoNeg6JoKr2QVSXxvVJeUVEQq8zV6Rk8KwoiYoVrfKWXsaqVSK2orTIY17PM5VurE1KbnrV7oBf1bp+bTbIRHxxftr8AuiooVRXrBDUrWK9etbn1tqZ07VxDPVyAnj1q0bOHOjr/I6kZdbryAd8VA6rLH1+xLqHcPhWfQS/+t1BpKnq9ghe9QZBeuOh0LpkhL7yAqqeikc6paO3adQj/O9Q9rpcxqqoe11Ti7/YRuaaJgoBb2NBqlSi12NHrNRgN2t990Som4/0jMJvt2O0SRqMWvV7zt/fzz0JW5EoKui7i+58RxpRlxS32qNGUyTBVHA174cU/BRFcJHiFwkIrWVklbi0y12DO5e9wVFj5UqVhZPePa+ne4ZDJzCyhqMhajtwuin+/9phKinZlPsd97u9/OEarju8TVWM2Py8/6d73Sqgo8OgJl8+x4vV49bWNNGw4jzadPiAxMdu5740XFCoKKltBJcRr3MT4P6v260q/p4qN3pjG3Iv/LYiAc7ogsPaXZJ58ag16vcb9kLp8I64H16WoC2UKp2UPdVnZ6LHL2Lgx5S8tBPypDnm0VevhNL7v3macOf4kvTrVVBOw/AW4nNGu6+Ey6LOm92Xr1keICfd3U7m88MKLfx5aUBkBa35JZunSY6SeL2T67M0YjTpuGtKAWjWDuXixkC++OgiKQteuNencUV3VLDHb+OyLA5jNdkJCfLh5aAOsVgc/LT/JufN5/Lj8BMnJ2cTXCmHooAT0V0i/dj2xcWMKu/ZdQJFk6tQN47abGyE4V8scDgWHdPWVud+D1ergp2UnSU3LA4dM9+616NghTo1lk9VR7403RvPCi/8tuKeiFy4UcuFCAXkFpSQmZXM8MZOSEhvp6UW88+5uHHYJh13iw4/3sWXrWQA+++wA23emceFiAceOZWC1SphL7SSeyiK/wMLFS4UcP55BWlq+x5Ts73ntXdPPnNxSbHYJh11m8Q9H+fSL/e59VP/Pn61f/d/hkMnNNeOQZBx2iRlztrB//0X31NWr1OqFF/8+tKAqYTw8tg3VqwWwYkUiH34wzL3Dxk2pvPfxbkbc1wKNVmTlz8eJiw2ia5caHD+RSVZ6EVMn96JuvVD3Me8sGExeloX7RzRz80dd+Lt8MK56Bw6ox86953FIMudOZ7EryIdRI1s797qyUf09tVpXs3199XTrVpMP39uBzs/I3l3nSTqdQ6tW1a5nd7zwwou/ADdX1OFQuHixkOISOzk5Zvz9DWi1IimpuTRrEkXHdrHYbBL9vrqDFi2roSjw0os92L7jHLPmb+PokXQWvj+MJk2jsFgcFBRayMpWFyJchOW/E64R1X0jlxAXH0TbVtXIulTopnP9Hn4vgNM1hT59Oofxj63k5iH1iIkNYuum1L+9b1544cW1wUkhUF/s2NhACgstFBRY3IsH9eqGU1Jsp3eP2tx/bwsGDKhPVKQfggAxMf7cNrwxM1/vQ0ioiZ9+PokgCBiNOmJi/ElJyS8nwf13wWV0MjOL2bf/IqNGtOKeO5tx7kIRVpvDuY/iXt2VJLlciMKlS0V06f0x736w+4rncI3Yjp/IIiOjiAkTOtOqWQznLhS46/E8h+fqrBdeePHPQgTQiKryQ/9+dalWPYAuXT6kTpMFbNqSSpfOcTz6SHsaNX2TGg3nU7fhAg4cvATAbXcsplqdObRr/y4+vnoeGFFGNH70kXZ8/s1B4uNncv+YnygutgFXD7H4s1BzoCqEh/ty9x3N6NPvE9p0+YDQYBMRYar00KzZ26jVYAH7j6fz1MQ1dOvzCclJOQDERPlTkG9h0aJDVzyHy0Z16RxPQkI41aq9xpPPraFR/Qj8/VRVk7vu+YGBN39JYko2/ft/yphHflbVJ8Br5Lzw4h/EfzKv6LWgqNhKUnIOjz+5ivvuasbDD7X9t5vkhRf/afwTzIPrFmBWlXX8t0ym67xVnV+NOSsLnM3OMvPq6xvp0b3WHzZqnvVe6RxeeOHFv4frlle0Kvv6bwWhXy1TkqvMFZZRs2Ywy5fcA/xxuRzPXa52Di+88OLfQZWGzeFQJYf+ScbA340rhXMoiktiSSiXNvB6QpLUHKWuNIde2pEXXvy9qNKw/Re1q67UJ0GoLI/ze3BRqP7oau8/RQZ3LcxUJQzqWjn23HalcnV1V1Xx9TTCsqy4XQ6ih5iBa3+EiuW49f2AciKTVzq3F15cD7jfdtfDKTkUHnxoKW+9s5OybeV/bnR4ttVFgn/+xV/Zvft8lX24Wt+q2ub5Ml7terjO/dHCvTRq8Tbd+n7Cvn0XADxCRK7t3FfDlQKMXYyIituuVC4IQjmVjnL7O388t7n2r1wOGmebVAGE3z+3F15cD7gNm0oJUhOuJCVnc/58AWXbyv/c6CjfXrXBR45mkJtrqdQHl7zRlfrmuc21gHzsWAb3j/yJjMziq14P11T+1lsa8fnCWzAX2snMKvlT574SVHklhdSUPFq2e5+BNy0i/VKRe3tSUg6NW75NXNwM7rjvO/LzLADk5ZbSa8BnxMXNoHOvhaSezQfUXBFvvbWL2PhZvP9hWVzfmTM59Oz3GbF15xJbazbffn/UbXTfencX8TVmERc/i08/P+A+ZvXaJGrWm0tc/Xk0avE26zecAeD8+ULadfmQ2NgZ9B/6JRnOHLR/RyiQF/+bcBs2s9lO8ukcTiVls+iT4bw0uQeg+qZSU/NIPJXFmdRczp7No9gZm3WjIiU1jxMnMzmdkuuOn/Pz1aPTiSSfzuHsuTy31LkgCOTmlZKYmMXpM7nul8tqlSgpsZGRWUziqSzOXyxAQCA7x8yRI5dJPp3DkaOXSUzMIifXfNX2hIb60KJ5NJERfm5j51qoyMwqITExi5TUvErHpZ5Vr/vpMznu9laEIAicv1DIC5PXMfbB1ig2GXOp3dkHmbvu+57HH2lPaupz1IoP4dEnV6Ao8MDon2jRJJozZ57lkTHtuef+75FlhVlztlJSaqNnz7rk5Vrc56lZM4S1K0ZwPvkZPv3wFl5+ZQOZmcX8ui6ZlasSOXzocXbuGMePPx5n9ZokJEnhxcnrWbP8ftJOPc2g/vX57AvV6I0YtYRhgxI4e/Y5BvSpw+iHl5VJTXltmxfXAVpJUtBoBE6ezGL8hJUUW+2kJWXz2OMdeX1qH3JyzDzy2ArS0guwWBxknC9kxfIR9Ohe84ZLLAKwaVMqz7+0DllyoNVpmTO9H506xaMo8N0PRzh8MpNz5/J57KF2TJ7UnaTkHJ54ejXnTmdTqijce0dTprzYkyNHLzN12kYsdgcXLxWQdr6QlT/ey/GTmcydu4V8s53HJ65BsDp44cWe3Hd3s6u2q6TEXs44aTQix45nMv6JFWRdKsCCwKNj2jLhiY7Y7RIffrSXDz7ZC4pCcIgPS7+7i4gIvyrrjq0eyOJvbmf79jRWrT6FK3/Mnr3nMRq1jB3dhlOnstmwMQWTj5btO9IoLrbyyMPtKCiw8uNPx7icWcK+fRd56cXuADz8yApETfl8ApczikhMzOLgocsMHZRASLCJlNR84qoHERRkIijIhNFHx8FD6QwcUI/+/ery9eIjdOtaAxS47dZGnDuXj7nYxmPj23M5o5iVq5O4nFlMYmI2DRqEO8VIb6xnyov/f9C6wh5atYph19axAEx+ab07YUtkpB9rVo4AYOnSE+iNWqdRgxsp8azLyC756TiNGoQx47V+RET4lu0gKBQW2diz5SG+/+EY89/ewTNPdebxJ1fRs0dNnl1+HyUlNjp0/YjhNzcmOMhIRmYx06f1oXfv2vz880kKCi2MH9eO3j1r8/wLv/L5Z7cQGPh7iYCdp/dwmgMUFll5ePxyxo5uzYh7m3PhQgH9hy7ittuacORIOl98dZDNv44i3LMPV+m7ooBDksv55M6m5hFXLZBf151h9pwttGtTHXOxjS1bzhId4U9ycg7vf7SHyEhf2reK5UxKLm3aVCvXTs9re+BAOgve2IbOoGXEvS2wO2Rq1Ahi4Wd7eeedbdjsAvsPXKR9u+oADL+lES++vI5f1iXTqV0cvXrWZtu2c0RH+rNn70XmzttGQr0wwkJ8SEnNcxs2r9/Ni7+KcosHpaV2bHZJ1RTzUM+VZIWPP93Pjl1pdGgf6xRq/Gu6Zn8X7ru3OVabxBNPreLZZ9eQnKzSpiS7wlNPdMJul1AUhZgoX9LTi9BrRHp0q0lxsRVRKzJ4QAIZGUWYS+20almNhg0jsNkkhg1rwLChDZAkhfT0Iqw2iYuXCikutmK1Oq7aJodDxmaTkGXFne/0xIksQgJNdGgXS3GxlYAAA/171iEzo4jTZ3Lp1DEA/rGbAAD5pklEQVSe8AhfiottFBfbrkrJUhT1HHa78xx2VQE5LMyHE8lZzH9jOxOf6cwzT3UmP99C3Toh5BSW8urrG7l5WAM+eHcoZrNNTcysqH42SVazd1ltkjuT2E3DGrB54xjWrx3Jy1N/Y8vWswzoV5eXXujO5s1n0Bk0NEqIwNdHT1GRlTvv+Y5RD7Riz/aHOX4yk5de3kBYuC+XMot4bfpmRj3Ykhmv96WoyEpoiPqBuBGfKS/+XigVfr8eP+UWD3Q6DXqdxmPFzzkFuVzE+bR8Xnu1NyHBphtSz9/VnnZtq/PV57fxycKb2b3nAm++ra7uiqJAbp4ZnU6DRiNisUpERvphtUvs2XsRPz8DOlFk1ZpThEf4AwJ2u4TN5kCv12CzSdjtEhqNQGCgEVlR8Pf/P/bOOk5qo43j30mydu4Cd4e7uxUrtFQo1KDu3rfu7u7u7k5bahTaAi2lUNz9OA4597u1JPP+kd09B0qxtvvjs9zuJCOZTJ4886iDqCgHDsfO7Zw1TSEpKYLoKAeZmbHYbSpduyZTXFbDshV5REU58HoMfvhpPcnJUcTHufjll2w8NX6iouxERdl3Ot+qapmsZLSMJTrKQbs2CWiawqBBmWzdVsGN1w1n3OEdeO/9JXj8Okcc0YGt2ys4dkIXzjqzD9NnbCJ7SykDB2YEsjtpxMc6SUmKxBG41w25qNTkSKKjLR/Z4yZ25dNPz2LScd0pLK5hyOBM8vKqEKrg+GO7AnD0UZ1YunwH7drGU1RSw7nn9OHEE7rz2RerKKvw0r17aoBb+/eZGoWx/9HsEymxiEVhYTUnnvQx6zYVMufPXMoKqrjxxtFMOrHbfhzmrhHcLl1/4zR+nLmR+AgbrhgHYw610r+VV3hDblQ+v0FBQTURETZuv3UUV17/HW+/+Sc+ITj1lJ5065rMokXbqa7yhbZ1dUOld+6STOfOSYwY9QrJKVFce9UhnDS5R6MxmaaJoig88NBsPvtyBctXFbB4SS6DD2nN048exT13juGK677l4Qd/QVcU/nfJYDIyYjj66I7Mm7eVXoNeIDbOQWy0iw/ePpHk5Ka3pUVFNZx21qds2lLK1q3l9Ov3LJNO7sVtN43i9ReP5eY7p+O/zoMtysHjDx5JdLSDl54+hjvv+4WPPliEB8EdN48iPt7Fa68v5JVX/mDt5jJsNoV3Pl7Kc48djdujc8VVU7FF2PF7dC6/ZBCDBmZQUFDNJZdNZcPaPJJbxHHPnYfSu1c6Ho/O8GGt6dDzKRKjnQibwsP3HU5CQgQvPT2Bex+exZOPz0baNB6673CiohwYhiRM18LYG2jSCf7qa74nMtLGffeOxeczWLeuCJ9uUFNjJept1zaB9PToAzHeXWLNmkKKSt2YukFiYiTduqYAkLu1nPg4F1FRdioqvZSWusnKjEMI2Jhdwo5tFdhdNgYGAka63X7KyjwkJUU0GW+tvNzDmrWF+P1ms/NRG8OthPzCKqKjHbhrfNgdGl06JeN0aqxZW0hRYTURUXb69m4Rquv16ixdno/Pp2OzqfTtnd5s3DddN1kYiLjictmoqvCQnBJFu7YJKIpgwcJteNx+WmbG0qZVfOglsHJVAaUlNcQnRNCtawpSSrZuqyBncylRMU4Mw8Tr1eneNQXDgJWr8hGqwGFT6R+YJ6/XYNXqAqqrvLRoGUvbNvGhcVVV+VixKh/db5KWHk37tgmhOVmyLI+qCg8pqdF07JAYTtf4H0JDJ/jrGmSC3xtO8CHCVl3to7raR3GJm0mnfszD9x/O0Ud23CsXcjDjQGp2m+u7qXLTlBQX1zQZbCA+zrXb7mDBtvfVde9Ouw2JWJio/bewPwibFlxUn32xkrvv+QmQnHFGP448vH1gEACW1i2QgLKea8zBhqCGEOob6NZ94ILXZF2HqK0jQKlzYTt7SINuVVY/O5+PuufWHVfdvuuO1Sqv2z5s2VLOMce/h9unB4yFCZ375kvHMmxoViPviLrX3nQfjcsbjrXunNRmJ6vvatVUO43nqG7fzdcJI4y9Ac3vtwxYzzqjJ2ed0SdQLPH5/PD3stSFsReRkRHJ8kWXNXnMNHX8fv9+HlEYYewZggyDz7fvDP01u93eRLGg6fIwDkYoikb4doXxT0NmVtY+04JrF5x3HlCrBVVVFVVV0TQNVT34zDrC2LewduQSn2bDVBScf/OtapN2TGGi40ccRAbdYRw4SCRCKFRVVuL1evdJH1pmpy6AJeswdIOS0hIK8/MpLCiguKgovMX5j0FB4lc1OudsIcpdw+wO7ZFC7CxzYZMQgInBRttGYsxo0vVMDOFjLwZtDuMfChH4T1EUxh11FLrfjwhwbvKvLrTm+mho7lGmSzauX0fO5s3k79iBru/cqj6MfxeEaeJ1Ohk6azbxxcXMOPooTEVB/EXvdAUFn/Qyzf8dGUoWA7XBuHGjhAlbGAFIKfF6vUggvUULMjOzaN22DfEJibusuytoxd7a9HSKIqiqrMLv96NpGjFxcVgRBMP4r0CYJv6ICEyXE6/dTkJiYoBj+4uETah4TQ/aDhWX00ViYhI1Rg1KeDsaBlDHxALNZiM+Pp74hAQio6LZg+XWCJqm1Xc+iIuPQ1FVIiIiqXHXhOPI/NdgmJhRkaQsXIjD76dt+w6gKntE2Dz+GuK8CaTGp9GhTScqfZWoSji5dBj1oSgqUVFRJCUn43DY9wrJaeRSJSXExkbjdLnw7yPBXhgHMQwDGRWJMzEJrbIKrXVrUNW/TNhUoVLjryZmWwzJyam0btuGCk+YsIXRGEIIHE4nqqrsNT6qSV9R0wSbpmG37bUkVmH8U2CYYFPQnE6Ew0ZkVBSof115oCqAT6BpNpwuB1FOgaFFoYadQcNoAns77cBOKVd4F/ofRCiSrUQEPQfkXydsdb0OpLR0XXW9QsIIY18i/PoMI4ww/nUIE7YwwgjjX4cwYQsjjDD+dQhrB8JoHnUTmwZlYyL03+43gwylCdxZiPMw/tsQe7C2mkOYsIXRNBQBdhvYa80zJCBMwNz9AGqKULCrDjQhcNo01LB9bhjNwGeCYcp6ocP2FFr4BRpGPQSZM7cHCopg89aA7QYIw0S2aAF2Bfw7J25SWvSvyldJXvkOcivzqPD5w3ZsYTQJU5qkRqXj0lQ8xt8nbmGOLYz6EAJhgtmzO+q0H7Hffx9oKmg2RH4+xqFj8J9xKtidwZAwTTZjSnBqGl1TejJt3TdsKF2PT/eGo8WEUR8SbJqNwqp8hrUawVl9zkTVXNam4G9sS8OELYz6UBQwJPqI4ciIKER5OQDSaUddsgx12jSMQ0djdmxn7R2aJWwSm6JxXv+L6ZjUGVWoATFdeIsQRi2kNIm02Vmav5KfNkxjeJsx9EztSJXf/FsvwTBhC6MxhEB4Dcz+fUJkSAIiKgZl5UpAWO4ppklzaaUEAr9p1Tyi/aj9Muww/nkwATsQ5UpiVcFyVKHslVdfmLCF0TRUFbxWsmQ0xTIM8vst4ZnTaRE0pwI7iWoViN9AuS8cYz6MpmFKg2ibSpW3Ar/h22vx2MKELYzmYVcRldVor74K0VGI9RtRV6xCvvE6MjkZhMB/4YXsTEUvEGGFQRjNQkhQFRVFqOwtUw8IE7YwdgYB2rTpOG+9D5wuSyMAqEvXWdtQpx2zZy+MQwbvUksaRhj7E2HPgzCaRsAOSB8xAhkZYRG1oG2QlGCamEkJGMMGW9vRMFEL4yBCmLCF0TSEABNkXAz+S84DjweCQUmFglQU/FdetDd3D2GEsdcQJmxhNA/dBIeGfuxEQlqCYNxmh4r/2BMO6PDCCKM5hAlbGDuHBKNVK/SjDgefL2DeYeI//hhkfGzYLC2MgxJhwhZG81AU8JvI5Hj0yZMRNaXgsENVBfq55yGdNtDDlC2Mgw9aONpCGDtFILqH0bMbeo8eqGty0A8ZgtG2NYSjdYSxm7ACd+w/gawWaQtLf8PYGQI2aN27YD/zLLjhKpSrr0KkBnI/2sPrJ4ydQ2JJaH36/tM1aYtXrEb/y9sJCQg0TbCnQzUDb/qGXvymbML2eDeGpwjCDtb7Cn4/0mXDXl2BUxrUVJajr1mD8BqWh0IYYTQDIUDTNJKSkomLjcWQcr88p9r5J59IYoITm62uuE00oCW1yTyCQ/L6DYpLavZIeGxISYzDhiKgzONHVQKtSohUwa4F+g9OQN0AdE3MiRCCKq+BX5e1fjxh7D0ENaE2G3LgQMRjD4JhhOc6jJ1CYhG1osJC+g4czDdfTSG/2ofD4djnfWvLV6xk9pxqCkuqLZkJEomV/V1guTwgJEIEYjMIiSkhMy2awQPi9rjjQqDCB+3s9cvzgTwJih/LQ9YMBDeU1kcE/wbOFwL8PuiZvMdDCSOMMPYhZv4ykzsfeGC/9qmtWVfEyFFvc8qZ3TAMiSYkAouSmBjo0kTXTUw/CL/EppsI4eWTr1dQWnYnES7bbnYlkFJHaC4Wbt7KS/O2MLxDBjnxToZlxeE3rfiFlyzR2awaxKk6eoUfvVrHqAr8rdYxqnQMt9/6Xq2juiU7Kv18dHNnxvaIwzBlLQcYRhhhHDAYhoGqqhQWFux3O25NSoXBI7P44PUxwArASTkmNcRiko6Oir8G1O2Q7genH4jxsmxDPigadrt9F10EIHUM4UIt+4ibPtjO3aecQV6Vh9lbyjm0fQqmIbGrgkQMtCwbpfNUzHITtVpHuE1klR/Fo6N6/BheA8OtYxgmWp4k3tSIjnFit9vDhC2MMA4SBAmbFvBY2Z9SC00IqKoy8PlWUb39c7JbxPKH4adIZIEyAFHSDuMPScQaSW8Depk6cfHZeCrdiN0NYC8NEBqi6BPIfYJxPa7irm8W0T0jgbuP6oVpSmsggNutc5HqIrqrwO1RQUYgpYmmmZimRDckUlgmVlKDSLfg9Wl5lJb69+E0hRFGGHsKIQSGrtcTH+1rKyENLPmZXdbgU7bjt3soM7wUiihQdMsnsFISlW9S5VNQpYmjuALp13fTLkWCUJFFn2Buegyl652cs+BzBlQ5GXbsc0RoSm2SEMD06fS0KZS4BQO71QoZF6+CrCxIjLJ+Vxgwb5HJoAEKM1aV4vWae31ywggjjL8PVVWoqa6moLKawuJS0tPT0TR1nxK3AI8owVeO9G2iiipy8ZBLFIJqpFfiLoSYzdDZKzEF4C9A+nz11La6LqmsNPDpZsBoUyKQ2B0OYr2fYeQ8htrpdrLfnELR2h0MuOkN9GoPHqcdp6M2epLwGpT7TH6er9Oui5NX3jeYv1YlKaWIjMwIPv3ASXmZ5NKr/SxdUs78pSk8+oqPb9+L2HezFEYYYewxFFWlsrKSdRs3UV1ZiaoopKSloaqKFTSG2m2qbPDZU9QSNk8lGHlUobBDVJMnElGowfArlBWYxGxVKNbBVATeymIMvw+ECEWHfuH1PG67fSMdutsRwg/CQ1mFSr/0z3nlmt+I7HU37h9msGruGu6rPJnqS79kx/rNjBrdgU9fOB+fT0dzauA3kIZkc74HTXFy6RkK3tfgmkcKSIhIZO7XTuISoO/YarZt38ELtydzz+0qOVslwzr+rfkPI4ww9gFUVaWqspLNGzcgEERGRxMTG0tEZOQ+UypoCAGGB8pKcVe7KfdXU+yvolIpRVMq8bm9FBWbuEslxQg8qk5pSSGG6a+3E92yvZrb7mjFJRemsz7Xjao56BH9DUr+QmTLeyn8/Dv+mL4W9aJPeCgpisRIjS1FBTzw8AcAoZDAwm9g6JLc4ipytsexYbvk6vMFebYEjj82gY6xlr3d7D8See59uOQ0hZtfNmjRbR/NUBhhhPG3oCgKbrebgrx8omNi8Ho8eDweIiIj91mfGkLB9Hnwby9kbZGPvAg3Ho8Xr6hCV7ah56zFrJAYPkkpsEkB078DP2a99FimNLApJo98lM0DL+VwXPffeWLip7QYej/lX/7Ap28u4BHv9Ww9bw5mSTmZrZN5/JlOCKV+0HzpN/Hrkip/JZFR8MTLJqkpCg8f62DFu5uZI3VqpBef9DMqpob8lVlEx0Vg+sMytjDCOBghEJimiWkaFgOzH7wPNEUomLqHHdsL2JDnJ99eQ43Xg1epQlG2Y2zbiL9c4vdLSg3YrILHl4cuYhqEBvFjChuxDo20GJPHjp9F1qGPUPrhVD58bQFPGTfiw05mnJtKWyRpSQ4UJWiJWwe6id1m8t2vVdz3qCR/u874/2ncsXYOhzjfIa2nTlWVH2+kzi+ztuE56X9EH3kyhr9yn05UGGGE8c+BJhSB3+dh07ZCNm3zko8bt89nETaxHaMwCqMCdK+kxIAcFar1QgxbVIBjs/xGQUfBT2mNiyNazSO9uJiiF1/m7S9KeMm4gQrDjs1bTZVf4Kn24fHomFIiRJBjs7aihtcgwqHyzgMdKM0XLN+soFdI2t/anfwPEyjcuBG3kLidPtb4q0iz+QLeEQdmAsMII4yDD5pQBD6vl/Vbi9m4xUuR143b78crqkHsQFYoGOWg+6DMkGQLQbVRjGFr1cBV0MBv+lCVOH6c8hJPlvVgzraerNK7UW44sHur8fglpl/H7/Xj9+qYmKD46g1I+g0UBKeOi2NZNkybq/Lh04KEhNas6nQ/amkVftXAa+rEqW4O65nOszPKSWm5m4bCYYQRxr8emioEHt3Luu1F5Gz1U1Vdg9fQ0akAkYusqUapBFOHMhNyhKBGFIAwGzBJfjSHC6dwU9nift4vT6TSGQO+amK8XnyaDYdpYJrg1zQcdjuaQwNRfyuq+0z8ponHZ5IaI3j+doWUBEm1B3oMTkSQ2OgiqqrXIdj3jrVhhBHGPwOaaRgU5BXz+2ofWytbULS5jBq3F8xKIBf8+eA3MTDZjCQHgaACs6YKXbe2kVIRSOnjz8XbuOOq3gx68xikaiJMPwYmhgQTiTQlppTo0iQ6WmH2/CW4/eXouh74KLSKUznjyVU4FYGKRFUkHrdFRKVhQkhHYAU5VFWFKrfBhCGJ6LqOaUpk2KUqjDAOOAzDQEqJYez/hNlauzYxHHP8MfjlMXQFhDStSB4yEFojGF5DSgLkCWmaxEZrREbUOsCfeGw/7rrnF66+Zz4mHhA+ixsTXuuv4rMUBcKPUH0IxY/uLuXsyceiaRqxUZZJ3RPntKMG0INzEZSfNWGtJwT4dUgIM2thhHHQIegjmpycjGma+zVeovbqq69y9qmuWv+tuvoAAt9DPwJ6UKEiTXjllVdCDTkdKpee5WhwvgYEiJ8MeYrV+Svw1FTXa8eUEk0RfyGKsMAwLe4tHGgyjDAOHpimiaIorFq1iqioSPT9yLlp06fPQNf3rEObrTZ6qmlKDGNXtmQNolVKEIpAaxCF9S/7kImwUjSMMA42SClRFIW8HTuw2+2Y5v6zNdU++eTj/dZZGGGE8d/D8mXLGHLIcOy23Y3d+Peheb3e/dZZGGGE8d9BMB5bbm4umqbt14xm2v6IPx7GvoflqlL7u668se6C2p9yyEYLWVDPDS+MfzeChM1ms+33NI2heEGGIamq9qEIcDptDZK7hLG78Hh0PB4/iqoQFWlH2QemJ8FFUpdIiZ0IGpsiZn7Dj6qoKKLp+2yaljJmV3TQlCa6qWNXGxtI/1Uiqps6EolN+ftbFq/XoLrah82uEOGyoarh9fxfgmKY1kOyaVMJk075iKysB7jm+u/w+yyFgpTWItd1K/eBYdTxNTDqlh8cTuhSEhqTrpshRUTda9BDMePAMOqPXdetSL17guLiGkaNeYPu3Z/kvIumUJBf3UzftXUMo7Y82G9QEaMbjeccCBCcugEITLZX7mB1wRqW561gVcEqavw11nwgWZG/kuV5K1hbuDZUfsZnZzJ9w3R0U0c3dUxZ//4pDTTTUkoM08AwDauOtGwYl+xYwuSPJmNKE7/hRzet8hJ3CcvzVrC6YA2bSrJZlrec9cUb8BmWp0mwX93U8ZuWkfaDsx/ixmk34Tf9IYIZuk/SaDTWhmMyzFol2JdTV9O3/7O06vgEr7y6IDTXYfw3oAXzA7Rrl8CP357F40/+zqZNJbWB36REUUQ9zsM0rTJV3fO8ovsKVh7Dxm/nhtcQRPBNHiQqTdXdXXg8BlmZsXw95TRSUiJDBKy5MQUNjJsaa8N5NaVEYBGbLVvKEQpkZsQCUO4tZ/w746lyVxPjiCXaFcXTxzxFj9TuvL3obV6Z9xpe3YfHqOGsfmdyw/AbME0DVVHRFK1+5wFTn1WrC8loGUNMjCNwDQJVqA3GZIb+KkJBqXMtv27+lYdnPka5p5yC6gLaxLamU1pHHhh3Py2jW9brty5BAovo2TRbiJs0pGH13YDQNjUm6xicdGJ3TjqxOw89Mpuqal+jc8L4d6PeVlRKcLvrx1lTFMG2bRW8+c4ikJKRI9syfFgrAL75bi1LlueBbtKzdzoTju4MWAvrQJmUSSl55oU/qCzz0KZdAqdM7omiCBYu2s6Mnzfi9+skJkVy9ml9cEXY+PSLlWS2jGHwoEwAPvt8BW1aJ9CvX4u/bBtn2QJKyss9JCZaEX1V1eKuXn7tTwrzq0hrEc3Zp/dFsykIIfj62zWsWJaHI8LGiKGtGTCgJatXF1Je4WHzljK2bSnl8HGd6NE9FY9HRwh48unfsTs07rlzNKqqYJgG7RLb8cKE50mOqM1DaEqTR+c8xocnfUDPlJ68tvB1vljxOTcMvwGbaqfaX81L817Grto5svMRpEWm4/b4UBWFCy/6ittvHcmoUW3QNJWtlVvYVrGNkppSVuevYlT70Qxo2R8Al+Zi8fYlTF/zIwNaD2REm+FM7DKRiV0msqpoFQ/PeoS3T3ir3lx9tOxjtpVvIyM2g4ldJ6IoChKJbuq4NBe55bl8u+Y7xnc5moyYDObkzGHWptloio1JPU+kTXxr8ip3sL5kA16/lyVblzC07VCGZg21rj1g2+jx6ERFheXI/zWEXrFCWA9hkKsJBn7cvr2SZ5+bB6YEU/LKawuYPXszAGWlHmurICWvvbmQL75YadXdz4JCq0/r75NPziU/vwpMyaxfc3jp5fmYpkVsfH4DgWDO3FweeHgWAKvXFDL5tI/Jy6tk5sxsbrvzJ0pK3Ugp9zgmu6oqqKoIzcNLL//JpuxSMCWLl+Xx2OO/AfD73Fw+/HAZFeUeVqwqYEeeFXrpm2/XMu7It/ll1iYWL97OeRd+ybZtFTidGg6HRts2CbRrHY/DoaFpFoFcU7iGcz89n4u+uJTv1/0AgCIUnh3/LM/MeZZLvryUHZV53DP2XmuQAl6e/wobijfy2p+vc8eMuxACIlx2HA6NVq3iaN8+CYdDQ1UFc3LmcOQ7R/Ptmu9YW7CWS766lOzSbCLsUSzLW8Hbi99mXeE6Lv3qf8zN/QNTmvgMH3mV+VT7qvEZPry6F1NKHv3tcd5b8h5rC9fx2oI3uH/m/QgEhmmQGpXKrM2zOPvzc1iZvwq33828rfOYsmoKppQYUufB2Q+yvXI7a4rWcdTbR/Px8k9YVbCSC6ZcxKrCVQgRXM/KPpFxhnHwQ2v2SOChXru2iBdfn8cZp/VG1RS++WolmRmxjBjRmiPGdeCe+35C2DXWr8xj0dIdHH/8AQhlG+AQKyt9PPXC7wwZlEFqixgWz9/CypX5XHD+AA4d3ZY587ewbVsFBVvLyd5Uwr0S7rhlFC6njTMv+AJVCr7+4nQ6drQc7YUIyGWE2KOUfkIBv8/guZf+oF3reFq1T2D10jym5W3guusOYfu2CtasL2LY0CweeuiIUL2ISDujR7fl5ecmAjDq0NeZNSubqho/Uz5fzuYdVQgBU6auZOyh7bnssgE8eNj9bC7JJbssm9un34FTczC67Wh2VOygzFNG9+TuLNj2J2PajgbAb/oZmDmQu0bfybT103l0zkMUF7u596FfWLsqn2Wrizjt3E9JTHJxzQWjiOkQycAWA3ly/OM4NScT3pvIrM2zGJQ5GKfNwVXDrqR1XGuOeutoNhZv4JCsYdhVO5qioQglpFxYvGMxHy79kG/PnEp6dDor8ldw7XfXUuouJTEikZfmvsKcnN+49pBrOKrjUQDc8/O9fLv6OyZ0mYhX9/Luwvc4u+9Z2FU7vdJ78fARD5HgSuCQl4ezuXQzXZO7/q3lFMY/H40IW/BtF3zTbcwuoVePNIYPa4XPZ3LkB+3p3acF1TV+zjj7MwYOaEnXbilsXFOIw9E8ndyXMJEoCDZsLCY1JYojj+iE3aFy6NBWdOqSgqYpXHnNd5SVezhsbFuiXHZWrC6AwNbx6HEdefLpObRrk0DHjokhGSLwt7RpqqKQs7WUmCgH48Z1IC7BxcjBWXTukoKiCMaP70hcgpM//9xG78EvcPrknlx3zSFUVHgZOCADsMaX0TKW6ho/Awe0JC7Gzudfr0FTFSYe04mszHgcNjvjOx8T6vekj05h6ppv6J3emwdnPcizE55hdOvR3PPLPdz04y3MOPdHHIqDw9odhs/wU+WrJNIWSUSEjSOP6MDQgRk89tRcjhrXkS6dk2jXMZbfa6rold4Tp+bEMA1axrbAo3vx6V7aJ7andVxrfLoPl92FU3M2Oye55bm0is8ixhmDz/ATbY+iTUIbqvzVmKZB+6S2bCnPJTkyBQBD6hTXFDGs9TAGZPTHb/g5ofvx9Enrw685v9IxsSMJrgQqfVVEOiKxa+HwVQc7GiZs2RfJXEJPrZSWnM3vN/H5Tfx+S3PYqWMS1VV+Rg9vwxmn9uKIIzqSlhpF7pZyVqwq4JKLBjHhqM5syinDv4euWX8XihBICZ06JmMakhZp0Zw6uSfHHteNLp0tB9zffs9h7KFtOf2U3hQUu6motATKxcVubrx1Gi89N4GszDjuvX9mSD7oceuceNrHXH3995gBzeRf2Z7quklGRgyqphAb4+TUyT054YTudOtqETan08bYQ9tx840jOP/Mfrz3/lLAUjSUlbnRdZMlS/OYuyCXEcNb07tXOpMn96R3j3T69W7B5BN7MHiQRQDdfjde3cui7YtYU7SaQZkDURQVBRWn4sRn+IhxxOFSXWhCQzd1St0l2FXLtKLa68Hl0hg3pgOTJ/WkRUo0x47vwqTju9O6bQymDpW+SnRTZ3PZZn7dNIfBmYNRhEKVtwpTmtg1O17dG9KMWvMlQ7+llAzJHMr2ih1MXz8dVSjM3PwrawvX0iK6BRXeCrqndePp8U9x9qfnMHXNNygopMe0oEav4cQeJ3BK75MZ3uYQXDYXpjSp9FZafat2PLqnkSIijP8mNMOQqKqwZDmXfElhaQ2KEHw3bQ0P3H04Z5zem8v/N5gevZ/BFe/EhuDj906mV680jjmqE337Pk2Hbmm0yogjOXHfJWfYFYSAiAiNN189jmNP+gCfbmL6DW65fiSX/W8w553Vj5vumM5dD/5Cv+4t6NQhCUM3ufSqqbRtl8CEYzrTvn0iE054n/S0aM4/rx9Ol4ZdU3nv/SXccsMIkpMjqR8hoGkYhollRiOw2xXeffMEjjnhfW64fRrokgvPG8CddxzKCy/M58EnZyMExMY6uef2QwGIjrZz771/8Pk3q6ip8fP8E+Pp1CkJv9+oJwM1DIkQUO2v4ozPzmRd3gY8Zg03jb6JyT0mIxBcOexyzvr4XHSp0zaxLU8d8ziKUHDZnETYrPvl0BzEu+IA8Pr8aKqKK8JGZZUXw7AcmaOdUXy2/HPmbf6TUk8Zd4+9nd5pvViWv4x4V3xIgxnnjKvHsdlUG7FOS3trSpPkyCSeO+YZzv/sIq78+lq6pHTileNeRRUKTs2FR/cysvUI7jv8Hq6aejU+08f1w6/jqm+upuWDWUTbo8lMaMmP50zDpbmIc8WF+k5wJeBQLUWBlBLTlHtsuhPGPxtCHghJ/z8AHo/OuvVF3H3fTNq2juOhBw5HVZWdany3b6/khht/4MUXJhIdvedboiee/J3yCg9333noHrextxA05fhg2YfMy53H00c/daCHtEvUvUdPPfM7hgHXXj0UwzDDhrr7EUHPg+k//siJJ53M7ffcS0xcHG3bd6BNu/bEJyRgSoNom8rcrYt5Z+ErXDrkGrqldKDabzZrPL47qFczoOAMfZo7tjvnH0jszliDxxqeF3zDe706z700j9g4J3ffOcZK7mrKnZqxCAEbs0t5/vnf+X7aOqqqfIE+5G7Nq65bdmFVVT7Kyjwh8cBuXXODf7XlNFMuG9VvOK66qPHXUOIusThFaVhh3Zuo27CdnZU1HNPO2mr++pr+vn5DMW+9vZDvp63H662fCS2Mfz/qSft39dDuTtnBgL8y1oblwa1ebKyTV56f2OSx5hAb62T80Z1YsCCXiho/g/pnQJR9t/sPtj90SCY1AXtCZTdfWs35YIo6/+/s/Ea/Rf3ynqk9ibJbCXyUBvnJ6tZtahy7W7aztv7K+UJAzpZyvvpqFWnp0Ywc3ipQfpAu2DD2Og6MGnMfI+ieJIQI2Hn99TYsDspAAjZN3a02IiJs3HrzyEblzT1QhmkghAix3EHCNnZsu13WrTdWLNeiRl4EewBTWkojVVHr9T8wYwADMwbs9pig1pUMam379iaCMrSmvDrGHtqWsYe2rVcWtmn77+BfSdj+jltUEELUD6S5OzClic9nhNzQ7DYNIYS1eWoQYUMgQsSjIQzD8ifd3esQiCaJWsN+g9iZ7EIRSpO6EVOamNL8S8RTUQR2+1+bw7+C5tzkIOjHbADWy21vE9UwDm78bRlbw3MONPx+g4su/Zru3Z9k4qQPyMkpBWpdxnb32hqW7861KULB6bDhctpx2G0hzkZgcWXBT3DL9OCsh/hh/Q9IZD2ZlaoqzRK1pmRNOyp3cMU3V+AzfPXKG/Yb/DTVVtBM4tMVn3H/zAdw+90AoXEpQkFTtGblYk3Jv2b8vJEuvZ6mZ79nefPNRcCeO6LXvxdWH3/8kcstt81AEnShqj1fUQQOh4bDoQa8QPao2zD+odiljC2oYaof6aFxWXP19ze8XoMtOWXcd98R9O6TTlpaFGDJqnZ2fU2hYXndc03TeoSDHgm6qXPGZ2eycMtiNEXFbnPw5PjHGd1mFIu2L+KSKf+jtKYMm83GFcMu5aIBF7OiYCUtY1tYzu1NsEmWqUX9SB5NnefW3SzJW4qiKPWOT9swjZu/u40afw2qouI3/LRNasMT4x+nS2LnJreUWyu2sqZobcj2LChPk8hG42yqrC4GD8zky09P4803F7JydUGgzl9HY59d63txsZsVK/Ot7BlBM5iDeG2Gsf+ggfUAeb0GVVU+vF6d6GgHpeVuUpIiiYy0YxqSdRuKkKakRcsYYmOclJV70HWTpICzt99vUlbuJjbGuU+3H7uDmBgHXbun0rpVXOhBEkKQvbmUqkovDqdGxw5JgXIoLKwmP78KVVNISowgOTmSmho/fr9BdY2f8jI3LTNiiYl24PdbcrGXXp5P9uYyHn7wcECgo1Ppq+TJYx7n6E5HYUgDv2GF47nhhxu5e9ydHNH+CD5a/jHPzX2WiwZcTKwjBrvqILskG0OaZMVlYFcdeL06qqpw9rlfcPxxXZlwjEWEdOnDrbvx6X6Ka4pIj0knzmnZccU6Y6nwVJJfkUdiVCIpkSmMaTuG3y4ZzqrCVdw07Wa+PG0KCgoOmwMhBNsrdlDuKSfC7iIz1goC4FAdOFQHLs2JlJINJRtIj04nyh5FhaeCLWVbQAjaxLcm0h6J3/BT5bMMdAuqCkiJTiXRlQBAVJSdTh2TaNc2gc1byvb4fgohKC6uYfv2ChCC9u0TcDltaJpCXKyTkhI3O3aU06JFHPHxTqqqfBSX1NAqKw6Amho/RcU1tGwRHTb3+I9AAygr83DHXT+zcnUB27aV0yozjrXZxVxx8SAuuWgQjz0xh/c+XIxDU2jVJoFXXzqW337L4f6HZjNn1vlERzuYNm09r7y+gGefPppWWXH13JL2N0xT4q7xB8wlTDRNYfHiHdz/yGzKCioRLhvnnNqbU0/tRV5eFdfe8D05G4sprPZxwZl9ue6aQ/jiy9Xce98vdOicSPbaPDJaJ/PhO5NJSHQBEBvjJMJlC20ZDUNQ4a3kjy3zsCs2OiZ1pFW8pY07pvN4pq3/ERWNLWVbmNzzJMDivr5b+x3vLnyflfkrmNT7RB4d90jINc1u10hMiAj18cvGOVw29TJ6pvZk5bblpMSn8f7kd3HanBTXlHD/zAf4YcV32F1OXjr2RQZlDERTNKLsUbhsLqLsUaE5mr91Ptd8ex3l7goUReHSIZdw0YAL8Jk+op1RFLtLePjXh/lt4+88evTDdE/txtNzn+WPnHnYhI2eLXtw04gb2VqxlePfP4E+LfqyPHcpUZExvD3pTTondcaUJgIFr8/Yo62gaYIQkvz8ah5+7FeWL96GtKsMH5LF9dcOx2ZX2bixmJtu/5E5M1cTn5LEx++dxPoNRUw6/WMeu38cZ53Zh0svn0pBQTUfvDuJ2FgnEM5o9m+HApY2b2N2MROP6cw5Z/YlKTmSR+89nMpKPx98uIwZP29kw+prWLn8KpKTo3jp5T+ZPKkHcXFOfp+bi5SSH2dsZPTINrTKisMwDhxRCyK4HQnKfK698Qdat4zmkiuHMmxAJlff+D1ut59587dSUFjNLbcfytolV3DdNYcA4HRYMdpfeHI8K1deR0WFl6nfrmXe/FyeefZ3vpm2lrl/5vLMc3P55tu1YCiMa3cYK/NWcueMuznt4zNYmme5SB3V6WjyKvN44JcHWZq3hOO6HBsaZFFNEd+e/TUfnPI+P2/4mcoaN198uYpnnpnDyjX5vPfxUp55YS6LFxYQ4XBgmAa3jr6ZldetJMIWwRcrv0BBobCqgCFZg1h5/Upax7Vidvbs0FwYpqXQ0KUVuLGwuojLpl7BHWNuY/lVS3hn8lu8vuB1KrzlRDuiWZm3ihum3QRSMP+yPxjZZiRfrv6Knzb8zGWD/8eFgy7gzYVv8dPGn7BrdnRpcOngi1l53UpcmpN5ufOty6P5CLymKfH6jJ16Bkhp5aJ89Y2FrFi2g0uuGMr55/bn0SfnsHhJHi6Xjc25ZVx0bn9WrryJyAgb73+4lFEj2/DxO5P54JNl3PfgLFwOjY/en0xcnDOcpvE/AgWsbWRSQiStW8VTXeOnd680TAk1NT7WrCnkqHHt8Xp1qqq8jD+iEzZNQddNTjiuK7NmbyYnp5zt28s59NB2ASHKwSOptWkqJSVuNE1hw8YSPvpkOWvWFnDLTSMRQjBsaBYDB2bw2hsLuOiyr/l66hoAKiu8jD+6My0zY/F4dfr3aUlhURXbtleyYOE2tmytoKCwigULt7J+YzFCKtw66la+OOMzfr/kNzokd+Dp35/Fa3i5YMoFdE3pyi8X/ESL6HTO+vycgF+jziWDLsEwDby6j4TIOPx+kw0bi1mwYCul5R42bCphwcLt5OVV49arGd5qOL3SeuH2u+nbsjdl3nKqfdV0SenCid1OxGf4SHAl4LK7Gs1F8KFenr+UlnEt6JXWiypvFS2i0xnWajBbyrbi0lwUVOXze87vXD3sKsCKBFJYXYRpGkxZOYWPl37C6T1Pp2/LvlR5q+jXog8jWo3AZ/hIjEzEuRuO6IoicNjVZl+AUhLw9JCUl7vxuP188tkKPv5sOZdcPJAOHRKprPAwdnR7+vVridvtZ2C/DMrLLR/bQ0e3pWvnFG6/5SvOO7cfMTEOfD7jgL9ww9g/0KA2QKKuW9s2n9cI+F7aSU2N5IsvV3HLzaNwODR+mL6O5KRIbDaF8Ud14o67fuL7H9aRkRFHr56pmGbTUWEPFHTDxO5Qqaz0cvMNYxk9qr5tk9Opcf/dYwF44JHZXHXdd0w4pnMo8oeqCFSHxqw5m7n/8DEcM74zxx/blY8/Xs76DSXcdmtjuzUpTXZUbQ8FYixxl3JSj0kATOx6HN+tnYZA4LI5KXGXWJFsVRVdl8TFOrjh2uEAXHLpVM46szeDB1vyr+/XrgFhvTRcNhe/Zv/GhQMvwGVz4jf8VPuqibRHNtJaBk1LgqYnXVK6sb1sB+uK1zG81XByK3L5LWcud4+5h9+2/MoRncbRObkLJ74/mddPeJXuqd0B6JzamTePf6Ne2yU1JfgNP4Y0sKv2gMZyJ8QjMLSly/N5892FXHnJYNq0SWikxBGiNu+CoUsGDM7iiUePrNeUadbaprlcNn6enc25Z/ZB0xTmzs2ltNTN7XeM58WX5/NS74nY7WqYY/uPQAPrAa6o8OLzWQkwNJuC261TUeHlmquG8ufCbfTo+RROl41OXVK5+ELLUDMzM5aWGTHc/+gsPnhrkuV4LK0QQgcLpISoSDuPPjSO8y6aYsmvpGT80Z154N7D+PLL1dz36CxQICbKwakn9QQgOsbBex8uZt6SbRTvqOSooztz2Nj2+HwmEknOljK25Jbh9RkIQNEkV393Dcu2raDUU0KfjF5cMeRyHKqDyT1OZOLbxxPnjMdv+rhp5I04NAcFVYWYATMLn+GnzFNq5Tnw+lBVha3bKtiUXUrfvi1QVYVoVxTT1k3n8NeOIK86n6GtBjGh8wSK3SWUecpQAnZxld7KUG4DsDS2Ze4yFKFgmibpUWncOOIGLv/6KuzCjl2zc9XQK4hxxFDlqya7ZDMPHf4QFe4KjnxzPI8e/RAX9D+fy6ZeQecnupIckUx0RBQfnfQhCCjzlIdCdJd7yvHonl3el4pyD08/OosYl4N77h4TkoU2cQe5/tpDOP+iKXTp8jj2WBetW8byxcen4nRpfPjpMtZtLqa8oIqBQ1ox6cTu/PJLNuf/70uef3I8Yw5tx9gj3+KEyR/y3lsnEh3tCBO3/wCElFKapmRHXiXR0Q68Hh0hLMNKj8dPSkoUVVU+VqzIw5SSrl1TiYutjd5QXu5he14lXTol76Sb/YeqKh/nnj+Fu+8aQ5fOSfVicazfUExhoZVgJTk5kg7tE8nPr2LT5lLMgHS7b690XC4b73+wjM+nrOT66w9BSOjbp0XgjW9xE6Wlbvx+k5QUK0KGRLK6YDWVnioURaFrShci7dYxv+FjVcEaavw1xDlj6ZLSBbDszyLtkcQ4Yqjx11BYXUhWXBZISza1fXsl0dF2oqLsCCGYsXEGT855irsOvRPdNOiZ3oNIWyQ+w0d+VT4ZMRkIIdhRuQOn5iTeFQ+A1/BSUFVIZmxGPRu31QVrKHWXEueKpWtKVyRQ6i7Fp3tJiUpBEQrL85aTFJlEenQ65Z5yVheuQUGgqTZ6pvXAkAaFVYVkxFrhk7aWbyXGGUOMIyZ0T156eT5bcst54L7DQruCwsJqho54hfvvGcvkST12qWwqKqph/foipCKIcGr07pmOx6uzbkMxNTU+MCU9eqYTGWGjuKSG/PwqunaxYroVFVu/O3VM2ivG22HsHg6kE7wGFjvfskVgIUbXxoePibHeblFRdgYPzgqVm1KiiFqfytjY5gMLHgjU1PjYvr2ClOQIYmId2DQVU0o6tE+kQ/vEeuempkaRmhrVqA23Wyc1JYohAzNDZXW3S/Hx9WVYAkHXlPqRW4OcgU210yu9Z6M+0qPTQ98jbBG0imsVbAyAFi2iQ+0AeHUvsc5YBgRcm8AiqHbVHjLXaNguWCYcmQHCU9fmrEtK5wbXAAkBYhhEj7QeoTHEOmMZnDmo3nENLUTUgHrfvV6d0jIPBQXV+P21rlVTv1nLlTd8xzmn9dktoialJCkpgqSkrHrlTqdGz+6pDc6FxIQIEhMiQr+TEiNCZklh/DcQMtBtTjYiAkEc6+ayVOqw8TKgLDhYWHu7XSU+3sWFF3xGpx7pvPDUeFq3jkeaIBUZ0m0Ec2YGxx+SSkmL0CcmukhJjgzF9VKU+j6nQfOFhinqQhC1PpXNJTOuyz0F6zdMdFz3d6wjlhbR6YEtv4lQah3S654rpWyUnLip7ZeUstbIdidjCl5L0EWr1tm88bjr9j1r9mYuvvwrFCG49kpL22yaJseM78T4ozuF5m5XAv16a1BYqzTYn5W9K/jSqdXCBsdU9x4fLGs0jH2PEGHb2U0XovnjVnH9Y36/iaaJA7KQ7HaVd98+sVF50Few4XCD4w8VBb4cd2wXjju2S726ddF0BJGdRKBo6vxGETWa/h38e0jrQziktUUgGqadq+ed0MQ4mivbdZSP+l4Pu2q77vfDD2vPpjXX1js3qFj6K0vDMIJ1G1dSQnO0szFZowfQdcsLZXejpoTxz8Q+cYI/0Fnkg07kVtifPYvuEbSvOpjMA6S0fEqbyqV5MEJKGYontzOH9V1BbeZydR0aup6qCmg7WdU7OxbGvwd7lQIFBfBvvbPYcn85QAg6kavqnhE1+HsP4r5CcwmCD1YEw0Zp2p6lwTMDRGvOH5LpPwezv9ce1zRw2Ot/miNcwXoffWqyaHHjtsL4d6GejK02qqwlj1CUWtlGcGEGo8gG5R5mcPUhkICiwgsvzqdzx6SAUF4EHND3D5GwxmTFjSUgDwza6dVauYuAc3ljzszymggHJdxbkNJKSbs7po3BpRSUg1p2avDzLElhoWTMKGtbqqrWsZffMPniJ0lKEkgTSsph7EC47nIVodS2V9cp/vW3TY4bL+jbJ+iyVbstNUxCstBg0ITgUqqVzYa3sXsKuQefPUU9GVvts1xfPlH3Ia/75hWifnq64EBSUiKJirIfEENda0yChkItIUTTMpoGnEQ4btfehRCwu1PakGAEt6Ax0RZBqysbE8CwIYKM1oL3PjRRFMnl56i0SAahBNdB4z6SkyAysn77of6aWK5K46UUxj8ASpBj+errNZxy2ieceOrHtG79AFdc8x0Ay5bnc855U0IVzjz3c76auhqAhQu30aPfc7Tr8gTDx77G8uX5ABim5Idp62nT5Ql6DHiOH3/cANTG9N+X2LChhMEjXqFLlyc45oT32LChGIC331lMzwHP06XHUwwY/jLz5uUCcPJZn3DW+Z8D4Hb7GTL8Fd544+/FDgujFq+8ZTJgnM6GDdZcGk1kx9MDKQnuetDk0st1Dpmo036ozosvWycbJmzfJjnrCoNWvXXuuFdHKNC7h2Di4YIhfQRD+wmOOUzQr7f1gv5ltqTTEJ02Q3TOvVynuChgMuMFux38Xjj7fzrHnqVTXChxu+G4Mw06DzcYcazBnDnWeJ98weT8i3UOP0mn1SCdx54MphLcxxMXxt+CErxBbo/ON9+u5aJz+7NkydVMn7GBH6dvQPebbN1WDljbua1by6kOJCl56ZU/OWVSd36feSG/zjifrl2SAm35mf1bDov/uJTDR7fn+ZfnAbXb132BYOKT8y/6khuuHsb7H5xM984pXH3d9/j9Jqef1osP3pnEe29P4vjxnbntrhkAPPHAkaxaXcT7Hy7lvvtnMmpEG047raflTnUQuYb9U+HzQ1U17E66z/wi+OV3yacva7z2sMpzb0pKiiRx8YKvp0muOEfhizdU3p0COVtkQOwAVTWBPkzr89tcyTW3G3z8ssriaRq6X/Dgk5ZCyeEQbMiGM87XiY0SvPO8RmKS4LzLDUYNEXz4osJ5Jwv+d4OJ3yOpqoHvf5Y8d5/Kqw8ovPIRlJbKOmYkYRyM0IK7TLfbz1ln9mHsmHYIAcMGt2LjxhJSkiOJcNnx+w1sNpWYWGdIxd6/f0uefGoOpWVeTjy+G926pRClqThsGvfdM5a4WCedOiSRk1NmdbKPWPqgBjRnSxl5hZXcce9PSEXBqPJy9LHdUBTB3D+2cMFlX2H4DfCZtOmYBBJatIzmjRePZfCoV+jVPZXfZ1+40+CTYfw1XHaBwmUX1L4gmtNwApi65LYbVFJTweUSZKXC5i0SrxvOO0OhXx/BjjxJYqwlUwvKzoKf4DZ11iyTwb0EvXsKTBNOmiD4eaaJ2w2qBo+9JpkwSvD0wyqmhMpKKCmDFz4weecrQU0N9OxqyYa9brjhKoWOHQTShNjIMEH7JyC04kxTEuGyhR7o9RuLSUmJRNclNTU+bDaVygovuTll2BzW6rzoggGsWXkV44/pzITj3uX9QCZzRRH4/cFXtMRu39ecj7XSdN1EEwrL/ryclQsuY82aa3n8oSNQFLjh5mk8/fBRrFtxNbfefqilNAhc62+/5zDp2G64HDa2bCkPE7W9iA2bJN/9ZFJSYt2jnREFKSE+xpJredywowgSE0U9IbJhgM1W/8WjqvUJZlKSYPNW67uiQM5WqKi2znHY4P5rBEXlkkefNlACiqWSIsmHTyss/EFl9WyVj19VUe0WcQuO2TCtvsM4+KEFb1pkhI0fZ6xHvVMhN7uMiCgbh41pT1mFl2q3j6uv/oqScoNFf24L3ejnX5jH+uxiEmOdDB/RBnuA4BUUVOH3WYStosJLfkH1Pr2I4Ba3Y4dEjjqyIyPGvsaAgRmYfpPxR3Xm0NFtycyM5Z6HZzJ91ka+/3Yd0TFOTFPyxNO/8/mUlXz12Wl8/MkKxh75Fm+8fCzDhmUh5cFlx/ZPg2HAV99LrrvW4KN3VU6aJND15omDwyl4/h3JnGUmSxdLDjlE0KqVoKBQUh6wHtJ12L6jVi4HUFZeS9ikhGPGK3z3i8FZlxukpghWrZCcfaqCwwGbNpsMHqDw/GMqE0832JSjc+8tKhedr3DJ9QbDRgASenWEs05VKC6GoHup32/1bYZFrwc9as09AEVV0FSFNm3iefiiQcTEOoiJdfDIg+P47tuVHDGkDSce343u3SznYodDwxVho6LCy3ETu3Dayb0AuP22UbRtZ4WHHjeuA90C5yui+cCDfxdBk45HHhzHE8/8TmFJDdhMbDYrQ9G9d47l0y9X4PUaPP7wESgB+VlCoosnHzuSlJRILr6oP4rNip9vEcvwnmNPYcVTg1OPFzz9fGND2qYrWZpJVYXDxgguPdN6YU08WuBxWwsnKVHwyN0Kycm1C2nSsfU9IlqkwXMPK7z2scTngxuuVBgx1Dp+/VUqWZmCtq0E772kMn2mxNDhvNMVbHZYm22NIyLgCnzqZEGEy6qbmSF4+G6FqKimvR3COHggDMOUiiJ4461FrF1bFIjhb+GfGN5lF9HAmsWBDGX+b8U7H5i89IHkyCGSSy9RiYsVNJVUR9ctw9qLrjA47ijBEUf8PdGFKQNmGnUQtH8LnWPWNy8JjiGMvYeG0T1u29/RPcC60UVF1fj9RiAJrRqy6TKM2gTEUGuVr+tmPef4oKW/rpuoqvUW3VlS230CCX69VgWnKBbHZpoyZL4hhOW7qalWJOCgPZ6UVpJkVd0zS/kw6mPUcEG79oK+PQQu184zggH4ddiWb235JGDTggEnazlAS/ttfQ+2ZVjpQ0N2aEqgTtC0RFFqiVpdX1HDsIigplpETddr5WnBOoZRq5gI9h0mgAc/tOADfPppPTn5pO5NJgm2sng3UbkZYqXUsWrc365JQjSd6NgaR+PyutfQXN0w9gxZmYKsQDSlnRG1IKF45lEVm2bJ4II5RBta+gvRmLA0tTabc3SvW1dVQW3mWFNtN9X3/oBZRwPc3PGwN0R9hG6T06GBY2en7j4OJLcTzFgO7DTbehj7HnWJ0+5INKIia7/vbp2gR8L+lpgEuTcgkF923xGXXbUbJmqNsVenJChqX7GygKqAEe/+RjBjuaZoqIoaVgAcQAS5rT0hOuUVsHSF3KXNWN0t6f5EkHvTNGvLrCj7Rluq67B8lSS/oOmJ8Plg8TKJZ9fR2P9TqGfH5vcb+P0GXq8ecn+SUtaxSSMkgwvW8Xqt830+I1TnvAumsHxFPl6vvssUa3sbM7Nn8vScZ3j81yf5acPPjQIohrF/YRjWw7e77xe/H7w+mDtfcvJ5Bj6vVb8u0TDNwHle+HOhZNu2xjZypmm14/UFZHaycbnXZ3lGBI/5An3X7U83rPrBY0Ezk2074NX3TJ55w+Txl03WrbeCJ0isc/x6bR/BtkzZeEymWX8MUlrHDMM6lpcv6XmIzvMv1XfdCM7T1q2S484w2LpVhuY72Eddkxhdtz7BY025tv2bENqKNiWDCmoK68qd6n5XFIHD0Xirl5wcSUy0PZT4d38gqMEtrCpkdcEaqryVfLl6Cn58HNH+CEzTDG9LDwAaGs/uDHUNYDu0gZQkcNSJOl9X8K8oUFwMz79kcMxRCiccJ0KCfcv+0ApjFERdpYCjieyAug72JuzrNJX6grgAfpltcteDJieeoFBUDD/+aPDsQyodO4gm5XAyoKmt27cZGKe9gQyxrp1fRkvBtx+rtMmsZUuDRsoAbdtAZro1TtNsPN9B+VtwTP8VvYcWJAhz5+ayYOE28ourWfhHNied0o+zz+xD9uYyvvpqNVddOQSAJ56aw9AhWQwelMm2bRVcce23VFV5yciI48Zrh9OxQyKmKVm1qpDrbvuRtJQobrzqEDp3ScYw5D6LnhHkzCb1mMSkQKq7sz8/mzmb51iEDRO1qRUaxj7FjJmSGb9JrjpfkJYmmhV0B+VUDz1jMnu+pLQMnDbBsmWSn2dLTj9ZkJRk3eMVKyXf/2RyzqkKCfEQ0SCdgRCwZQtcfZdBjR+OOASuON/SFOTmSq57wMTnA6cLWibApWcrtG0ruPEeg2VrLTu4u65UyMwSTJkqKSqULN0g2bIDLpwE44+y1tHpxwkevse6mONPk0z/ySQ9XeXrqQZllTBjruXCdfe1Ct06C4qL4fJbDUqrYXAvuPNalRUrJR99bnLN5QoJ8YKSEslb75ocfaRCVSU88rJJekvBGRMsQ6agdvjDL0ze/UwiFcgtsCKaKArMnCN54BkTocFZxwpOnaTg98OnnxvUeOC7X63JvuFShcH9xb/WfVAJsskbs0u58ppviY12cO65A3jg4VksXLSdosJqPvtiRajCp1+sZO3aIgCeff4PunRK5rJLBnPCsV1JTLCsGt1eP6+8voBzz+hLQUE1Dz72K1ArTN6XKPOUceTbR9PtyR7ERcRz88ibMUwDTfmvvKsOLvw6V/LwMwaFBc27VOm6pUN/9DmTmTNNzjlZ4ehDBXYNKqskH31qUFQET71gMu9Pyfw/TX76WeJ0Cvz+xrKtdesl519lMHyA4NyTFL79UfLki9be6/o7DDplwVmTFAq2SrKzJcnJcNkNJmUlknNPVkiIgYuvNTANycJlkmtvNRjUS9CnE9zyYFDuJ6gMONQUF0k2bZUkJAgUAc+/LPlltuSMSQrCL/noI4MtWyRnX2bQvQOce5LC4iWS2x8wSEuzvDPmzrMmZuUa+G66JDkJ0tLglOMUpv9gMnNWYOIEfPWd5IVXTCYdIzhlgoLTbhkUL14meed9k+suUbjuIoXPvpRM/dZEVeGdDySfTpGccaJCQiS8+65BdbXV3r9RDB1ygpdScurJvbj+Gium/qdfrGHRou0M7J9BUmJkaKuXnBSJy2URCUURfPThUnp2S2Py5O4hKZZNVbn6qqEcOa4DVeVevvzGCnP0N+ztdhuR9kgeOeIhfLqfd5a8w2O/Ps7th97WZIKTMPY9brhS4bILFRLirN8Nt6XB7VNVpeTHH03+d6HCseMFK1bCL7MkLdMF/fsI1q03mTXHIiLpKTBiSMDYl9pglmbgxfnt9yaxkXDVJdaC06sVfvvdpKoKcrcJrrpIMHiwYO6vgvgkKCuT/DnP5KN3VNq0EowZpnD+pQa5uRDpgssuUjjjJIWtuZIvvjHQ/VaMuA++lvy+yqAoX3LZWQrHTVCoqZG0awvnna0waoRgwmEa5RWSr78xMTySW661np04l8J7H5jExwlOmij4ZabJkYcpTP3GYMQwQUKCxd0e2xK+/driSk0JmNb1jR0lOOcUBY9b8tzLlkxvU7bksx8km4tNpAF/LpKMH2dt0TNawDFHKUw8UnDckSpFRRKns3EOkH8LQqTG5zNIT4sOHZCmZeOlGyY+nxHa6tXU1Go7H7jvMNasvJqcbeWkpD/Ad9+uBaxtYWZGLIYh8foMIpz7z3PYptjokdqDfi370jOtJ39u+xPDDIz/X/hmOtjhsFtEYGcWQEEjXCFqTT5ycsGvSxITLUf476dLJk+AbdskCxdJunQKGOpqEB1ptW8POMfrOrjqmC4FNaeqCkP6wgW3mHQZaZBXCldfopBfIHA5ISg+DhoHB41801IsgllaAS6nJc+qroHjxwl++khl8U8aN12t4HRaygaX07oOwwRFs8ZvmuCoMyZFseRkZWWS889RWL8JVqw0yc6Bs09TQnJCqG1TEVaEakOvnafNudZxKWHLFskRwwVT31T55m2Vyk0a556phLwqYmOsMZnSChSwu7LPfyJC+zO7XWXd+iJ+m5vDxvUlrN1YxBNjjqCq2k9+YSUzZqznzwU7+GnaOi692MotuWx5PtU1Xg4ZnMmfo9uydEUeRx/diYoKD9VVPlRV4Hb7KSvff7roxTsWU+2tQSJZuH0hR3Y8ElVRw8qDAwDThGdfMbnhfoOvXlU56iilketSkKjFxAoyMgQffC5xRkoeesKgsBKiowSuKMGXb5pcfrHCjh3wzGuSyy61wgiVlsGvf0rskRKPD9plwZHjFD773uC9T0xatRJ89JVkcH+B1yPZtkPy2B0KcbHWi66iRtC/H6RnCp54weDYiSpz55lUeKF1aygtBczacRaXWON2eywCkxjf4JollJeDx2PJDHUdhAqHj1V44yODl94w6NpN4d1PJampgsQEywsmowXc/4RJSqogK8visrZth9wdkvVbIGo5dFkk6dpB0KmT4IefJQP6S958y2TtRit45ojhCp9+bfDNdyZtOwikDj27Wf7ZFRVQ464/pn+jbC2IUHQPl1Pjj/m53HzHDAyvzovPHkNmZiymKTn/3P7cdtt3DB3ZkRtvGh1KrvzSy3+yaMV2pMfP0BFtueJSS8Ew5tC2JCZa8raOHZNwe/zAvp3IoDnHc388z8aCTRgYnNX/TM7vdx6GaYSJ2gGAosCRYwV3PGAFkYTG8py6ARvvvE7h1sdMbn7Q5NLzFdask6BAj+6CY8YLWrQQjBwuWLTWpHVrgcMh6dxN8O1smPWnSWUNXHSS4JzTFR6/R+WmR0x0v+T0iYLLLhBUVwtckXD9vZKYaElxgWRQb3jyAZUXHlH4320m199j0qEVfPiyhlCgRzeL0wGIi4WjDrMIUZtWUNPPWtB1PQOcDhg8qFbREbTjy8wUvPCYylX3mNR8bjJhjODWa2ofiIvPV7nzSZNLz7PYNFWFOXMtX9v4dMHqXLj3CZOHbxZcfoGgoERy/R0m/ztHkNHC4tr69RbcdYvKXY+ZuKIlNgNeflwhK1MweKAgPb3+mP7NCDnBv/XOYtatK+aB+8aGDv4bNCam/HvOtGHsGaSEX+eYfPa9pLJActP1Kh3a1z5Y+7rvhuvWlPDHXMnkSw22LrFYxsICmHiynxeeVOnda98Oqrkx7U0nnYPted1dJ/gom8of+8oJvqbGz6ZNJZZBrWFis2lomjVLum5iGGbIVSroJO73G4EsPpa9m6apCGEZ8WqaghACw5CYUmLbT07wfsNvZSxHogo1rA09QBDCEmjHxgiuvUihVVbzph5BSBP8Rh2H94Bdm2EEbNwCNmrBmG5BeZphBpQIWPIvVbXKggaqSsBLoGNHQXI0HHmqQWwc5G6G0SMVunZW6uUoFaLWAV83rLaDDvjBvoNhyBvarDXlpB9s0zStOYGAjK1OXdOsjTASyppl1PYfjFoTtF/T9UD2LzUoD7f6qFsH6s/TgU4ULakVc8sGn4bnNCz/q9CCSoGjj+zI0MGZOOwqUqr1bkowN2RDNOcwXrdcVQXqflS72NRwiNODBWNGKYwZZX3fHUdt0cBYNWh2WNfoVAhLnhSEpjVtdKoqoDYwxE1KgtefUVm0WqIbkHQkjB+jYHc0TaQgYKAbHF8d49nmiMTOHOWbMw4OHrM3OLYz4+Z6wTrrnNNcnf9aRJKQuUerVnG0ahUHHFzs7J6grvtU2LzjwCHoFqSq+45T+Cvx96SEvn0EffuIRuV/dXxN2n6Jf6XlxD8SjRIm743IHHXjsR0I1CVm/8Rgmf8W/BV3qobY3dhnf+XOBrdqQZok2HNBenhJHdyo956S0grGaMnUai3F6+bXNIza4JKWzME6XzdM9ECdCce9z6JFO0LH9neEjfVF61lVsJqSmhIrxHfYgO2AwTRr7ax2B4ZhyYNmzZGMnqDj89YPAAm1RM80rXwHTUW2CMrDdL2+w7eiEBLgBJ3QQ8laAn3XHW/Qli14LChb275DsmqdJGcrbNoiWb1ekpcv6wW4rFs/2H5Q9mc0mBO9ib7D2HPUywTf0I8z6ARfN79m3e+WPKExD6/rVq6B/RY1F2v7aZgGby58k+fnvoRu+Omc1olnxz9DamQqUsiwdvQAQFF2PzaWYdZyeCmJAcd0OyG2rG40W1WFkhK45Q6dI8cpTDym1kYuqB2sy+3VjQvXFBfYXGjwpraoNTWSZ182+Xq25QnhcEB8nODkcXDTdWq9/urWD3GvDdqUsr4sL4y/Dy14AzbnlFGQX0VBcTUb1xUwYmR7+vROp6TEzcpVBQw/pBUAs3/dTOtWcWRlxVFT4+ft9xbjdvtJTIxg3GEdSEuNQtMUSkvdPP3CXJISIznqsA7EJ7j22bZQIhEINpdu5t0l7zH/srnYFTtP/v4kd/58Fy9NeDHMtR0gbMyWbNoCQ/pBVFTzTtdBJ/hf5kiWr5FszAabA7Zuk2zeAr17CqKirHPz8yWr10P3zgKns3HWKyHA7YZ3PjXx6NC/m2DYoKDnDHz4lYnXB5GRgrhIGNofkpMFU6dJNuVKkhLghCMUnBGwYpXE74W1OZLSSjhsiKB9e8GDd6k8CNxyl0GvboKTJlnUav4Ca50NDDiYb9wk2ZIrGTRAYckyicsFvy6QtMkQjBsFdodlQPv2xyb5xZaXwykTlVAU4fCWd8+gBGOlzZ6dw6GHv8HnU1axcOE2zj7/C7bklrN+fTE33DQtVOG6m37gp182AfDGWwuZOSubDZtKWLhoOzWB4JI+v8HTz/7BosU7uPeBmTz6xG8Aoe3tXkeg2cKaQiRgVyz1Urm7gpKqEgxpoIpw0MkDgdfekRx+lM7GDbXxwhrCCJgnfPej5JY7DRYtl6zfLHE5BevWS66+QWf7dslPsySbt0h+nGFy+70GNptstKUDKCqGa283+H66ZNFyyY13G3w51RKnPPC4wQefmcxbLLnjAYNHnzHw++GdjyRPv2SwcJnkrY9MbrzLGuh7n0qOPF7n17mST78yufR6A4/b2v76/FBZbSVb9gViqM39Q3L5DQYej0WU7nrI5L2PTPx+OOUCg5vvNFi4XHLnQwYvv2nl23j1TZOVqyRV1bBgoeTp5w38vv0TNOLfipBW1O5QGDggk5eeOQaHU+PwI99m1qxsevZIIzXVelWapiQ1JYqoSItwLFuWT2lxDQ/ccxjtAun2ghg5sjVXXj6EN95cxGdfrgSstHb74i0UTJXXMbEjbeJbc9jr42iX0JZVRStpE98WwzSwKWEzkAOB0yYLevdWadU6aANZ/3hwPXjckqdfNDj/DMF5Z6msWSO57CaTrAxBz26C7dsljz8vOfQQiI2CkYMFdnvTOu+p31qEYtZ31t7y6RdMvptmcvgYhak/SGZ8ppKcLnjsMYMaHaKi4NGnDN59WaF3L4UdOyQnn2NQkCdJiIdDDxU8/7BKYZ5k5AkG1dWSuHgR0vaqam0st9NPUfjme4Nly006dxJ43ZIbblGJi4PUFLjmMoVxhym8+pbJt9NMzjwFXvlAkpEJnTvC2k0w4xfJuWdIEgI+pv8qrq2hoVpThm3U+buHqGeg27dPOg6nhq6btMqKo7raZ2WZCnBaiiIQgexUAHfcNopff8vhgUdms3pVHi88O5HevdNRhOCoIzvi9VnRdWOi9lIyhZ1ACEFiRCLPjH+aaet+JMYRQ0puCturtmNTbaHoHmHsX3TvIujepXbiGz6kQVMLjwc0AW3bCrw+KC6znOATEiA1VTBjpskRowRLlklioqB/Pyv5clP3dOtWSe9An14fdGwLW3OsfsYcIhh2ooHTKYhzSl56TGHlKklmKqSlWX3bbNC1HZSWg9cDwwdbBGZ7IcRGNB+lRkrL/Wr0SIXf5krWbYQuHaFze0FFBcRFwdBBVh/xsRDthHXrTGIiJCMGKSQlQo/OCt07QkzM/vHS+LciNG1CCCorvUgJubnlzPw1myGDsxCKIC+/Er/f5Jtv1jLt+3W4Iix6mJERyykn9+SRBw8nJtbF51MszkzXTUpK3DjsKqYp8fn0pnvfy5BI4pxxnNRzMv0z+zN361zGdxqPKlQMaYRt2vYzpIS3PjDpM0Zn7lzrZdhwKxr0FY2JFSh2wbw/JQ47PPa0QXkVxMUKYuMEX30rGT5M0CpL8PsCaNfW4v7NOlvRINEcNkxh5nxJTo7V1pTvJX4hqK6S7MiTvPiQwsuPKLzzokrXLgq9eihU64LvfzRx2GHBUsn8lZY/qNcLZRWB6CAKeLz1xx/UzkIglZ8NJhytsGWL5NvvTPr2VbHbazWebo9lpPvNDEl8qqBHDwW/X5AWC2ecqHDqsYKeXQVaeIPxtxBygo+JdvDBh0v56bdsqss93HPXWHr1SsPt1hkwoCVt295H30HtGDQwE6fDmvVJJ33M7wu34BTQq28GZ53Rx2orxhEKGe50aETtB44tqJi4ZOqlfLvie1rEtuDhox5kZOsRGDIcaPJAQAhIT4Ulf0pWr4MhQ2oNduueE3RBuvEywZV3mbz2uc7kMZaZjqJBYrKlSGiRLhjUHz76RtK6tUBTJB4TLrjVJPExk4oquP5cwWUXqVx2vsLQ4w1UARMOFdxzi0JEhCAxAa643SQyUlBSCCeOhwduV3nmQYVzrzO442mdjBR49UkVu1OgaZLoqNqwR7Ex9bnOyIjacEQC6/q6dxPoqmBzoWT4YIvw2u1QUArDjrPkbyP7C+66QcHlgjefUzjhPINbnjbRvXDBZMEdN6nhJM5/AyEn+LffXcKCBVt55qnxSNk4K3qz2iwJcHAZwQa1pGEcOEgJO/Ikv/8peelFgztvUzlkqNKIsDVX968up4ZcW1NtLVwoOflSg7nfqCQlC1aslFx2jc7jD6r066s028ZfGUOw7hkXGPTtBVdfpmKaUFkJk87Uef81laQksZNn6d8jU2voBH/rPfcSExtHu/YdaF3XCd6uMi/XcoK/ZMg1dEvtQLVvLznBV9f4KSvzhLYGDRdXc5NtlR9cdyJM1A48hIAfZ0jemiK5/3aVYUOVEGe2O3X3pL/myoMC+Lg4MHV45zNJy5Yw+zdJapqgfVtRL/TQnkJKmPOHZMp3kqJiydmnqpiydrtdWFw7lqaI97+FoB0MCGlFe/VIJTba0naGJziMvYGzz1A4+wzrezBix4GAolj9t2snuPVyhe9/l/gXSjKS4In7VWLjRCjx8t/qR8Bvc01KKuC5RxTiEwLtqtZ29bTJSqPEM2HsG4SiewwbmsWwoVkAf3tbeaB9RZuCrpuBFIMHz5j+7Qi6ItUNxbMzBN2vwLLE35sawSCXdO7ZCueeXf/YXiO6Am66prahuu26XHDdFfW9dv4KpLTmxhaWue0WQtNkGBIp5V5xg9qfrlS7i4NxTP92/FUn+IY5Nvc2hLC0nHXjrjnse5eA+vXa+GgN2/X7a+Om/VUEY8SFsXsITb2qCjRNIRA3crcRlMdZDsVWxauv/Z61a4sOmOV03TEFHfhvuX0G8+ZvbTSmhsMLW3rvfexqToMmID9MMxkxwWDIRINvvjcb1W1ubTa1zuqugbrHHA4rVV2EK5AgRWm6zu700VS5TbM0oPXaDR6z1anTuKmmryNQvmy55MKrLC+Jv/qM/hfR6F0lqH2j7M7kBQWuQlieBQALFm6jstL7t4Wxe4q6Ywpew5IlOygprmk0puDXphQmYewd7GpOg0Rg0ECFVx5XcBlWvs9G7TTTVlPrrN66DN1kmHiqTsdDdNoO0TniJJ2N680m61Bbpdk+dlZel0iJJs5vakoa9S1rr7nGDfMWSKTZRMUwGiHE3LrdOoZhUl3jo7LCQ3p6DJGRdvx+k+pqH3FxTgDKyjw4nRpOp1U1O7sUv27gcGgkJ0cS4bIRE+1AUQQbNpbgitBIT43er7KtjZtK8PsMomMcocQzUVF2bDaVTdmlqKqVHlBRBNt3VBIT7SAqylKcFBRUYbdroesN4+/B4wG3F2Kimt+WBh/m+HiIjxdkptWPJltTYz3kFVWSGje0SBW4rFxBeL2wZbtECIh0QmqKZUqxbbvE6wdNE6iK1X9UFJQUw/vPqLRtI3j5TZMb7jb58HWB2yvIL7RCJTgdglYZgbFh+YIWFUtUDeKisTJLAdVu2LZDoigQHQFJiYLKSisHaHD8pgnlFVYKQlWFnK2WR0V8rAhluKqutoh7fqHElJCSJIiKtOaltByKSyVbtkFUbXbMMHYBLRia6Ispq3jgoZm0bpfAxtXbadMhjc8+OplVqwu5+dbpzJh2NgDHTf6A887uy+mn9ubrqWu46/6fkVISG+vi2cePpkePVHTT5M23FzFj9ibKy73cdfMoLrxgALpu7nNZ1/TpG3ns6d/wVnmJSojgmsuHcOjodgB88vlyFi/PY+u2Ci67aDC33DiC62+Zxvr1Rcz5+QJ25FUx4tDXuPuOMZx1Zm8Mw6wXpimMv45HnzW57xmThd8pdO+xc5OPoClEUE4F1u833jN5/U2Dlm0EazcJ+naSvP2yBgKeet7k82kSXUDf9pY2UiiCq28yWZcHmJINa+H1pxVOPkHB6YDO7SA6Fnp1FfwwzXK7+ulng5c/AgPQPZLzJgnOOE2loACuv9Ng7Rao9sCZR8P116hUVcODj5lMnyvxGjB2ANx6rcpJZ+pccYnCiBEKHo/EXQOTzjR48yWV9RslNz1gojgEiZGSh25ROWSY4KHHDJavkBR5YMtW6NYevn5fI3c7nHWpQXE1eP2SpCBhC29Dd4mQ54HNruD1Gjz/5Hhat45jwJCX+GHaetq1TQxxZ6Ypcdo17IGcBp99vpKRQ1vxwH2H44qo9QHx+Q10Q7J68RU8+fRcpny9mgsvGBBwVt832z0prSQyV177LRdd0J/WbROY8tkKbr5tBvPmtEMIKC528+dvF7Nw4XbOufALzjq9F++/eSInn/4pd9z7Mzu2VfDwA+M4aXJ3pJRhorYX0LOb4LQTBXFx1k3f1b1v6rjNDjqCd57VSEiE3iN0fvvdpGtnwa9zDM48XuXyi+rfq0/ftdbozz+b7MiTnHyCZYDr9cNzb0vi4yRffWMycqRCZAQcf6xKSktJcQn8+rvJi+9KzjgNfptjUlQouftqhXFja/vYtFGyeKnBJWeonHOaVe7XoX1bKCuXvPa2yYpVJhefpdAmE9auldz/lMmcry3j4CeeM3j6JZMhg1UiXOA14LepGn4fvPiKQWmJ5Lb7TEYPhXtuU1mxUnLhNQFhpOAfR9xkg+/N+cA3PL6nCNmxVVX5mHBMZzKzYvF6dQb0yyA/v4p2bRPQFAWfz8BuV3FF2EIC+TPP6M0rr/3JBZd8Rds2cVx84SBatIjGrmlce/Uw/H4Dp0MlNqaOz8k+gCklihCsX1+M06Xx6+85/PLbZlyK4JKLBwKWgPrKy4dQVeUjPsFJ26wEsnPKSE2N4v67xtC933P07Z3OW5O74/cbzSaqCeOvYeJRgolH1c7lzjSQhmERh6DZhy/gkF5VCScdJ4iOtcr7doLszZIxIxWOP17lmx8ky9cY9O4uuOBMBS2Qxf27H0y+/cHkzls1vN5AdncJ85dInE4YP07hf4E8nq+/ZfLqRybpLQVVVVZ2LYBhQxQWrYOX3pD8MMvksEPgqHEK7dvCkUepfPW9ZP4Sg0G9BWedqtCrh2DFKsjIsOK4/fizpHdPWLFCMrgXJCULqqph2EBBbrZphTcCTjha4NetzPZXXKZSUS6pLJOMGqFQVW0R5LCl0u4jtMwklsW+qggcDo3ffs+hc6dkdENSXFaD3a6yfl0xC/7cGuLOxo5pxycfnsyjjxzBl1+t5s23FwHWW7ekxI3NpgZs2fbtHQkqCRISIvDU6Lzx0vF8+fGpfPjhKZwd8F9VVUFUpJ2oKDubc8rJ3lJK505J2Gwqz734B3feMprYGCfTp2/EZgvHbttb+GmW5Jo7DDast+bT3Inw22azzC9ioiA10ZJTBe+tQoAw+SwH9c4dBUKF805TmPKuyumTFe57zGTBQjMQBgnmzze5/w6V9LSAP6eA6Ej46DmFD19Q+d95Cn7DcqR/5X3JfdcrTHldZfxwCASwITUN7rtRYcoHKmnJcPUtJlVVkogoweXnK3z5nsq4QwW33GuyebOkYweF2b+bpCTBoSMFP/5ikpqiMGSI4I8l4HVLoiJh4TJJzg5rXBKoqqk15/D7wekUeHTBtm0QFQkff2biC6QZ/KdxawcCoa1obLSD9z9cwp/Lt1G0o5KxYzswfHgrKip8xETbGTjwaZLSE6iu8ocW50WXfM2fS7eSGOWgVZt4Bg+yJK5lZZ4QYXC7/ZSVuffpRYhAeqD09ChuumEEXfs8Q2qLaEyfwWUXD+a8c/tRXu5h8ikfkpwaRXmlj7tvHU1yUiTnX/Il27ZV8tAD4+jePYWTz/qEF54az0mTe2CaJko4bsweQ0rYlCN58kGT3h0F7Ts0beEflLt98LHJKx9Jlq6CafMkb39j8NTtgsREwW0Pmvy82GDHVslxRwmGDFHIzpZcfrNJhd8iWIeNsqJ/uN1w6nk6vy6D5VtNtm+DC04VnHeqQnEJrM+GDh0sDkgEkrkcOgQuuMkkq5XEU2ASEWsNcuq3Jo+8KFFdEOmAE44R2GyCZcsk199t4hGW4mD8OEFcvCCxCpauAkUVjB4uuP4eE8VmhTIaP07S5wiD2GhBQiTcdIXFXZaUQVJgToJeEqoNzpgkeOh5k1c+laS5JKaPei5aYTSPkBP8u+8v5YsvVnL1NcNASgYNyAxF6MjPr2LNmnzSWsQS4bQRG+skJsbB0qV5lFV4MPwGLVrG0LlTMgDZm0tJS43C5bJRXFJDdZWPrKy4v5QqbU8QjPCxcPF2qqqsEKRt2iSQlRnLltxycnPL8OsmCfEuevZIQ5qSFasKSEuLJjnJ8nVZtiKfhHgXGS1jwuYffwPBuVu7XjLpNJ17b1fr5SVo6tytWyF7qyQq2opI6/dBn66CNz8wmbdQctH5CgowqI9A1Sxt6fJVEp9pbVu7d7S0ooYBq9ZIfBKqqyxFRKsMaJ0pyN4CLdNrtZbBvquqJKs3WP22amGVZ2YI8vJhQ7bEDMi1BvSyNLLl5bBqnUSXFofVu6sgId5SRGRvlmS2tMKWb8iWpKUIYmOs0EV/LpV4fdAmE1plWIsrv0CiqZCYKOqNSZqwYp2ktAx6dhZUVEoyM5p2oD8YUdcJ/oRgJvhYKxN8XSf4aLvKH7m1meC77k0neLdbp0WLGEYMaxU6GJzg1NSoUBTduujVK63JRtu0jg99T0yIIDHBIhr7+n4EXbj69WnR6FhWZixZmbGh31Jadnc9uqfW/hbQM/Dbam8fD/hfDCHg+ZcNnn1HcusVCkcf2TRRC54LkJEBGRmNJ72qGtpkwCED6h+LiIBB/euXBd2YenRr+ua1aVX/d7DvqCjBgN6Nz09LhbTUxm3FxsKQAY37dtitbXIQndrXEitNgyH9RL3zhbCIcVNjEgr06Fx7LKiACWPXCC2zhHgnCfEuK2KutDI6BbcMwZyjtQ+6CLDDsl6olSBhqZu05UCENQp6QFjjajxWqM2fGtwyB8dnmjJUJ4y/h0suULnovN2PKdbQ8j6YnT05EUoUaxsmzfq5QM066rO6Bq6htgKcVl2D7Z0a1NYxnq0b6YY6Zbvq2zQDW9zAOaKJthqONVjWEME+QsQuvC53C1rwAT/xhG6ceEI3AJQGvFVzD3pz5YYhUdW6x/fv3WjKGDg4Fl03Q4RP05TQuXXLVVVplIrwvwa/32iUevGvQlH+qh+mREpLrmmaQRtCwXln1s1h16CPZnRT9az4Rf3ypvBXPQt21nfda1Ya9N1cH82huT6ag9lAO/NflRHvk0zwB6vDudmMk7+1Tfj7Y5YSdN1AVZV94mkRTGYdfP3bbOo+8+g4EOYuVm5bq1+1jhVvMOl2cEymaRJM4BP8DgQCpCq7fJiD9RRFCdU1DCP023oWLM7dNM3Q9+BfRVFCnH6wryBBCR4zAg6wdccTLGs4TsMw6vURPNaw3Ho5155T97qtF4H6nyVkDVEvYfLfZXODbP57HyxlzOi2pKcfXD4gihB89MlyZs7cSGS0k7NP70OPHqkIAT/9tIkpX6/EACYf153Ro9qEEkbvLoTYtwTB4iTrL9y/Osbdga6bvPv+Ejp2SGTY0Fa7rvA3EXxoy8vLWblyJZ07d2bjxo2kpqaSlZXV6KUTfHiDROavoi4BDaLu7yABaVjesI2mxhS8Fq3O/jtY1rCt5sqbGtPuXI9pmixbtozY2FhM06SiooKePXvudjv/JtTj2IJcbDA0uBJIl2eaMrQ1MwwZkHGIetEzhACJQFMFzzz7B+3bJpCcHAkCVGX/xWazxmuGiKyqKoFrk2zKLuO+B2Zx3IROJCRF4nRqGIakrMzNXff9QrduybRqFUd0tCM0D7oefDPXxnKz3sj1y6WUlJZ6eO31hUw4piPt2ycBu+YEg+GiGrZlmLKe/EZVFX6YvoE3X52HB4H06Dz22FF07JgUqh8ck7XQg5xHUI4YEDZROye159fn1N01fi6+fCrnntknRNiaWx+7vh8yxGHs7BwhBH6/n5kzZ5KQkMCiRYvo0KEDWVlZLFiwgNLSUoYPH47T6WT+/PmkpqZSVFTE8uXLiYqKQkpJTU0NHTp0YMiQITtdb9u3b+f333/nkEMOIS0tDY/Hw4IFC+jatSsJCQlUVlaycuVKsrKyWLVqFbm5ucTGxuLxeADo168fAD6fjx49egCwcOFCYmNjad++PQUFBcyYMQO/30/37t3p168fpmkyY8YMioqK8Pl8dOnShUGDBgHw888/s23bNqKioigrK6NTp0707NmTmTNnUlxcTExMDNXV1TidTrKysvB6vfTu3ZvoaItxyM3NZf369YwaNYrly5cTFxdHTEwMq1evpkuXLv9twmY9DKFf1JZTT95U97sQTT+4KSmRREXZD8iWNEgE6pdZD/qyZXl07pjIvfccVu94bm4FLqfKS89NqFfenHzJeiM3lkPabSpffrWaUSNb7fa1W/PZuC2tCRnf3N+3sHFzGbfediiL/tzGSWd8yrtvHE/3bpYmt6kx1ZdxinrHGp4fRHSMg/UrryLCpdU7v6n1sSvU5X52dg6A0+kkKSmJiIgIYmNjSUqyXg7btm1jwYIFdO7cmczMTNasWYOiKGRmZuJwOFi+fDlCCPr3709sbOxO+5NSsm7dOqqqqli+fDlpaWn4fD5WrFhBVlYWCQkJeDweVqxYQVpaGh06dCAtLY2ZM2fStWtX0tPTSU5OZv78+RiGESJs69evp1WrVqSmpjJ16lTat29PYmIif/zxBzabjW7durFy5UoGDhyIy+Vi0aJFREVF0a1bN9q3b09MTAyzZ89m9OjRpKam4nA46Ny5Mx6PhxkzZtC/f39SUlKIjo5m9uzZVFdXc8QRR+Dz+fjhhx/o1q0biqKQkJBAVFQUkZGRpKam1uMc/0sIOcF/PXUtn362HK9h8uecjRw3qQ9PPHIEy1fk8/Qzc3ntlWMBOOeCKRx/bBeOObozixdv5+wLv6C62kfLlrE898R4evRIxTQl02dsYMJJ7xMd5eTx+8cxdmy7/eJUvnFjCSee+hFlhVW075LCO6+dQGmph/Mv/ZJ1awowVYXMzAcZe2QnHrjrMC696ht+n70JnxBktHmErFbxfP/VGcTGOnni6Tm88tIfeIFjjujCE4+OQ9NUvp66hhtvnQaGyTETuvLw/YfzxZeruOaWaZSW1jD5rE8RHj9nnNOfO289NMA91dWCWT98XoPzL57C/Lk5GJrCdVccwsUXDuDHHzdw9U0/4PHrSFMSF+1k+jdnERXlYOiwNhw3oQvHTejCppwynn72D159aSKzf83h7Au/QPp0RhzajleencCsX3OYPn0Dc+ZtoVVmLJU1foSAz94/iSlfreb+R2ehe3ViE1w8+dCRDBmSxcyZ2dxw2zS8lR6uv3E0p5/aC4Bvv1vHhx8tQ5cm837byHEn9uaRB8ftkoAvXLiQhQsXMmnSJOLj4+tpzIMI/o6IiODUU0/F5XIxfvx4nE4npmkSERFBp06dKCgoICUlhcjISGw2G6mpqaSmplJZWYmiKHTr1m2X68Pr9VJZWcmYMWOYN28ePp8PTdNwuVwhzkZRFJxOJy6Xi9RU66WxZs0aunXrFvpts9lC2z8Al8uFpmksW7aMxMRERo4cCYDb7WbDhg20adOGuLg4evbsSXR0NDt27GDr1q1069aNrKwsMjIyWLNmDX369AmNtX379gAsW7aM3r17ExVlmVyNGTOGb7/9lsLCQrZu3Up8fDxDhw4FYPTo0aHr6Nat23+XsAVVzTVuP198uYrPPzmF5588muGHvsZR4zqQEB/B5pxSwHogN28upbLCSq744st/cvKJPTjrjD7WtjOAGo+fn2dmM3/2xdz34CyefWkeY8e2A/aNE3ywzdzcCk44+SPuuXMMQwdn8OQzc7n86m955/Xj+WbK6bz33lJ+nL6et944Hrtdw+XSePPV45j5SzZPPzeXF547hrTUKGJiHCxevIO5v+fy+OPjGTmiDQ6HhqoqLFqcx1PPzOWdN09EVQU33fwjDz36K9dcNZQuXVL43+VTue7qoQwalIndroU43LrXbBgSTRN88NFSVKHwySen0rVLSmi7NnJkG3754WwUVeGhh2fTv38G8QkudN2gutobEgcM6N+SlSsLmDkrm6uv/55P3zuJVq1iueTyqTzw8Cx6dEvj86mreOS+w7jhlumcd1Yftm2rZP6C7Uw6sRvduqfg8xnMmL6Bu+77mWnfnk3/AS354euzuPjSr9m0qaT2ntb4+eLLlUz59FTuvv1Qxh75Fmee3ofezdgyBuH3+6murm6krWsKiqKEHt7gXyklHo+HVq1aUVFRQXl5eUhAH9yCe73eemU72/Zu3bqV5ORkMjMzWbduHTk5ObRp0yYkqK9dUzKkOAheh9vtrmce9Ntvv7F69WoMw6CmpobU1FQKCwvJyMgItZGWlsbatWvxer2YpklBQQFlZWWUlJSEtqLBbbSu63i9Xux2e0hxIYRA13VqamqIjIzENE2SkpLIzMxk+vTpVFVVMWFC7U4jIpxUAbDk6YDl+nT2mX04YlwHkpMjGTa4FevXF6MoEBnhwO83EEIQG+sMyVZ6907nzbcW8ezz81i5sgCf31q8DpvGvfeMJSkxgm6dkrEFubR9JGYLLraZMzfRJiuOCeM7kZQUyeQTu5OcEEFeQRUJ8S5iY504HBpJSZHExFgx4+JinSQmRmC3qaSlRhEf70IIQVZmLK4oGzfe+iPffreWbdvLA9bxZSxZsYNzL57Caed+zuZNxbTMiMHh0EhJjsRh10hIcJGUFElkpL3J8QbnvHfPdNZlF3HdjdOYv3Ab5eWWDEfTBCkpUXz15WratI7nxOO71rMLDC54RQhsNoVffslm6MBM+vVrQVJSJKed3AvTkJSWuRnSL4POnVJo3SqOw8a2ByFwOlXWrili0mkfc/LpH/Paa38ipdW+zaYSH+8iPt6Fpin4/dYDb62Pvowb14GMFrGkp0SG5Ks7w+DBg7n66qtJTEwMXPtfXwRBrq1ly5Zs2rQJn88X0go29WkKwTUyd+5cysvL2bJlC1VVVeTk5NTjIutqM4PzHDxWtw/TNBk+fDhXXHEFV199NT161LrgBYlikJgHlRx+v5+vv/6at99+m5SUFDp27BginsFPXWLaVN9Boj1ixAgqKytp27YtaWk7f7n8FxF6tZmmJDKi9kHclF1KcnIkui6pcfuw2VSqq3xszS3HZrdY3UsvHsi61Vcz9vD2HH7Um3zwwVKrUUVgBryIJRK7bf/I2lJSItm+ozL0u6TEzY78Slwuy2nfCkXUeOGbpsVB+f214agTkyJ45/UTWLH4chYs3cGwka9SVuahusZH/97pLP/zMlYvupx1a6/lzNN6h9oxDBNHIKF0c7Zwwe14nz7p/P7LhUz/7mxuuX06J5/2cWi7vm5dMVu2lPO/SwehaUpIwB8X58JmU9H9Jp9NWUX37im0bBlDdoCrBsjNLaei0ofLZUMoAsOw4uAFOT1NVbn2pmk8dt841q+8mjvuHEtQseCwqwgBsTFOkpMiQ4EMlDoKIL/fQNtNU5PS0lI2bNgQErzvSXABVVXx+Xy0bduWjRs3UlVVVU8gvjsmHkIIysrKKC8vJzc3lxkzZrB161aqq6tDHGVQu6iqKm63G5fLVc+soy7RbPgbwG63k5SURHZ2NoqioKoq2dnZRERE4HQ6cTgcXHDBBZx++uksWbKEzZs3h8YeHR2Nw+HA5XI1upa6fQWJqqZppKen06rVvtda/xMR2opGRNj46eeN3Hnfz2zJLsXuVDhsbDvKyr1UVXu54YZvKCr1s3B+bshS+uVXFrAxp5jEGAcjR7ZFCTzIBYVV+HzWm6+iwkt+YfU+vYig9nbEiDZ07JTEcSd9SNf2CSxbXcToEW1IT7W0R9XVPgoKGo/F7dbJy6uq57GQk1PGW+8uxqsbJMU66NMrnZoaP4ePbc8HHy5j8skf0b5zEhhw4Xn9ad06jrg4J336tuCaG39g2KAMBgzKZMLRnUPjCz4HQbnmr7/m8O20tdgdKv37tqS4qBrTlKxbV8hJp39Mp87J3HHfzyhCcN6ZfXF7dD77ZCnRsXZ+/20LEREaE4/pgs2m8sXXqzjvgi9IS41i/qLtXH7pYCorfGzfXoHfb7IjrxKPR6e4xE1llYesrFgefvJX5i7IZepXa3FGWLKY+fO38s0P6/js65UkJrrYllfBuWf2xePRKQzcR9OUbN9Rgc+n7/S+mKbJqlWr+PLLLznnnHPo2rVrkzK2XcHtduN2u9E0jfbt2/Pdd9/Ru3fv0HGPx7NTwhbkpBYuXEhGRgbHHnts6NiHH37Ixo0badOmDdOnT6dly5aUl5fTrl07EhIS0HUdTdOorq5G12uvt+62FKC6uhqv10uXLl1Yv349X3/9NS6Xi/z8fIYOHYrNZgttQVu3bk379u2ZMWMGZ555JmvXriUnJ4ecnBy+//57srKy6NatW2iuqqqqQpxkXVRWVuJ279sAE/9U1GpFAcOUeLw6KalR3HP3YcTGOomNdfLQ/Ycz9esVjB7dhmOO7kTPHhbra5qWGcWOvCrGH92Js06zBJ833ziCNm3jAThsbHs6dba0W8pesJXbGVwujReeGc+jT82huszNKSf14NSTeoaOjxrVhsw6/qJBjqNbt2RuvmkkMYG4cUIEuS+Jz2ewvdzDPXeNoUULi0C++PwEnn/hDysicJ1rsttVrrx8CK+8/idV5W6kuXPuxDBMDENSVeXD4bTx8APjsNlUDENy+qm9Kat0U13lw2FXkRKOndAZDZNKr86Ika254ZrhoUAFLz03gZde+gOPx89N149gzOi2rF1bRHT0UFq1iuX2W0bRqVMS557dl27dUrjlhhG88e4ivD6DB+8/rN72x+PVOffsvui6icfjR0rJiOGtycqy5i4y0sb99xxWzye4IYKyrl69evHHH380+WDuDoQQ9O3bF6fTCtXeu3dvhBBkZmaGzunSpUs9jqapNgCysrKIjo4OjUUIQe/evYmIiKBHjx7Mnz+fyspKWrZsyZAhQwIcvjW/Q4cODWlpAbp3716vjwEDBhAZGUlCQgJHHXUUCxcuRNd1Ro8eTcuWLTEMgzFjxpCQkGDN54gR5OTkANb2V9M0RowYQUVFRaO5GjFiBDExMY2uZ+DAgaEtfhj1EYru8cZbi1i3roiHHjg8dHBP3q4HEk0pJiz3rr1zDQ39Sg8GWL6tjce0P8Kw7wpLly5l/vz5dOzYkQEDBuB0OnfL/OOfjKaemf9q+KuDIrqHYUjy86vw+Q1Mw3JfqTXKNQPyGet30DhT101MaRmSBv0KhaifMDnI1e2Ph0wIa2H5dTM0prr9NjeWoLFq3XLLONck4MNfz3/UNGXAtcnidC0ZWJ1jhhmos3NfS8OQGEEBM4RcsYKyuiC/F+zDctmq32/wnoTGhBULTNOU0PWqqggR+OA2WErQDTPgoG21Eayj11EK1O27brh0v26i7SIpdlZWFjExMWRkZGCz2fb4RVlXiN+UO9TuvnAaKgPqlgW/B9tpSIga1q3rQtXcGBu21fCcIFdbV2HQVP/NEcamricMCyEn+NNP7clJk7pb+Qxs9U+yHuomKjdDrOoKmvd39vWgoWxz44La6B9BA9ag8WltuVXWnHuUogjs9p0cU3bP0tsifI3PteascbkQ7LzfBsfqzn3QGLeu+UlT42xu/PUNfcG2Gy+q+Ph44uOt7erf4f7rPtQNXZAammjsrI+miEPdsp1Z6Dcl0N/dMTZ3Tu0zsvO5bO74wcYFHkxRp0Mcm8tlC6U0+7vYn4Tsr6A5J39rC7t35H+GYdYj7HsTpmm5SNXlHOHgnW+oJTb7iqtoqt26TuxB7ih4bl37t2BZUNPYXNt1+2iuraa4uabK6/qU7srmbldt1UVDZ/y65zfF0dYNJNDwmutywnWPN7QfbNj3ru6xbOZjUhvtvOGxPcVeNUsOeiSuWVNIZmZss3ZcBwpCwLr1xaxfX4jNrtGrZxqpKVEB+7QKVqzMw5DQtXMKbVrH7RGXsS89KxoSsIOZoAWxL7dJUkoKCwtDHgp+v5+kpKRGhLTh96bGtLvcT92HvmFbdaN/NBxn3fLdJfY7k83tbnlza3hXxKjhdj+I5sZtmiaFhYVERkbi8/kwTTPErR8IhAhbUK4T/K6qSkC2Yslugtsyv9+oJwuybL8CN0oR2DSFs8+bwlOPH0mfPukgrLL99RBKaY0peEODiVl03aS8zMNJp36CTZOkpMVwyw0jSIh34fXqXPK/qWzKKSYpJZIrLxlKm9ZxoXYAFFUJbb8MQ6LrluYqOE+GIamu9rFw4XY6dU4kMSECRVGw7cKGz+83ApyX5bupqpacy5IT1r5pbTaVNWsKqar2MaB/SwAWLtqO06HRrVtK4F4Ydc6vDcFTfz6scsMwQwEOgk7tNpuKbphIs/ZtXXcd1J0PTbMijRiGiWnWPkDBtoJ1fD5rfVhl6i654qZkaE2dY12DwXfffUdKSgpOp5P169dz9tln4/P52LJlC5mZmURHR1NSUoLH46Fly5bk5+eTm5uLYRj4/X6ysrJITk5m9erVeL1eIiMjqampweFwkJKSgs1mIz4+HpvNks+Ul5dTWVlJRkYGxcXFrF+/HiklnTt3Jj4+Hp/Px7p166ipqcEwDDp06EBSUhKGYbBly5aQvLGoqIjCwkI6duzY7BZYURQ2bNhAQUEBiqKQkpJC27ZtcbvdZGdnU1FREbgXGr1790bXddatW4fH4wmNKTY2luzsbJKTk0PeHACbN28mKSmJLVu2UFlZicvlCmmEW7dujaIolJWVsXbtWgzDICoqiu7du+N2u9m0aRPV1dVIKXE4HPTq1QvDMPjiiy/o3LkzNTU1FBYWcuqppx4wB/wQYWtKrhMUNNeVNdX9rigiZG5QF0lJEURH23E49q+fWnBLWVfWFNx+2u0qq9YU0aZVLF98dmq9eoWFbnw+PyuXXFGnnmxSnhU08lXV2msLCuZjYhzcfsdPvPLSMbRIj2lUtyFMUzYpx1MUgaOJvt99fwnr1hfz2ccnA/DU03NJS43k0UeOCNyLxvPdcD6CaIqzlBI0VWkUzLG5dqRsXv4avBdNrY+doTn5VMNzwHqg4+LisNvtREZGEhsbi6ZpZGdn8/bbbzNu3DjGjBnDihUryMvLY/LkySxYsICcnBzS0tLwer3ExcURHx9PYWEhlZWVrFmzhnbt2pGYmIjb7WbLli0cdthhxMfHI4QgOzubzZs3ExMTw9SpU7Hb7djtdtavX8/EiRPx+XxMmTKF7t27U15ezoYNG5g4cSIul4tvv/2WCy+8kPLycr7++muysrLo0KFDo61ikHCvWrWKRYsWYbfbsdlsOByWOVJeXh6//PILcXFxOJ1ONE2jV69e5OXl8dVXX9GrVy8KCwvJzs5m4sSJLFq0iKSkpJD/akFBAdOnT+fII4+kpKSE7OxstmzZQseOHYmMjERKydatW/nll1+IiooKcV9SSnJzc/nll19ISUlBVVUiIyPp2bMndrs9dC8URcHr9R5QpYYWnMR587ayaPF28ourWfjHZiaf0pczTu3F5pwypk5dy+WXWX5tTz83lyGDMhk4IIMdOyq5+obvqaz0kJERx3VXHUKH9gmYpmTNmiJuvmsGaalRXHf5MDp2SsIwJeo+5NyEAK9H55Irp1K4o4JuvdK5/66x5OSUc+9DM1m0cCvl1T6OOOINBg5pxWUXD+KRJ+fw68yNbCuqYcy4N2iZEctzT44nJsbBl1+v5vXX5oNNZdQhbbjy8iFomsLiJTu45Y4fwZAcf3x3LjivPz/9vIlHn/6N7O2l/O/ab4myqRx9TBcuPH9AIwNdyx/DEuzf/9BMfv91M/YoO6ef3JsTjuvKH3/k8sSzv+P26kRF2Yl02Xj8wSNISIggKanWIDMxMYK4OEswunFjCdfdMg2/T6dd20RuvHY4LVpEU1Xl48LLvqK0oIquPdK5+/bRREU5mPbjBqqqfHz7w1pKCioZMbo911w5lC+/Wk1pqZs/l2wnf2sZF5w/iCOO6EBubjn3PzyLnK3lKKbJFZcPZdxhHfhl5ibWrC1iydI8+vdtwaJlOxg2JIvTT+lFUXENF/7vK9yVHgYOacXtN41E09Qmt0d1jVHnzp1Lx44dd8uqvl+/fiEbt5YtW6KqKjabjTZt2mCaJm63m8jIyJAPpcvlYuLEibRs2bJeO+PGjQPggw8+4JRTTgGgrKyM/Pz8kAsXECIyy5YtIyEhIeSn+emnn7Jy5Urat29PVlYWxx13HABvv/02mzdvpkePHsTFxeH3+/ntt9/Iyspi7NixOxV3/PrrrwwYMIC+ffs2OtatWzdGjRpVr8w0Tdq1axca0yuvvEJeXh79+/dn5syZjBgxAiEEGzZsID09nRYtWpCRkcHAgQP58ssvmTRpUqit2bNnk5GRwaGHHtqoj379+jFs2LB65VJKhgwZQkxMDF6v5Ut+IJUbmmlayS/Wbyzhf1dM5YH7Dufkk3tx9/2/0L1rCn6/yUefLAsRto8+Xk5cjJOBAzJ49vk/aNs6jn79WqIqCvFx1hvF4/Xz8qt/ctY5fXn3/aU8+NivvPnqcdYWR+w7J/jyci/nnP8FHTomMWZEG6ZMXcP1N03j1htHMuHozthVhSXL8zjjjD5kZMUREWnnsDHtcGoKU39YxwnHdadlyxhcLo3Vawr56qvVHDuxG5ExDlqkxaAognXrS3jmmblcdslgFOCtd5cSGWFn8KAMJhzVme1bKxl5SGs6tImnfcfkOgLo2vEGObwvv17Nxg2lnHdef7y6SZdOlgFoRkYMx03ogmZTeeudRaQkROJwaui6GTLpAELfPR6dF//f3lnHWVG9f/x9ZubWdrC77NLdKaiEoCAiKioqKmB3N6hYP/1+7a+J3Z2IRRioWAiKdEgstfR23pxzfn/Mnbt3l11CYUG9n9frwt1zZ07NzDNPP8//Rs9ujenSJROXUychwYlScNOELzhmSFuyGsXx4y953HbHNzzx2HEsWryN5174lTtvP4rKch9vvb+U0ad0Zf7CrTzy6I888fgJrI13MOG2rxg4sAVJSW5Gn9qVQMikosTPQw//SJtW6Xw+dSW//LqJbp0zefCRH+kfzhAy9Mg23P2fbxk9qispSU6mf5XLvff/wF13HMWukiFUVlYyc+ZM3G73HhG2aEddG8FgkMTERFJTU1m3bh1utzsSNSCl5L333iMuLg4pJf3796dnz56Ypolpmvj9foqLi0lKSsI0zQin9MMPP9CpUyc8Hk8kmL1Lly4RV4327duzdu1aWrduTTBoOTXbIrCta5JSRkS7I488soarSc372SJ2AwcO5JtvvmHFihWMHTs2cqzD4WD58uUsWbIEXddJTU1lzJgxCGHltAPYunUrUkqSkpKIj4/HNE127NhBVlYWW7dupVmzZhFXk+LiYnw+H8FgEF3XKS4upqKigq5du0achaWUkb2YP38+CxYsQAhBdnY2J598Mpqm0bJlyxrr+LNO2fsCkUrwCsWZp3fnlglHAPDJZ6v5/ffN9O3TlIxG8ZHNzsiIxxPO0yWlYsqUpfTp1ZSTT+5U3amuc+3Vh3P8cR0IVIX45PMVAPwFf7tdwp7bd9/lUlBQyZQPrTdu23aNePzJ2QRCJqNO6oQZlJSV+hgXjpBQSjF8WFuyGiWwYNE2LrvkUOyXTLzHQd7WMl59eyHTPjqL5FSLK9iwvph3pyxl9cYihCZYOCePHj0aM3ZMdy65oA/Tp67itJM607Xb7gOTPW6DX+bloTsELz57cqS9adNkxpzRnWVLd3D88A5ceknfSOJIIXa2zDmdOj5/iGnvruDpSScyZEhrAPLzK5nx9WrmzssjIcXNxpX5dOyeDYDbpXPKqM6cd461F6ed1o3kZDcCuPbqAVx0/iHkbSrjs+krCQVNUlI9LFi0lcnvzseZHMfCBVup8gbxuB0MO6o1ffs2obTcz8Xn9WHKJ8vIyyvhs+krmbdoM554J2uWbGPYiI4Rol7bM8B+aDMyMrj99tsjYteeXPva/dgPYXZ2NuvXr49EENjH9urVi3bt2gGQkpKCENUZb+3vtpgFViLHkpIScnNzIxxbMBiMKNJt8TkYDGIYBkVFRTz11FP4/X6OOuoomjZtimmalJaWRkRAwzAi6chrw27r3LkzGRkZLF26lMcee4x27doxcuRIgsEgmZmZdOvWjbi4uIjobhgGmzdvZtKkSfj9fo477jjS09NRSpGdnc2aNWtwu914vd7IC8E2atj/a5oWCRera36hUIgmTZrQo0ePiBhe20/vYEBEKRPwmzTJqU7lbS80FJKRzB5gZQGxb6UH7juGO28/iieemUNWk/t57aVTGTGiPUIIWrRIxTQl/oBJnKeWY9x+gt9v1gjk13UNl1PH7w9hmorSMj+BoMQ0q03dQkBhURUhU7J9ewWZmfFomqB5ixRmTj+PjRtKOPP8DyncUcFPsy5h89ZSBvdvzjtvnYHQIDHOieGwFOXbd1Ti9YWoqgrucp62fmv4Me1YMqQNv8zJo23Xxzh6cBuefepEhIAd+ZU8/sRsbrv9yGpH6bDDrX0tAoFQRA/61BPHU1Hu596Hf2DMuR8w45NzSE51k5Lk4t03TycnJwmHoUV8D0MhRXZWAqGQ5Z5il1cMBEyaNU1GKUVxURVul4PkZA9vvbOIb2bmMm36hRQUejlj3HvhYGwNt9ugvCJAQpwDXyCEVLB5Szktmicz+d0zSUx04XLqOF1GhEur7/4XQtRQcu8OdT1IQlipfrKzs8nNzWXFihW0bds28gJs2rRpnZxe7f4s44+DLVu20KVLF1avXh3hgEKhEEVFRZHjt23bRmpqakQfNWrUKGbPns2CBQvo2rVrRB94/PHH8+OPP+J0OunYseMuRVEhBJmZmQwZMoSuXbvy5ptvkp+fj67rJCQk0KFDhxrHh0IhGjduzCmnnMIXX3zB/Pnzad++PYZhRLIBu1wu3G53JCOIpQd1RYL/AdLS0iKEODvbehHav0kpSUlJoU2bNjvN92Dyq4vMxOnQyc0tYu68Tbzz7mJWrNrB0UPbEBfvZNuOcn74YS0P/e8nZn6xMqLwXrEinxUr8zl6cCsGD27F/IVbACgr91NZEUDXNXy+ICVlvv26CPvGGDKkDaUVfh6b9Atz5mzk1dfn43AaNG2SjK4LgkGT8nJ/jWIrtnW3rMyPplX7iJWXB1iwcCuFJV5uvLofpqnYtKmMgf1bUlLi48svVrFxYwmLl+3A6w0hhCA11U2zZkl8+MkK5szZyJrcop04E6gut7ZtWzmLl2wjLt7BdVf0Z9WqfAIBk+JiLzeOn0HTlsnsKKhkzq95VFQE6NAunYWLtvHtd2v5efZG/lidz7BwAs9ly3ewKreQUSM7cUivHOYt2Eyb1mnkZCfx9juLyF1bxPIVO9gRDmSvqgpSWuqLOPHaFtWqqiAlpb4w52OlPgoGTQoKq9hRWMmGDcV8/PEy/lhZgMBKLFBeHiAQMCkp9REMSEpLffTunUNigot33l1E7roilizfQXFxVY3119wTqzE/P5/777+fadOm/en7wc6PpmkaLVq0iGT1EEIQCATYsGEDmzZtYuPGjZSUlNQ41+/318joUVFRwR9//BGxKq5fv57s7GyaN2/OihUr2LBhA+vWrWPdunV06NAhbAkOkJiYyJAhQygrK2PevHnhva2iVatWDBgwgB9++IHc3Nydog5s2O4TGzduZPPmzWzevJmkpCQSExMj4uPKlSvJy8sjLy8PKWVEnE5OTuaYY45h8+bNLF26FICmTZtSVlbGzz//TKtWrSKc7Y4dO9iwYQMlJSVs3LiRwsJC4uLi6N27NzNnzmTdunXk5eWxdevWiKU8Pz+fNWvWkJeXx5YtW/Yo115DI5Ldw+Mx+OmXDWydMAPTF+TpJ0fSvHkyUirOO6c3N9zwKQMGt+eGGweR09ji7J548hfmLdmC8ocYMKgVV1/ZD4DBR7QgLc1Sardpk0b/iubAvtet2bDEM8jIiOO1l0Zx/mWf8NZr8zhiSFuefuKEiMN869apDOjfPOo8W/yJZ/ARLSNWRSHCyvibv6Tc60f5Q4y/YRCtw4H9j/xvBDfcOB3NrWMIjWceH0n37lnExTm46srDufamaXz79SrOGNuDm64bGOYOo7N7WKmJZs5cy5PP/YIpFQkJLh59cAQul86cOdvZXlBJbl4xn89Yidul8/yTJzH61K6sWlPAhFu/AKW44/ah9OvXnMrKAPc/+CMr1+YjvSGOPb4D555tiZhvvT6aced/yIxv16CCkqsuP5zzz+1tGXnCHCtUv227dcuKGCSSU9wMG9IWocGY07uxZOk2Lr74I44Z0YnLLzqU5GQ3Xbpk4nDo5DRJ5NBDm5LVOJ6ePbPJzIjj9ZdP4YxzPuDDz5ZjhhR33XokJ47siFISUY9eIjMzk8zMzJ0Izt4gKSkpou9p0aIFffr0iUggWVlZzJ8/nw0bNuD3++nVqxf9+/ePcE4tW7aMiKWGYdCkSRNcLhdxcXHk5OSwdu1aPB4Pbdu2paKigqlTp2IYBsOHD6d58+YUFRXRpk0bQqEQCQkJDBw4kOLiYvx+P61bt8bn89G2bVsqKyuZN28eWVlZkZoN1VKExXHOnTuXDRs24HA4MAwjklU4ISEBwzCYNWtW2FrtZOzYsSQmJtKiRQsCgQBpaWn069ePwsJC61omJ9O+fXuKiooiAfyapvHzzz+zY8cOEhIS+PzzzyP70a9fPyorK/nyyy+RUpKZmcnJJ58c4ea++eYbABITEznttNNwOg8yn1U7CP61NxawalUB9/23uh5AfQrevxP2ZSC//RI4UHtS1/X4uyUqqAv2GsrKyli2bBnr1q2jV69edOrUafcnHyDsyrL7Z8492LAv5lg7CP62eoLgE5w6c/MW8ObvL3D5vg6Cr6wKsnZtMYGAiWlKHE4jUlAkFJKRUCGoDtYOBs1IpWpNI+KAGQxKDEOEnSgt9rWhMk3YweDRTqfRv9UVBG+nKLITOtboB2t9tvOs/VswKCPH2k6vkd9C1UHwu1q3aUpCdqUoqoPaa4wd/s0eIxSSVgUrwIgKsq95LUTEMTjiWBvuyz7Hdsau7c9mBcZXV7mynbPt71IqNF2D8DWNjru19X32Httjh7fQcurdhbuPUorKykp69+5Nx44d6z1ud6gdrhQdsL63Aef28bbxIdp5OLqv6Jqkdo3Pusaufe6ufPZqz7X2GNGw51ffumuvxUZty2W0MaH2+NF7UHvsgw2G/UAeN7wdh/VtitOpo1RND3EjSukcjfqCxKO97euqwrQ/sbsA9boiIOpq310/9Tme1udcWxfqc27d1diGodUZB1fftdgbB10IO+hGnWv3G/29Zj/RynZR4//6xq5rjmCJS0cffTTw11L91A77ie5nbwPOdxXcXldfuzpmb+axq2Pqc2Le1brr629vAv93NfbBhoi7R6tWqbRqZemQDnIuOYZ/KGxuoK54yxhi2BvUqHlgizh7ikDAxOcL1UipDZbo6vUG96jYx/6EUgdXKpUYdg2bG4gRtRj+KiJ3kKZZVY9MU0Y83G2aYAV9y4iOxcZtd86kdesH6TPgOVauzI+0P/Pcr7Tv+hjN2/+P72atBdiJ+O0vKGUlQQyFJP+9/zuuunZqZHx7DbYOLhpWMHdUmwmUA3W5pKnw7yZWzpW62u1PdH/2xx5Ghj+1+yoDqqLOLQV8UefU1X99c4oeIxT+7qvVP0Bl+BNDDP8ARAibbXGzszlEK9JtJbit3LaVlA8/MJxvv72ERskegiHraTVNxTVXHc7qZTfQrUPjSFGXBoMg4ogaF+/E7zcj67PXEJ3x1kbEty1MFNQWkONN1G82dQ8fKAmnuw1/NKih5ddrfexzotvsobXwJ7qvUHjc58OdKpAXmsj3LYNEjePt/u18UXXNKXoMw/qu3pHIiaZFyELhMSaZqKfCi9+1f3EMMRz0MACkUmjCsnJ+8vkKCgqqMAydM07risfj4PNpf7BxUymYkoFHtKJP75wIcfP5QmGlZXWnSlkRCtCw+jrbRP3eh0spLfMy69tcWrRMAyzi/Onnf7BhfRGeBCdH9GtJx3CRGZ8vxOw5G2neLJm2rcPFMQTgIor0h6EBJQo1HYt49ATRJbzIUoX6InxcPBAHoo+AJFAzFBQAWSCOEtbOL1UoDViNRWD6gcgR4MT62HBjHS9A5Sn4DotQZYEYFD6+HNRHVpp2OoLoF84UsSJM4RZjEawjBDQFZgHe8DxhH2fmiyGGAwvD0kNZ0QIPPPQjc+flkZkZj8PQOemEDjgcGuvWF1NQ4gN/iHvu/Y7/3DmEHj2sUIu6rIxCNHwSRDtNzgMP/8B7Hy6la9dM1q8rjhC2md/k8uZbC8hpnEB+iY82LdLo0CEdEGzZUs7Qo57hsqsG8+ykkVGd1jHQFjAfkIhyi2DJDxT6rRqir0A+KGGNgGxQ3ypEN4E4BOQrCjVNIXIEapNCLBRoEzTUcwr1g4LjhEXkvgb9GX3n9KEKK117qUI9L6FSgANEJtBfgB/UsxIVDB83X0GphjhWoJ6WsALoI1BLFOJH4BQNGikwFWoqiGECEU9DGq9jiGG/wrCLfXz/w3q++S6XmTPOIzGpZgDyCcd34OUX5mLEu5g3N48/VhZECNvBAEtfJti4sZRXXpvP19POo0XLFB5/8hcWL9kKWOFfGzeXMnZMD045uXPkPCGsQsuvv30WnTtmVot1tWH7t30oEQUC7Z0wK3ePRH0pEW11+A602RoIkLeYiE4C5RWoFyT6Rzo0AbVIIe+UqHIgHRgu0B7UUIsUjJeogLK4wtp6MgcQAPUHiBagPRRVeGYFyDcU4swwJ/hrODHSsQJSgH4C7b9hv7bZFtVUPmC5Qj2vUPECUQXYyTRiBC6GvzkiAsi2bRW0a5dOYpILnz+Ekgq322DtuhIuu+Izjj6qFU2ap9A4OzHK+bPaG39Pvu8vKEATsHlLGTnZSaSmxxEMWjUxbf+7s8b1ICsngblz83jw4e+57uoBjDmzO6GQJCHByTlje1qd2Tq06M6j578VRNfwcUEQHUGtAhKA7mAebSIcApIE4nKBWqAQzYFUwA8iGUQzLANBADgSSwwtBeLCY0usK2MTWSN8fIZAu0uHuRJ5vglOgfakBhsloimITsLq83YB3ahezyHhsXQQ/QXkg/Ir5FIQpwrUNwplCERMtxbDPwSR137LlinMnr2RX37ZiNtl4PE4EEKweMk2tm2v4LaJRzF0UGu27KjE9uIQwvLItz3NozM3OBxapPTb/taziTAlapKTxJatZeTmFlFYWMXTz/2GMxz/mZrq4fRTuvLg/cMZPqwdL7z8G2AZDbZuLWfg0Jd46tm5NXVqttJfVO+U6CuQPyiLELlAzlDgEah8BT7QHtQQ/w0TnBZAb1AFoH5W1vG/KdQ6EFlYhK6UiP4Mn9UnCQK1Ulk6tUIFW6xxAUQ3EBdpiIkaLFSoRQrRUbMMAX1BjBGIkQLRMrzpJlCBpYcLW06VH2v+vyjEUZo1bkhBE/sC7tvrE0MMUH/BFrUHv+3tx9B1K0xnyFGtuPuOIZxxzoeggcvQ+WbGeRw1qCWtWqbSpMl/6XVoS1o3T4mkBjpjzAf8OGc9IVMy5KgXGDGyE89OOpE77vqON96Zjz9kctbZH9CrbzOenzSS5s1TImE3+xJ2jrJmzZK59sp+jBjxMp16ZDPsqNZ4XFbKpHvv+56nX/oVpyFolJnAfXcdHTnXNBXr1hdTVBTlA2EoVCWoqyQkAT4QVwm00Rpio8Acbloc0PEC7QornbZygbxNWpzXNhDnCbRLNbR7BPJ2CbcDzUH7n2YRMx3LMED1dyEEnAfydok50LRCpG7UEJ0FrFaYV8mw1VIgRgirPQHEeA15ooRGQBlo92mIo8OGBVuzELaQigyBdIJwA82AFIGapRBj9ulliSGGAwahajl02fGUQKQAMtQsgmwjOt6w5vfq+FDTVCgUuqY1mIXUmouoEe5jr8uOId3jalLRfme260R0e1iYV99I5H8U2gwN4RGo7xTqERPxpI5oLaqPj3b32B1CVLtxQLWvmv29dpo722eNvRwnhhj2A2oHwU+85z8kJ6fQqp4g+Ld+f4HL9nUQvI364inrihWNJg41v1fHhzZ0rGjtudj404Wb6wuLq+1DlorlcvG5gmRQUxW0FpAtqgna3qL21RF1tEUjmvDGEMO/GDHvpb8KWy3VW0M7V6K+BmUqaAriah3hYWeDRAwxxLBfESNs+woKxDVa3fQrxkXFEEODogZhs6IJ9o1zrSkVmqg7J/0/EgJLqR8dXmVbO2OIIYYGRQ3CFh0aVTtba33ZY1X4n9rtdkLBA5WFt85ss+F/9tt8HPWPcaCz78YQw78JGlRbNz/9dAU3TfiCQMDc6QEUovqhjDajCup+WC+/8nNmzFh1wB7kusatb6429oUjcX1jRO9fDDHEsH9hBcFLRVFxJSv+yGfFHwWsXFVAUpKLjEbxxMU5CIUkGzaWAJCZEU9iYnXIVd6mUkIhidOpk5kRj5SKHfmVrFixg/bt0+jcOQO320FGRnyDxY9uzCslGDRJSHCSlWmVcisr81NYVIUMR1Q0yUkCrDJ3CQlO4jyOSCk+h6GTlLRndS1rY/2GEkxTkpzkplEjq/p4SYmPomKrVmNcnIPsxokoBdt3VJCa4o4UkSkoqMTjcRAff3AVxoghhr8bDIBAQHLvA9/z3tsLCBk6p4x9F03TePHJE+nbtymvvT6fd95fBKakY5fG3HXbkTRtmszU6Su5/e6ZSFOSnOTh1RdOoazcx8VXfsaqlTtYu7mEZ5/+hYFHteHJR44nIcG5Xxx0o/Htt2u5738/4C/3kZyRwITrBnDEEa349LMVvPTGfGQwRMBU3Hh1f04f3Y1rb5rO+vXF/DDzQrZvr+SIo17krtuHcN65vTBNucf+blIqpk5byaOTfsb0BcnISeG2m47gkD5NeOfdRbw3ZSkqGMLUNO68eTBHD2nLeRdPAQVffH4OixZv46RT3ubxR47jpBM7RSpZxRBDDHsPoZRS9gP80ZRlTJ++ipdfGhU5YPYveZx/8RQefnA4uqFx8/gvOOnkztx7z9Gcf+EU0tLc/PfuYXjianqLnjHmA8aN6caJJzZMpSGlrCIyvfo+zeWX9aVV6zQ++mAJq3KL+ParC3E6NX78ZQMlRV5++H4ds3/N4+dZlwBw+tgP6NAhnc15pQwd0pZxY7tHUiDZxaJ3V4ymoKCKfoNeYOItg8jMSuCl53/FRPDZlHEAfPv9Wiorg3z+6XK2bK9g6idnEwyanHTauwwY0IwVS/M5/bSunHhix/1O/GOIoSFwwB10lbL0bEVFXvwBk23byklIdOFxG2zYWIwSilfemE8gYNKrZ2OOHd4OpWDMmd159vm5XHLFZ3Ron84lF/YhIzOeQMBKDV5W7qeiIoCuC9xux37TMdn55NasKcDp1pj5bS6hmWtwCzj/vN4YhuDV1+fz+NO/kJ2VgK8iQEqyB5RVlenB/w6jU69JHNIzm1deOoVg0IwULqmvSIoN20iRm1uI06nz+YxVBAIh4h0ap5xmRaI/8eQvvPTmfJo2SaJ0RwVtOmQAoOka9909lF69JnHKad048cSOBIImzt2MGUMMMewaEauormskJroIBkwahwsiAzidBo0bJfDJ+2NrnKgUHDOsLccMa8vmreUMP/ZVnA6dCeOPwOHQcLsNpAkJCftfX2QXTE5J8eCvMnn7ldHEJ1aPK6Vi0tNzmPS/4xk0qCWPPjGbadNXgrAiKp5+/lfuuHkwP8/eyLffrWXIUa0BCAZMnnrhV5o1SeK0UV0i644m0Pb3xCQ3SiqmvHtmjbl5vUGefn4u0z89h7Zt07j5tq/JXWMVsdU1wfMvzuOBB0bw7ay1/DZvM337NIlxbDHE8BdhAJF038OObsOb7yykZ88nSWmcwAP3HMOI4e34/vt1tGn3CI1bJKFLwdNPjqRb1yyuuOpz5i3eTKNEF63apNHnkBzs/saN7cGV13/Oiy/OoW//lvznzqHExzv2TxA8AgTk5CRy040D6dTzSbKbJiGDJldeehjnnN2LIwa2ZOwFk2nVKpXKEj+paXFIU3L5tVNZv76YTyePo2vXLE4f9z7PPDGS00d3BQQff7qcNasLGTK4dbi6fd0J2zp3yuDiC/vQpPXDNG+RTCgguW3CYI4/rj39Dm/G0ce9Spu2aWzNK6dL1yyCQclZ53+IlPDUk8fTKCOOkae8xRsvncqwYW33Sr8XQwwx1ESEsAGkp8fx7FMnsmZ1AVJA2zZpxMU5eOiB4Yw6uRNmWORr3iwZgAvO782o0s6YAZOmzZLp2iUr0vHIEzrQODuBshIv6RkJkTqc+9NhVynFBef1pnPnTMor/KAUbduko2mCe+4aymmndSEQMGnbKg0ECE1w2UV9yclJxO02OOnEjjRrdi6N0uMxTYXDqdG7ezYJbgcej83c1j//66/tT9++TcL57KBzxwwcDp3HHj6OJUu3gRC0bJ6CrlsB+jddP5C2rdPQdY3zz+tN9x6NaZqTdEAyEMcQwz8JO0UeNG+WHCFcVhu43QZHHdl6p5P7HNKk3o41TXBY36Y7te9PXy6baB5+6M7jJie7OKJ/i53ae/W0MgHbImbvXhbXWVTk5eIrP2FjXhnvvzEaj2fPuM2BdYyRluZh8KBWO7X3De+fHe3RN2o//zURGzHEsB+wU+SBHVZl/23rr6KzG9kPd+2SerUfevt30cChVdHzqmsN1QkxBVKpsFNt9ZqEEKSmenjntdEYhhYRCfeEi6p7bLVT5IEQIjzWzmPHaFoMMfw17BQEL4QgZEq0KHGoPsK0uwf9QIlTdY1rmrLO1EVarXVF/247zv7VsaUMR3cIMOwyf3UcGxM/Y4hh36DOJ9exG5+tvyN254e2N5BSYZoSw9D3iLuydGr714XD8uMzseqqVs9LKUUwKCMJNqPdVwIBM+Kv53BUn2MXzY7mVqP7ATAMPZLI0z6+druUypoTgBA4InVprbkqpRCaqDHfGGLYF9iJsCkJ701eQpPsRAYd0fIATGnfwtaLTflkOb16ZNOqVepf7tPi/HZPqOyxv/xqNdO+WEV2TiJjR3enRYuUfZocQIUj753OneckhKjRbs9JyrqPr03Q6uvHHlcpha7XPN4eQ9NEPVxvzbHtKmMxxLCvELkbpZQEgxK/3+Tyqz/jued/jRwUCskan1rZxA8qKFVzvnaA/9PPzGXJku2R9mhdmM1xRLdbTstqp9+kVKxcWcDjT/7C1m3lNcaoDZtwxcc5SYh38uSkOZZ1lGp9X3T/0fuqlKqxjvrXW62nu+yqz7j7vlmUFHsjv/u8IS6+4lNGjnyNex/6PsIxaZrg9v+byciRr3HldZ/j85uRdO4zv85l3Fnv8+VXqyP9bNpUyhXXTGXkaW9z6pnvsnDR1oj1dtb36xg58nVOOvlN5szNi4jUK1cVMPKUtzhx9Nucd/EU1uQWAZZoft34GYwc+RoTbvsqUsnsYL6vYtg3qK9wS+2//+onQtg0TbMcaz06i3+/ikf/NyIyGcPQanwOZoudEDXna4teGRnxJCW5Iu3R+ixd13ZqF8IWIWv+pmmCqsogH09ZjhYOtarP38zep4EDW3Dff4bRv29znM6aHEx0/9H7aodx2Z/61yvYvKWMc877iFBQMn3qHxRGFaW58NJPCPhCjBnTk3Vri3ng4R8QAm657SsWLtjKmDE9SU7ycP2N0xBC8Ojjs/l06h+syS3mlzl5kX6Sktwce0xbxozuRstmKdww/guKirzM+30z9z34PWeO6cGIEe154KEfWLhoK1IqbrtjJice35Exo7vhrQrx2BOzAbjm+qlsyithzJieBHwh7rjrmygDzx5d5hhi2CU007TupN9+28whhz9L+x5PMGrUm0ybsQqA7dsqOHr4a7Tp+hhd+jxFm7b/49vv1gIH5xt23bpi+g1+gfadH+XwQS/w008bAIv7+nXeJnoe/jSde03i40+WA5bYdMU1n9OmzcO06/4En3xqtS9avI077vqGced+SJtOj9Kl9yRyc4t44qk5jBz1OktWb2fA0S/Rpu3DvPbmgl3OSUpFYaGXikp/jT0LhSRjz/2QNm0eomufp5g1a13kt+9/WM8h/Z6lTcdH6TvgObZvr6i3/7RUD7dNHGw5COckI8LEeemyHSxaspVnJ41k7NielFcEmPzJMlavLuSHH9dz+61HMnZsT+LjnHz4yTLWrCnk1FM6c/ddQxgwoBXxUfG/SUkuTjyhI2PP6M7oU7shwyLr0qU7aNE8hXFje3LZpYcRF+fk65lrEEKQv6OKjEbxjDm9O01zksjJTqCsLMAPP67nfw8cy9ixPVEK3v1wMVu2lEUcxWOI4a/CsBW9PXo05rMp49B1jfHjv2D1qgIAGmXE8+Zrp6LpgikfL2fbtgoOO7RZ+PSDh3OzleBPPTOXoYNbcdEFfcjMTKjmzITi089W8OVn5/LCS/N45MnZnHxSJy6+7FOcLo2ffrqM1WsKuezKz+jerTFul8H7Hy7hqssP438PHsuDD//Ed7PWcuF5vWndMoXHn5zDvf8dSotmKTXSONUFS2mvRdxpbIw56wPat2/EIw8cy2/zNnP1DdOYNfNCcnMLmXDzF/z3zqH07JUNCho1iq+3f4/HQYf2jfj+h/X4A2aE61m8eCud2mVQVhHg7PM/Ij+/km4ds5g2fRVNGieRkRHPdTdMZ86veQzq14oFC7cy+rSuAJSX+8jM9ABEoiBee30+E2/7krhEN6++OIqkJBchqVi8bDt5eSXk5ZXx24LNdOuWhRDw/runc84Fk7ns6s+48Zr+XH/dAL75JpfmTZNxuQzOv3AKq3OL6N0jhyVLd5CTkxQLJ4thnyAi4zidOk1ykmiclUBWZgJutyUyaZogOzuRDRtK2bqljMsu7UtcnBHxwTrY0KtnNu9NXsKjj81mbW5hRD8lTfi/O4eSlZlAl06ZpCa72LSpjM2bShl3Zg+ysxM54ogWDD2qDWvXFhEMmRwxoAWnntKF7MaJPP7ICC68oE8kx1uc26BxViLZ2YnEx9eug1cTpikjFsVAwNKZLVi4jdISP+PGWGMfPbQN/Q5txsYNJcz9dTNdu2YxYkR7shtbY0SXEty5f0UgYFprDevmTFPicOgUlXq5+NJP6XtIE159+VQqKoK4nDqaLrjuhumYpuKLaeeih0sS2n3ZOsZgUEY4qbFjerBh3QS+/fICLr3yc+bMzeOi83tz9JA2DBgwiRdf/Z2cjETiPA6CQZMzxrzPwH7NWfTblbz3wRJefGkeiUlu/AGTS6/4jMZZCXz84RiCAROH459niY/hwKHG3WQTgZApI/oOISAYkkyfvpIxZ3Qnu3EiQvzJUnb7EbZ+6qxxPViz/AbOOa8Xxx//Ok9O+gUAa7oWK2NxBRoej4NgUFJYaOmkBILVawrxeKwA+uh6qXZNUrCyiQRNGQnw353OUdc10tM9JCa4aNIkCcPQyMiIo7IqQFmZD7D823LXFuHxOHAYWiSx555A10XkxZSY6KJlyxR0XeOQQ5ow+9c8Tj+1C7fcPIhfftlIRaWf449rz4Jl22jTNp1JTxzP1i3lrN9QTK+ejSN9paZ4yMiIi3CatlXU4dBp3jyZxHgnRUWWkeLeu49m48Y7eOX5kwlJSaeOGWzcWMq2/HLuvGMIWVkJnH/uIbzz/iKyGyewbFU+/fo15/77jmHpsnwKi7x06thon9XbiCGGnd09VNgDXhOAoqwswLU3TGfR0i0kprp59/1FjBzZmb596g+nOhCwRdH33l/C0j92kBzv4IihbdDCnE5BQRVebwgAny/E+g3FNGoUxymndOaRJ2ezcMFmthV6SUxy0rlLJiv/yKeoqKqGRdKmX23bpJOa6ubKqz+jc6dMhh/TjsMPa1bvnD6fupKf52xg1s/r0R6UDDm6HWeN6cFJJ3Zi4l0zGdyvGRu3lNO0eTKtWqViSsl77y/h3Aun0Lp1Km6XwRWXHlqvyFte7ue5F39j4ZJtzPppHeNvms7QYe048fiO3HBVf2b/msfq1fnMmr2RM0/rSvMWKVx50aEsWLyVO+/8ml8XbmPwka1o1SqNb79by48/rOPTGX+QNsdFflEVZ5/Zg0BQ8uZbC3C4DfK3V9Lv8GYM6N+csjI/r74+n/ztZazbWM4xR7dj8KCWVFQEyW6cxDkXfETrFin8MHsjo0/tSqtWqVx9yWHkri3kzju/5uffNnP88e3Jzk7CNGNiaAz7BlHuHpYIIqUkPs4RrntgiSBdu2QyYkQHNuaVUFLsw+sNHsg57xKVlRYXtH59CX0PacIN1w0A4OqrDqdbVytIv0+fJtwyfhBKwZWXH8b55/amsLCKlBQ3r754Cqkpblq0SOHCCw4hPd1K721zLUopGjWKY/xNA2neLJnCwioCAbPOudi6rsrKAF5fkGuvOZwWLVIpKfXh84WYcNNARp3UicLCKpq3SOGV50bhcul06ZzJqy+PIjs7kcKiKkpKfZaIGDQJBHb+SKkoLvaSk53IVVcejq5rVFQEMKXiP3cPpVGjOEpKvFxyUR+uuOwwlFJce00/evXMpqTEy7ChrXnovmMiLiaFhZWMHdONIUe1prDISzAoCQZMiou9FBRWkZjk5KEHhpOc7EZKRVVVkLIyH8ce24677jgSl8sgPd3DpMeOJyMrnqKiKs4e14NrruqHUoqJtw6mTZs0Skq8jD61C7dOGBRxID4Y1Rsx/P0gVB1mqMFDX+acs3py4fmHHIg5NSjqUlbvznnW5sT2x9i7av8zqL0Wu29TqkglsX3VN1CD66qrUpcQ1YlBa88phn8W6sqgmxTOoNuqTVtSojLo/pq3gDf3ZQZd+2Z7+51F3P/gLPz+EF26NubUcGJFK87RrOFfpBvaX34o9heinWxtnzYhBKFQdayo7Whr+6YFQxIlVTgcqdp6aZqWV/3OFbtExHkXdr8ftR2CbR81TRPh0KKac7XnaDntgqbBli0VjB77Ht5AMOLzBVas67NPnEjfPjk1rpGmVaczDwRNUDXbdE1EDBrW2FZYU/S6bDgcWsTx2VpA9D5BKGRG9GPRPnfRfQlNYIT9/QTR69592vUYYthbGEpZD8/wY9rSvXsWmgbNmqWQlOhCyvCDu5NFTu2U2eNggabVVEBbmTUUmgbR89Y0qtenYVsXIsfbx9j7UxsWMbDH2fV+1J6TNY7Vb/TeRo8N0f1DVlYcr710sjWOpf6MTKR5s+Q6rab2+gxd7NQGYIWv2uuWUQS29lzt+NC656rX03/tvqL3sua6697jGP7ekFKGs9jUHzmzv2Bo1hNPo0bxO/lKxcSDgwdut0bnTlm7PzCGGA4S2LQlKSmpwcc2vv7qS+ubLdpoOrqho+u6NbGYNvfgQX1szV+8RgKFFBoBQ8dhmuimRO1lnxYTqdCVjoZGSISIMWH/bsiwjm3OnDnQwHeDcds994a/WuKUz+elqqKSqsoKqqqqkLJui18M/xAokJrAFQzSuKqKIqeLMo8HXcq9CyxRCoFOpV6BEiE8ZgIaOg19Q8dwcEEIDYdh0KNnL6oqq0hOCWfX2c+6B+PXn36o0bAtoMhdtYoN63LZnJdHMBDYrxOI4cBCKEXA6SSzIJ9jv53F3N69Wd6+LXE+P3IvuDYpJG7lYalYyAbWMFgdg5s4JLEX478dUin8Ph+Gw8DldmM4HGjG3idx3RsYGyv8AJGkf2UlpZRXlGGakviEBGRMq/uPhqYUQZcTT8BPsaGhJcSTlpqGw+tFaXturVRK4tHjcJd50LwGiekpxOnxmCpG2P7NsO1cQgg8bg+p6ekkJSURFxdX0wi2j2E4XVHe7ALSGzWyJuGJo6qyMkbY/uEQSmG6XcS7PKQlJdGkaTPc7TvgqKxE7gVhk8ok3khk47b1bCvcQovWrUlwJMUIWwyARcMMh4OkpCQyshrjcDr2qzRakx9UVnXytIxGxMXH4fP69t/IMRwcUArl8eBAIyEpmZwmTUlp1x6trMz2B9kjmMokyZXMCrWIpFAyLVq1JsWdSkgGOZiywMRw4KDpOnHx8fudqEE9saICgScuHk9c/alyYviHQEmUU0NPTcXtdkNyEu5EN8Lh2DvCJk2SXToJiUm43R5S09JJ8SQSkrG03zFUI9q5fH/CiBmt/uVQtb7XztP8Z/qJPj92f8UQhZ2Imqrj/31w38RiWWKIIYZ/HGKELYYYYvjHwYhJCjHUVS1oX/QRk0Rj2B12V6nqzyLGscUQQwz/OMQIWwwxxPCPw/6Na4jh7wMrJ3x1QP1euHpEQyo7x5uIFHKO4eCCIJzwU/5zVQUxwhaDdXe7XAifD/fLL+OYMQ3/2LMJdWmHCLDH2UNMBQnOBNYWruLxH/9LvDMBGYs8OKigawalvmJO7jKGvs164wsqxF/IVHuwIkbY/u0QGsIvMZs1puqWW3F98xX6wqXEPfoIFY8+ikqKh9Duu9E1nQq/ybEdjsYf8rG+aA1Ow/XPZQn+hpDKxOP0UFCxned/eZScpMfIScrEH9o3qe4PJsQIWwygaQifwmzTloquHXB/Mg3nt99AMASmCSZ7JJpaxA2O63gC+j+PCfjbw5SQpMNX6+YyZclbSGX+Y9MtxghbDBZXpQuUQ68OfjIMVEIiyqGBA4RPRdKn7wpCgC8kw53ux/QNMew1TCnR3TreYBVSNXy67oZEjLD926EUyiHQKnw4vvkRmZqMvnQJWl4eju+/RXmcqMRUQr27IbySPWHF/kp1oRj2H5Swrs2/4frECNu/HRoIU+F+803i730IlZqGKCsFfwDHwhWIQIBQu9aUvfgMslkzCEnYi3RGMcRwIBAjbP92mArl1JBZjTG2rkOVe8E0UZpAVHgR3nJkVhZmRiNE0ATtz7mBxBBDQyL26o0BNAge2gff4KEoZaJcTtB1lKFjpmdQdfYZkBBnyTL/VG1zDP8oxAjbvx2ahvBJzObZBE49BVFZEhE1hd+PTE/Bf955CL/aI/1aDDEcDIjdqTFYLuhAsEd3Qi1aQSAIgHI5CQw4DJnoJlJNOYYY/gaIEbYYwDDQ/JJA3z4Ejh+BVlFscW2GTtX11yEkMaIWw98KMcIWg4WgifI4CPXuhUxKgECIYIc2mJ06Wg66McIWw98I+9UqqpTCNGOxgn8LCAVVASqOH4b+QX/cX31B2Y3XETIDYMbef38naJqG9i93ydlvhE0Bui5Idf35sgr7i0c42OZzsEAAZlwW8V06w1czSB5xHKbL8Y9f9z8FdqyHD6gK/LvFsf1C2JRSeJyCtevyGD18KAjQhapFGXb/uJimxDT/XD5XpcCha0ilMGXNIF8jeui9eGpD/+wolHClDYVWUIjAj9mpLRgG1Y9MDAczDIcDGQpx7qWXc9v4G9laFcDhcB7oaR0Q7DeOzRCwY/sOHMpk1vc/s317GSoqlMOuVhN5XAQIVISb0oQgOcmFx+P4E6MrHLpOYVUAl6ER79DDZeAsVJpYBDMyh+rv1jyiEP5DKIhzaf/sx9sO7XQ6UQ4DUeVtmFppMfxlhMwQDsPBc88+w+/z5+MQFoPxb8V+1bGFTEXrto3J3ZDOyOM/pEWXJgQDIXQUAolAIgmhlKxOUGhKNB0qt5fRoVc2Mz4b96fGXlVUwf8W5nNclyYMz0nBE6ZIQeDsReBEIoJBzMoQyhtEeiXSF0T5TKQ/hPSbKL+J8klUUCIEfP1/HXH9m/j7xKQDPYMY9hIZmZkYa9Yf6GkccOyXYi7RxRgMTZCbV8iYc9rzzONDgB2AQSUCkzhCJBAEAkVglEJ6AJwuWD9/BSMf/gaAQMDE6dx9KI9UITRhsHXzN1z1QQlPjTuaL3OL+dzn5fSu2YDC54eA30fjdjo7lgZRAR+hygChiiD+Uj+qKkSw0iJ4wfIgIZ+J2qDwdHATDJm49mAeMcTQ0AiFQhiGgRkKRYQPGSUBwc4FUg6Ggju1i7fsq2IuDRIragiFt0oRCv1IccmvrEyJY4mpUSnaodETNmdg/maSvgV6KkH3uCCFm7aiG3sh+IWJGiWfYK66n/iUB3nml7U4dI3RXTsilUITludCvD/EkVUGW4p1lHIQDIJwaMQ1NfB5JcGAAk0S51aYBrBBMHNjCcGQgn+nyiKGvw0EKuxw/W/I4lEfGoSwKUAIhUERurYFr5FAgdAoF5kIJMoUBIoE5haBVwoMl4mxsQQlatLsUEhZTvI12gW6CKEbDlThp8h199Ok+42c/fOb/Ly+IzfecBWN4x3I8LFBKUkNSC7IdFA5xEF8gifS08Yt0DynuueCCghIyEmCNY8ux+uVpMbtv32KIYa/Cl3TqSgvp8AfoqKsgtT0tAM9pQOCBsruIa2wHe92TLmOIhLZgEYpjRHKj/SCd6vCvw56KMAIElifjwgTEZtvMyIcXG1OzgGFUzBz70PreAdl077nlIwQp1x6EWARrsi7SykMQmzaovhuQZAzRzq44R7J8BMFP/5QwqjTkrn2AsmJpxk0bl6B7oQV8xOYMz9E0lX7c49iiOGvQzN0SktLWLMhj4rSMjRdIyU15V9nA2ogwqZAAr5CQmoLxSSzCUUZ+Wj4CXoFZVuBPChDgG5SsTEf0TEFgEBI4nDq3HLXBqZ/uQNHvIlUQXTNh7fKyYUjvufaEZ9jdLyD/Clf88L/pvNmwqW4p7+PKNnBA/8ZzfBBnUBKlAQ9aFLpNSksC+DQnZx7iuC6+wTL8rYz4+sEHrzRYG6u4OZ7StGk4L5rEulcKfB6ISEmisZwEEPXdcqKi9mQuwbTNPHEeYiLi8Ph+nfduPuZsIVfE5oGgXKoKEC6yylBIx8THwVoKoi3CnZsV7gKBWU6KC1E1Y586JRs9RL2H5sxq4CJE1rQvWscvqCJ1HSMgslklH+I1uG/5H/0FQWrNjPqs185tELQxB3kxoc+4beFayzCFoZuKkqrgmwp9OH3J3BID8HkSYLDLgnx6iQnhzSDEcDGCoFu6Fw0Dr7+j8T8p/uxxfC3h2HolJWVsnXTJjzx8VRVVuL3enHGCNu+hpUVwqwoRm0pYZ0eoDDgwxc08YpSNPLwbY0nWBHE6xPscOisJ59csxBNtK3Rk9tt0r1rPP/5YA1rNoQ4puU3/Oe4yWiH3EfRR18z+dXfeDw0ATn3d/I3FXLTNf3p2bsxIX+4zFLYt0czJUVlQZzJlbz9SSPyCiV3XaGz8NX2mF4/ubkSzZDcekYipiOEMkOY8h/uwxbDPwNCEAoGCQQDuFUc8t8mg4ax/wmbAk3T8VaWsnVTCbkhP4XlOr6gxK+VoLGRQJ6OrAwRCMAOU2elKCKXop1CQpQKUOENsWkbOCr/4JJ+0xBtbqdo8le8/9Jc/hccT3nIhVFVSumOSoqLfJDsxxVtHVKghUBqIT7+tIKnx8Ndj4cQbp3jH36DkL6CCleA4lAVPk+A7+dv5tZvJ5GQmoCKsWwxxPC3wH4nbEopNF2jsqyUNZuKWevzU1im4QtJAqIMoTYS2GJiVoXwBwQ7hEauVsImitEjbxs7RMCPUgqHCnJsq2W0cCRQ+Om3vPPSXJ4M3USF6cEIVFqWU1OCVCDMGlZUIRSV5UE6HpZEk+Rknn0PKssEb70P/dsk0SJjHnEiRGIoBI0EXy3YQkm5F11LiNVbiiGGvwkaxHigaxol5aWs3lzGhrIARUUCvynxU4ogj+CWKmSFJBCEfCVYo1WymbKdq72pICY6IlTE9sWv8lV5Z6YtKuRbbTxeLZ44VYkfDR0Tp7C4KylCiKg8/boQVJQGaN0knq/eiGfqXJNKqfHCA4p4jmfa+BTKzSoqnD4qSvw0uqiIJp2z8S6sQOxB+bkYYojhwGO/EzapFIauUVRWwbINJeQW+ihMUviVwE8Fgk3I4jJUlSIQhAIlWKt52UYFTWrxSEoLEjKD5K738+2sYXzYcSjbKjMRgUJUoAwCgD8IygRvEVu3V5KVEbK8cq0ekBJcUcEDCX6dN++D1CSABMY+P7zudQQX/+OqZccQwz8VDSCKgqHrbC0uYIfXpKrSQ2lRBX4/mGwGVQFVTkS5xB9UbEFQqQXYLqpoWkv2kzJAYpKDL14+hhLvSLy+KhwyiD8kMJXANBVKgikV3goffXpm8eDbC0jzqMhcXA5B7uYqLnl2DTIkaZQCU5YpqnwKQynMQDgkJfyPlArdaZC71YvL8e/15I4hhr8T9j/HhkZaokZpZQumL+yE1xckGPRjKmlRGvsjTQIOSQGKIiEx/T4SPBZr5XBaGT5ysjycPPpdmrZ0EVJeNN1EiiCIAEoLgBYEEURpQdADGO/6WbJoCc/89zYAhKaT5IG3r+vMr6vKcWiCYFAisOqUKFlbi6YQAkIhuHlcO1ISYtUKYzg4YRjWvanr+r86q4eN/fqkOh0G27aW0aZlJUuWjEc33AgBAhHONF3rAggrjxoChFQ4nIr8/Hwr64cQTPpvT0pLOxI0JTuFygplpR+KbtPA49RJSU62+rG6JsulcXyX2hdfsNN8EJbhQYGmlZOfH7OKxnBwwg6CLykpiRE39iNhM4HEpET+WLWKIwYNQKAixoA923KBkopQlIuFrguMnUrA1aX3qh5IAcFQKHKhlQKFQttLfZlUKoogxxDDwQXL+0CnrLSUxk2bEQwGD/SUDij2G2HTgdKSUrp37cpvv/++v4aJIYYYovDBB+9zxTXX4XT+uyINamO/iqJCCEKhEKFQiEAg8K/f7Bhi2F+wRdGKiop/fSEXaADjgRACwzCQUkYUnH8VSkEoJHEcICulUopgSIZ1bwLDOHhvpKAMYmgG4i8GhMlwlmND++vXMCRDCCHQxV9P2hldF8MwNLR97GtoF1nT90F+0VDICpveX3THMIwYUQvjb2nmE4IDRtSs8QVOR8Nn0lUopIwyYAgixEEphVTVv2mahkDg0P5MzYidoQmtzsSFdkr3aAghdpnkcF8QRxu6ru0TolN//3W3S7lzOQghdk209tF7PYY9wAGhDraHx589fsuWcq6/YQbBgNzrvv4KZNgdJHdNESef9g49ejzO7XfNxOcNhuep6p2Pov517+kaBAJd06s/URyPEDV/Ewikktw440a2lG+plSR6z6CoJpZfrfmaR39+DAgTs3B/mtBqzknTdyJq9rE2UX7ghwf5cOmHuxy3vvmqcAWy8B88Nmk23bs/xpBjX2Xhoq3hcXa/1t0dYXNqL7wqef8ja97R10jTLKIX/YkmarWvaTAIN99h8v2P4YiYOgzsu7oH/uVGzr3GAXmH7K1lsfbxVVVBfpmTh6YdmALlW7aWEfCbPPXUSbRomYoR5t52FZkgIv/U8dtu1iCVRBMaq4tWc9FHl1BYUYRSiubpTXlr9Jukx6Xz4ZLJTPzidjwON4meRJ46cRI9s3swe8MvXHm470+JopYV2DpvU9lmlm5fCtRMOf347Cd49ufn8DithJ7eoI+j2h/JoyP+R5wjLtIPVBO4RdsWIxARNx4b9t+7mquIKiOmgDNO68ZRR7Tk1jtmsnFjKT17ZO/h2nYNm5D8sQoy0q0/7KlWVSruuM/ko28gKV5gSkUwCGcdB3fcalguTVED2C+1335X9O4uUGpnIlj7nJ3mG7PG7xUalLBVVAQwDI38gkqUgpzsRAxDo6rK4nji4hxIqSgr85OY6ETXNfz+EJu3lIEQxMc5yMyIR9MFqakeKiuDFBRWkpoaR2qqu8HWITRBk5xE+vdvga5rNTiEteuKkaYkOdlNRkZ8pH3r1nKqqoIYDo1G6fHExzuoqAigGxoF4f1okp2Ibmj4/Sa6Lrjw4k8YdXInTji+A2iKEm8pHqebyWe9T/tG7akIVJDgTGBD6QYe/+Uxvr3ka5okNeGiTy7mnUXv0Cu7J2lxaZjKZH3xehKcCaTHp4MSSCmpqgpx6unv8upLo8hqnICuaXhDVQgEJb4SgmaQzIRM3IYbp+4g2Z1MsbeY4qpiGic1Js4Rx0V9LuScXufw8u8vs7ZwLfcdcy+6puNxWIRuc9lmgmaQFHcKKZ4UAOKdcbgMF0IIvEEvRd4ishKyMDSDHZX5lPnKcGgGzVNbIABv0AtAub8cb8hHVnhOYN1DOdmJtGyWssf6tUAAvD5IiN+97szjsY7blg9+P2RnQly84M4JBreNh/G3m3Rqr3HBORouR5gAKdiw2SLUGemC+HAm6IR4cDitY4qKIRBUZDYSaBps2qLwBcDjhiaNrXVUVIKhQUGJ5YHZuBEY+0az8I/H/g+pCv/vdDq5+rpPWbmykKpQkE0bSxkzujuPPHQsjz0+m7IyHw8+MJyNG0sYceIbfDn1PDIz43ns8Z+ZPHkJlSGTfn2a8/zTI3E6DYpLqvi//37L1E8X4UpM4NUXTqHPITlIqfa5ArkuBIOS8nI/ycnWAyyl4vOpK3nsqdlIf5CM7GQmThjEIb1zWLBgK9fcOA1vpZ+ggnv/bxgnHNee62+cwarVBfhMk7yNJYw7owcP3ncMrnAwqyYEycnuGsaJYm8xC7csotRXRrfGXdGERqorlZ45vZi8dDIDWgwk2ZXMsLbDUErhN/08/+uLzFg+A1OY/HfYPZzW9TR0XSMx0YkZkmRmJkT8Ax/8/mG+WTeTeCORNflrOLrDUTw98mkcmsEf+Su4ecatfPPH13Rt0Z23Rr9BojMRgBRPCknuJFI9qQCYSjJ5yYfc8809oAQZiRk8cOx9HN7scEwZItmTzPqS9Vw39XpCpuS5k59Gobj96ztZX7QBj+HmtO6ncn7v83h5/qu8Pv81suNzWLRlMQPbDODVU17GqTnDnJUiEDTZU7z2juTSWyQ/TdYYMFDDNOsncA4H/DRb8e2vIX6dDyOPhKcfNUhMtLiupERITYa0FOt4rxcmvWDy4jsK3SPo0FTx5H06zZtanFpSPCxYILniFknnDoJJ92msXCO462FJcRUkxcElZwhOOlFjwp0my5dIVLxG7gbFuOMED/xHR8o9M2ZEu7FH40BXpmoINKiOTdMETofGr99fyi+zLmHq9D/Iz68kPt6JHn54pVS4nDpxcQ6276jgh583cP5Ffflj4bW8+tIonC4DJRWbt5TR95AmrFp1C02yk/jmu9yGXApgiZ6WwlhQVOTlxpu/4JxxPZhw61GY/hB3/J9VPnDKJ8tp3iyZjz4Yx6Jfr+SE49oD4HTpOB06c7+/hDnfX8qML1ezcOE2vv4ml5de+o2VuQV89MkyXnrtd+Yv2ELjxCw6Z3ThjflvcfYH53L1Z9dQ7i8jyZ3EGd3O4MvVX3HNZ9fSODGTI1oMRCIp95XjcbhYdsMSRnU+mS9Wz6CkKMA7HyzimefmsmVHBU88NZvX3/mdHVt8xLldmKZk2rmfseyGxczeMIdVhauIdybwR8Eqbj5yPLkTc1m1YxUr81dG9sKUZg3jxS8bf+HeWffy/aWzWHbDEk7odDyPz34CU5q4HR5mrv6Gm7+8mUGtjmDquZ/SNLkpE7+aSLwznolH3sKoridz21e3UewrJt7hwRv08droV1h03Xx+y/uNTeWbLHlSqF2qAOpC21aCM0cJGjUS4etY/7G6A9ZsgA+eM/h+ssY3c6CkpFrPJ2W1Pg7gvY8kn05XrJ5j8McsnfQUwQuvSqRpGQ/e+1Rx9/2S6y7RePlJnbgEwZUTQhzeVzDxGo0uHQQT7rE6dLsFulPw/cc6HzylMe17RdBvEdSYzm3XaFBRNOCXXH7ZoVRVBfF4HHRsm0HeplJcTgMhBH5/iORkNw6HjtcbpGlOEiNP6MjU6StZvHgbh/TK4dKL+2Kaki6dsxhzZneCQZOMRnHEhSvGHyhdRG5uIS63zvQv1+APhEhw64wb3R2A007pwv2P/MBNN39B+zZpjBnTg65ds6iqCkb2w+026NQug7VrC1mfV8rc2evZnl/BgsXb2F5QSVKCi969uvLqqS8DYCqTXpMO4YvVX9K/RX8unHIhz5/8HENaDaHf8/3wBQPcduRE0uLSuKbfNQTNIAmuJPxUUlke4ocf17NjWwUlZT5m/biOtEYe+nVvj195ObfXOZjSxFQmnRt3YlPZZryhKk7pMoo2aW3IryggI6HRLq2bv2/5jX4t+9EorhEVgQqOaDmQrRVbqQxW4dJd/Jb3Lc3TmnPDgBsImAECMoCUkjX5a3i5/BVCMsSVh11JojORUl8p43qOJc2TxrriDTSKT0fnz5tChwwWDBlcff6uLJlV5XD5BQLDBVV+QXpi/feYUrBsiWL4kYJAyBJ5TzgKlixXVHkBAV//rBg+QHDGqRpeHxTsUDidMHeR4vdlVhKHqy615lZVqbjqEg1TQkgJUhMIE3P++SzXX0SDEjaFwuk0iItzsG5dMctX5dOyRSpffLmGqqogLpfB++8vZUdBFUKAbmhccemhXHHpoXz1bS7jzvqAww5tRuOsRExTUlUZIC7+4HD6TUp2o0zF5HfO2Om3Hj0a894bpwNwwsg3WLW2iA/fPRMpFc4wd7p+QwmLl2/j8f4jOC0nCa4fwOVXfM655/Tk8MOb7dTn5rLNBGWAVE8a64rWk+ZOZ0irIQAMbX00y3YsR6EwNINibzEZcRnomiAQkDRpEcdzk06y5nPiW0ydclak36ovg7gSnLgMF6WVpSzZupSumV34acNPeANVli+bbtRQ4kO1ddRG54yuvLngbYIySIIzgflbFrCxeCNxDg9BGWTCkTfxx45VnPr2aN49823ijDiK/MVceOj5nNGt5h7qQqcyUIlSCiNs8f0rmDtP8cFUxXmnQrduGlLWT9wMB5SWAQoMHWp7sURbQ4WA1m0En8yQOB3gdMC3v0Cc2yoC7nbC/yZqfPSF4poJJk8+pJOULCgqguceEnTsXLNzw4CycitBg67tPHYM9aNBCZvH4+D666dy3yNJFBZUcf01/UlL89D/8GZcP2EGAwY8g9PjJuA3cToN1q8v4cprp1JU5iUzycXwY9rRuHECPm+Q4iJvxBmxpMRHZWWgIZdSA0opOnXM4JKL+9Ck1UM0a5FCKCC5/ebBnHxSJ+6973s+mb6CxDgHDreDUcPaAZAQ7+SGG6Zy/6M/UlhYyXXX9KdJThKVVQEMXWPjplJy1xbRq1cOui7Iq9jIhBkTKKsqZ33pOi7oez6DWw6iMlhJy9QW9J7Ul0RnAobh4P7h9+LQHGyv2B4hQBWBCsr8pSgF/kAQb1WIvE2lrF1bTE7TeJyGg0R3Avd+8wDvL5jM1ootnNvrHHIScyjzlVERqEQTGkopCqoKCJrV8YhVwSrKfGWAZcUd1HIQI9qPoO+kw0hyJ5PsSWLC4JssA0HFdgqrirjvmP9y1vvnMPC5Qbx6+ss8NPwhzp98AY//+CSGZtCneW8eO+4xygJlVAYqEcJyYSmoLCCkQn/yWsGWrYpH75c0ThZ062aJkvURtrJyiyDZWV4KCmuKgaVlUFVV/feZozV+WyTpfYxJvAeaZcK1l+kYBmzcZBHKSQ/qnDA2xAlnhnjzGZ2H/qNzwjkmmU0Vph9GHyu46VqNwkLwh2/rQMAaO8ap7RkalLCFQpLRo7tx1NA2JCY4OaxvU5SCI49sxbtvns6mvGLatc/ADEnS0z3Exzu4dcIR+IMmoUCI7t2zaZyVgD9g8t47Z0SU7JOeOIH4OFsUbRhZNDriwDbXX3d1fw7t2xSfL4RS0KlDIwBGjerMYf2aRaylfXo3sfbDlJx6ajeGDmsbtR+KOI8DIQTPTDqBlBR3ZJ2ZcRlcP+B6AqEAcQ4PhzY7FIAUPYVnTnyaZduXE5IhWqW2pFVaKwDeOeMdmiU3BeDqw68iaAYRAtwuB06HwUcfnEmzZskIXaJpgkAowLEdjmF0l9E4dSf9WhyOUopTu5zK8HbHApDsTuKTcR/TNNwvwFk9xhEIWU+hEAKX4eTOIXcyvO1w/KafNmmtaZnaEoBHRjwStrQ6efW0l1m8bQlNEpuQ4k7h3TPfIa8kDyEEaXFWsd+L+1yMKS29U3ZiNp+f8xnNkpqF911ErsfuYBXuhoH9NHr1kaRZdo46RUtbOX/L9Rq6blGT9u0EU9/XSUkREUJ490QNj6u6g7RUeOIBg9+XKKQJPTpDo3SBVPDmSzqpKYLUVPjsLYP1GxUej+DYoTD5dZ2iEqsiW7Owx8qD/9FIiLf6PrSP4JO3dRyuXbsOxWChQQlbVVWQQ4a15eijWkfa7JuqY4dGdAwTAhvx8U4GDmhRo00pcDl12ratrnDdskXKfptzXVBKUVEZoKCgynqIXdXb2P/w5jsd37lTBp07ZUT+Nk0JCLzeEIcMbVJrP6rv2Ba11hXvjKd/83415xJ+hafHpTOo1RE12gWCtmltIm1ZCVk1ztU0Qdu26QCEwh6jVUEvnbM6Mbj1oBpzSvWkRiyeuqbTrlG7Gn01iqu+dgKBQuHQDAa2HBBpl8rKqtI82dojpRTxznj6NT88/LukXXpb2qXXrE6WGZ8Z+e7UHbRv1D58Pnh9Ify+IOUV/l065tovn3feM7nnKcXlYwRnj9UxzbojAuzLkN3YWhGA2w0d2takKE1zav6tlGUpPap/dbst6rZuJcLrhKwMyMqo/rtnl50pVfOm1W3x8dC+TYya7SkajLAppchunGCJE9KyKul61MW38gkhBGEHxvBFj7pZLSdGEekv+jsNmFKoUVo8eZvKGDz4OU45vQf3/t/ReOIckciD6vmK8HpqttvfGzdOQKtnP6zjdl5XjbApoVU7v6pqb/1ox9oa+4S9xzs7xdrIjM/ApbsioVK23qz2ubbTcKSfWr/bxM0OtxKISKoopZSV6k5UH2OHbNW1jp3GljIcMgZPTJrNc0/PJj41nswov8HasJd4xmidU0+BPS2zaV8r+3ypqFGLo/bv9v0b3W5zd3abFnWMpll/14iUE9X97GrsGOrH/g+CD/8fDAZ56IG66wmA5bNF1M0B1oU1zfCNXyvY3DStuEkryF5rEKJmE9tOnTP45ceLI+028bUJWW3Ubrf7eej+Y3Y5Xl1idX0xmPV57Ef3UVvhH/27beEcf8RNUT9Gf93ZWFCjn7r6jiKwu5pTjb/rWMdOY0e09XDL+EHcMn5QjeN3JZba4U+7hAx/jJ3F1Npd132962+v75i6dHy7GzuG+tGgoqiUqgbXtTvsKtj9gGbUUFZdBVDo+p/PKCEDChHNQQngAHuWSyXrJUh7DQWEsJLz7cnlsgmKzh7rkCxuNxy3qu2jF5xGzfmGwvMiPLddEUYTa91GPX/H0CBo0O3eUwJgi0clJT5efGUeO7aWMGBQG44b3h6nUycUkrz6+nyWL91C915NOfXkziQluSN6lP0OYYuNgvc/XELXLll06Zy529NqQ3MefK/gXWXl2GvsLaGuTVD25BTNduzah1gDapGCUwUixM5PidrFkLWJXsMngYmBA5DdQ0pFKCQJhWRYiV6dX83+ROsbGjWKY+Gibbz8yu/4fNVZNFJTPRQUeHly0hwKC6oi7Q0B05QEgyahkOSxJ2YzZ25eeG1R6zBlLb2atW6lVKQcoHpDIc+RyNsk8hKJ/D+JCoZ/D2H9b3/sOBj7b/v3yADhttrtNhdknxOdVSK6n9211x67ruNDtY4vBjVJolaq6t/rGsPej1UK9Y6Eiqg+otdRe4zo9trzUrXazaj26LboMcLtaoFCPRPuyAD1pkKeJ5FXStRiSz8Y2dNa46qfFerl6k7VNIWaLKvjm6KvUR1j12ivfe32PGrsX48GJ2y2rswwNPRwfKIQRNqsdut1mJzs4vxzenP55QPIahQfEY90XXDaKV2YeNvRtG6Rim40LOej6xoOh45haDRrlkxcnDO8tqh16FotnYqtCxSRXRc9QJwqUF8r6AliiEA4hPWWN6gWe2zRTET9bf8eGSDcVrvd5oLsc6KveHQ/u2uvPXZdxxu1jneC+lhBSdTvdY1hzzcP1FcKvOwMrY4xottrz0vUatej2qPbom8duz0DSAs7+L+rUO9LxEgB3UFOlKgNqnpPa4+7WKGmRlGs2Qr1XfhlVfsa1TV2dHvtaxfj/vYYDSaKhkISpxNef2MB9z3yI8EKP1175PDZlHHMn7+F6yfMYEdhJUjFbTcP5qyxPQmFFEIotm8vtzLWhmEZFSSbN5fiD5gNFjdni7qffr6C66+fijvZzYaVBYwb0wOARYu3ce7FU6is8NGkSQpPPXoCXbtaIuq3363jmvFTef6JExkwoAXSVGg9hEXc3gVxikA0Fqht1oPEEqAAaAPqDxA3CrQ0gZwkIRXUTyAGgHaPDvGg5ijknVZWX/qANkFDpArk4yaUgJoLFIM4Q6Bdr6FKFfIGCesAA7RLBOI0DUyQd0jU9wriQVwp0E7SUF9bnIdyAvNADAuPXQHyZhO1Dqtg9SDQJ+rI6RL1uIIiULdK8IE4WaDdpKGKFfIqCduBHNBu0RBdhXU3plDn61Y+JFGfKnCBuEigjdVAgnzeRL0OpAJBEP2tealpEnmfgkSrnQ6g36uh/CAvl1AGtAZtooZoJVBlCnm1hI1ACYgeArXVWrO4VEOMtIwa8icTvlfQFuQrEhUH/Bbej7t1a7zUqIknEtGxqRUKeaO05pMM2p0aortAbQ9fi63h/bhZQ3QTqCkStVShlgKbrTVoz2nWyw9ivmy7QIMRNo/HzVvvLOKFF+fx8btnkp4eFwl879Uzm1dfOoWSoiq2bKtg4h1fc+SgVjRpkmyFVu1Umcpqa0gDgk3U5i/Yym13zuSlF0+lc+dMxox7H5/PkrGefW4up4/qwjln9SS9UTxOhx45z+cLsmlzWeRYoFq0CACFQCYIQyCngzhGINaA2qQQ/QQsBgYKmKEQj+poNwvMs0zU5wpxpEA9INH+q0E88IRCPaIQ/xWwAVgB+ts6aqFCfSxR5cAHCpEg0F7QoBkWMZEgb5GWDvETHbVWISdIVHdlPYyfK7TXdMQVYJ4jUWcoRBeBdreO2maJaOpWiZom0YZr0B7kTSbiCg3RV0Q4G3WdRJwsLGL2M6hbJOJT3fq9dnElBfJ+CRvCc8pXyCskqpNCVALTQJ+mQ5VCjpVox+pQAOpRhfaSjmiukGdLRA8NUgXqFBNxkUC0FDAV1ESJeFuHmxWisUB7REN9oVDfKtgUnkBba28QQFcBq4BWwFSF9kbUfowNc3LRIqMtWkpQL0vEUIE2RoM0IgRc3SQRJ4b3Y3Z4P6bplvg5BfSXdWgK8m4T5gH9w/3GOLh60WBpi4SAr2eu4dRTO9M5rGi33SR25Fdx/fgZLF+wCU9aHAVFVWialYgwZCpMUyKlIhg0I+fYuixbd2Wacr9GHdhdz/11E507ZjIk7FSbmuaJ6Aq7dcvm8Sd+orI8wJgx3WnXLh2Xy0ApOG5Ee0q23hbpT9OFdePaurOwDkYpEKkgDhFQqBA9hcUllQFeBccJxJlhX7E+ArVWQXNQecB/FMpUUBo+HyAOOFtAOoihAjE07JfWQaA+lci7TcTNYa6lSEGuQozXIANEI4HoC6zHIr5nCsQxAlWhEGlE9D/yZYmaohDNBGo1oINwY4l0DiwOJiO8vgKFKgTxAki3hHIQPUXNHDtR+jhVCCxViHHhOWUIxCBQ6xSitQATS4dXoSAZyAJc1hzUGgWlYWLTElQRqHwQT4I0pMXBDheo9Qq1WaFdqkEjIIea1llbz6VTzX1VAWeE96MyvB/2O0uPOscRbhdAN4F6WaHKpbWXrQWqJLwfz4P0hPeju7DGCQAnAz2tPrVnoihZjKjtEg1qFdV1jdzcosjftpX0kcd/pml2Ep9+OIFNeaWMOOkNQiErxEfTBFmZCaQku0lLszL2WfmoBE2bJJGY4KJFixR0XWsQ44GuC0rLfACUlfrZuKEkEnlw5eWHcuXlhzLzu7UMOeZl7v/vcC684BCklJSU+Fj+Rz5dO2eSmuqxCJi9+3FYD5P9IBlUW95E+Lv9sEQ7lm4BDgW8CpEB2ud1cLAa1SJLlDVPDBLog3QoUsgxCtpK+J9ucUyF4eMFlmjmAcqpFhGD4Tm6gd+ArxT6XOtJk6eYliURqhX7RlR/ARAVoL0d5hSjobBEt+gAieTw2ndEtW0AemMRjSRQ71t6OfEfDdoA28L7OVOhKkCcp1kEbLVEKNA+1qw9t1GkUH6q38ILleUN21KAKWAN0CX82xwF52nVbiz2fjiovn4VVOvHSsL7J0E7V4NzQc1WyNOkpS44GUQpaO9qUDtoRYT7CBIjZHuJBnPQDYVMxp7Zgwk3f8H1E2aQFO+gcXYSl19yKFmZ8bzy+komTvySP1YXsW5dCQ6HTn5+JW+8tZBpX65i/fpi4m75gpEjO9Gndw6vv7WQWT+u57uf13H99VMZOqw9xx/bHodT3y9uH3afh/ZtynMv/sbEidPx+mHxou2EQtYT8fIrv5O7oYi0JBeDj2wTmYOua3z51RrGjX2ejz++kpNP7mwR4W8stwK1BHhQoXorxCAB+VgK9GIsbscJlCnwCNQykM9K2ASqTKGfoEMWqHcl8jwJhwBVWKJNJ2ERqcqohUgscfAbhVqoEHECDgXlEwiPsowZr0rUqvC5KQI6CVilrPnYfWwHfKDiFKoS5L0SqkDNBs4OX/cUoKdAPSRR/QSis0AcK1AnCcwrTcSRFtcqulvtBEDNB3mfhATABdoJAs4UqBckqlhYBFYItN4abJKQKBADwgaXxUA7UGFOWAwMi7/5oDYoRDsNNURinm0ijhCW3m+AsI7rJpAPK+in4GOFSgSRZukF1esSlRvejywBQwV8EjaK2PuxFYsA9dFQr5rI/5OQBGxQaBM0i8t7S6J2gEgQMACUVIgkDU4WmFdF7UdXgThOQCnWGA2kQ/4nocE4tmAwyNFDW/PM0yfywZSllJT4SEyy0jtfcF5vHE6d3FX5nDW2B6ef1pXUVA+lpT7KyvwcflgzjjqqNUXbK/D5rdJtFeUBmjVN4tqr+1GwtZwqb7BBfNh69mjMYw+P4OMpCxh0VAeOGdaW1q2suFWfL0SVN0hZkZdjj2nLBeceEjmvX79mPP38uRxyiBUALzQBfgVloF2lofKVRZASgSs1RBdh6cuSsN7aAWE9sBLr4XaCdl8116M9pCFftIgLUdyHON0S4aw/qtsJYBGiSgXpoJ0TZsfOE5CsLD+uNEuRTRLQV0DTsBU7XsAEDZFjibjaRA01XyG6gnhGQ/QIj+EA7QoN+Y6yCHPYZUG7UUOlKEsvFySikxIdLKOA2mrtCx5QARDHa6Ar1BwFbmutZIJaI1A7JCzEupN/VahygXaMQFZgcVcJwDIFy0HcpqHdpaGeU6gyZe1TWEzUxmvIjyRUgnhcQ2wHoQScKyCp1n4kAn0ENKm1H9kCMrDG+N5ag7hegx5h0dIHeEGVKMRRAm20db42XkOlK2vdQSKuI2KggO7igDtt/x0hNvv3vfymlCLRJfh5znxuu+wC5i9cSDAYQNOMOg0BfyfUjq1s0LG/UpZi/okoucRWau+rKdXlfLorh9Rd/VYfwlzjHqMuRbkKW2/zQX8+nGXlPxK1QyEOEci3FdrXViyt+liiXpdorxo1LZZ7gr3dj7rWtrv1/pk9rAW7YPJrr73KhIm3c9Ptd5KQnELrtu1o1boNSSnJhEyTJLfOzNXf8/nyD7juiNtplpKNL3jg7mmpTBJcOr9uXMBb81/g0sNvoHNWOyoD8i85izdgELwlkkUXuBVC4HBoUc6rhI0GhNstETaa9Fp1JAXBoIwEUzdk4WIhRGQNto7Q1gVazsXhtWmihi+blIqQKTGiQ7BqO8baPlYm1oNg3/D2+hWWOGS/1aN9m2xltQ3bB832n6q9NbXHNojSG0SNabfbyn096hhbp2QfX9v/qva8tKhzoq2fdrttOIiGvcboOYWP144XmFdIzBGm5erhAu1pHeJAvGgih8mIYUa7S7eIWu1122PXnqeKWvve7Ie95zKqr+hjIta0qL2gnv2oPUYMewxjf4jvKupTG3UVuLUI3M5Xz4oVrfuq6ro4YFWvdV1DCJs4Ux1IvgvCqmkCp1ZrLfXFHdbzuhFHCsRhet2iST3hSFKr581X39i28aIWlKYsvZX9JEYfs6vXYx3zUihwRPUVPXZ9YlddY/QTaNM1ZGV4bo1EhCPTPtUtcdY2SNgRb/Wtu579U2HCshNDU/vYqPlJDWpf6uhjIpk97D7rW/efvL1rP3uKup/JXT2nDYXac6tvrnuLv21obkNUojrYxlcuhXRJlM0VIiJphaSSNVIa2UWT91XsZ13ZO+oaFyxCH13Meae+9qHYI7IFevTEbM6xUfjzV/vfxVSlrE43pGnVGTp2d2vUl/1jbxA9bgw742+5LX6/ycpVBQ0WG1obXm+IefO38OWXq1i8ZFvEj21fI1q0hTAhQ8fQDAzNqJErTRNapN3QrJoECsWqglX4Tf8ux9iTbSysKmRDycad2muPa2hGvUTNzrO2vni9lbJ8H2DlqgK+mLGSOXPzqCgP1HRt+QuvfntPNm2B7Tt27sBOHmkY1kfTrLaqKlidu+sBCwphVa5VZPnPIpqQxrAzGjw1OFSnmrHjRc1wwLhhWHq1YMjEYegIYYVO2edpmobDobFxYynjzprMD99diKYLhCZwOvT9bhW1a5YuXrSNM87+gJwMNyec1IX2bdPRPRpSSoIhS86wdH56JGFgMGhGDA+GoUV0cgrL7B+9HzYiqcexsuGWB8r5fu0P7KjYQcgMkeRJ4qROJ+JxeNhavo0pS6fg1F2kxqVwXMfjcOsuzvrwLN4c/SYtU1paY2tGDS6utvhsShOJDCfHtObr1J18vOITflj3A6+c8jJBM4ihGzg0B79u+o3fN/1OkispUjimRVoLjm4zFEMzCMiApQMNJ8U0dIMJX95Mr+xe3Dr4FkIyhFQSh+5AIAiaQSt1UtRcTRUu7afsBJc6Dt0ABd99v4533/qd5WtKeOPlUxhxbPvd1pa1khVYNUPru2fszLoPPy7JSFfcfIOOKcFhVBOVdRvgi1lWpMbwIwStWwmWLlfcONHkuxkGoaB1nD1OIGjdCw9Nkkx6wWTlzwbNWwlME0xZ7VLkiMoDZ5oQCuv+NGHlkjMlrFmrqCiHLp0FRkwHtxMaNINufTqo6IdZCHCG9Wq2waG2JVXXBenpHuLiD4wdPGianHBse56adAJQ/XbXNK1GZtboDKhO5853X137YRcAFkIwbdoq2ndIp20bKyJ7VeFqrvz8Knpm9STZlUzj5EyO6zACv8/Pwz88RGFVMQLBsoJlFPuKubjPRaR7GpHoSsBluHZeR1Dy0cfLGHl8B+LD1b50Td+ptJ1CEeeIJ9mdEuHK7PaNpRuYu/FXVhSsoMRbQv/m/fFJH0e2HoxDOHDp1ePadQtSPanEO+MJyVCNEn4hGcKh73xNdaHvxAWqsMx52cV9uezivlx/w/SIUWp30DRw7mEG3aQkSEy0iJM9M6Vg3Ua44kYThwcSkuDTTyUvPakT54G0NKuiVW2C4wx3cN0lgj49dBplWtTLuud3HtsujBytk5bKInyzZil+/U3y6ot/W23SfkWDhVQ5HA7e/2AJpqn4+vtcqioCXHtFf/r3b8aX4VqcJ47sSFGRl+de+JVLL+5Lenoc3/+wjscf/xllCPr2asqEmwZacaK6xudT/+Dll37h8AFtuOLSw0hKcjWYO0ZZuZ8dOypIS4tD06zEjAUFlVx+zed4K/wcengLbpswCN3Q8PtNxt/6BevXFpKUFscVFx9G/37NePe9xSilmPn9Oior/Fx3VX/6Hd6MqqoQDofGU8/M5axx3WnVMjVcJFcxuPUg3jj19Rpz2VS2iWlrZjD7kp9I96Rz0ScXs7lsM2AR29+3LOSa366nXUZbrjj8MpomNScYClFVZfKfe2dx+KFNcbg0HLrBjNXTKawqYtGWxWwq2cSFh53PsDbDMGUQIRTPzX2er1Z8yemHnM6Z3c7ktC6ncVqX05i8/CNW5a9k4uCJkXmV+Eq5adp4Srwl9GtxOFf1vxIdnaAZsMr4aQbvL/6A2Rt+YeJRt5CVkMV9s+5nzsZfSXWncMfQ22ib3pZZ62axrng964vWs3zbCs7ucxYndhwJEAmnKyn17fG1mzdf8cnXikvOFDRvIXZZfk+a4K2C2x80WZULl54pGDpE49nnTVo0hecet6jOGeeZvPeh5JijNXQBH0+TvP6O4qiBgisu0HC44P/uM/kjD+ITBIMPhWCUBfiqW0zWb4VWTeGeGzVS06yCMb/Nk0x6XVFeBR1bCcZfJnjuTcmH00GG4LRLTDxOGH+pons3Ys68YTSYlK5pGtNmrOLG8TMYPLAlLZqncN346QQCJnPm5vHNt1Yl95ISL8+88CuBgMnmLWW89fYihgxpw+hTutK3TxM0TeBwaixetp2vZq5h1KiuvPL6Aj7+dAXAHumL9s16rCIudiqiysogt942k1EndeaySw4lf0cl9z7wAwCvvPo7oYDJuef25rjh7cnMsnLzz/hyNTfcNINBA1rQqkUqN0yYQWGhl7g4Bw6HTrOmyTTJSYqIroZmMCv3e/pMOozDnu7PZys+AyAnMYe3Rr/JuR+ey+AXjqR/8/7cMOAGQjJEkbeINxa8zkmdT2Ru3lyenvNcmEMwSEl20bxZCo0bJ+E0DISAn9fP5rrp19MxswO9m/Tmli8mkl+1g2R3ClOWfUxABjiy7ZH838x7WF24BlOaBMwA28u3U1BVSMAMEDSDbCvfzgUfXUCzlCac1PlEflj/I/fPeiByL8S74nnghwd4ft7zDG0zhHhnPE/NeQqF4pJDL2JIuyHc/NUtlPvLWbZjOVd+fhUZ8Rn0atKTiV/dxo7KHSBAN6zrsDfGnLm/K+79j8n69dbNsqt7Ji4BXnpD0ra5oGUO3PGQZN06xerVkhOPFYRMS8Q8figsWqJwOgS/LlD8Mkcx6gSNNz6QvP2hpUrpd5jGyGEaCU544klJfr418ITbJZ3bCS49S6NZlmD8HRZn+8scxYTbTPr20Dj5WI0jDhc4XYLDD9Ho3AayUuG4IRrHD9VITwtP+MDa1A4aNHhd0fE3DuS8s3pRVRVk2E+vsW5dMRkZ8QRDlg7K6dTJzrKKvsS7DbYXVPLGu4v45P2xNGmaBIDfZ5KTk8htNw+mcXYiX85cT36+lZ3wQPgZCgHbt5fz8efLWbRiG3FxDlYu2sqQY6xqSroumP71alq2TGPCTQMj58XHOxl/4xGcd7a1Hyec9BazZ2/gi5lr+Gr6Coq8IabOXEl8nINrLj2cSy7vxbRzplEVrGTh1oXc9vUdNE1uSvfs7jw15ym6ZHXhkJxDePa3Z2mf3p4BLfrj0l1cN+BaBjQbwObyreRV5rL2j3LOveo9tuSVkV/io1PPx0lJc/PKI2NJTorj4kMu4aI+FwLw1dovWVWwClOFOKzZYVzT72oA3l7yDqW+kojoqmuWuOjULRnvyzVf4jW93DX0LgAyEhvx/pIPqAp6iXfGc8cXdzGgdT/eP/N9MsIVrn5c9xPzNy+kXXo7CqsK2V65DVOZ6JrOOT3P5qp+V1IV9DJ52WQqAhU1qlftDc4dqzHyOEHjRiJ8feo/1ueFk0dqnDdGY9MmxQ+zTUpLw66BIqz3MqyCyP4A+AKK1q0Et16vk5oGq1cL5i+QnD1GY/hQa7wubSBvjSUOBwPwzc+Smb8KsrIU69ZDSjiO9b0pit69NK6+qPqmlhKGDBKsWytYtEhxwZnRPiMx2GhQwhYMStq3t27iqqoghq5hSkkgnFNNCKtSeTAoCQRCNG6cwGcfjWPTpjKuv/ULli7exuzvL8Hp1ElJ9pCVmYBpSnRdq1EC70Agb1MZrZqn8NE7Y4iPc+By6rjDtU4vubgvY8f24JPPVtCs2QNcf+MR3HDdAKoqg5H98HqDoCAxycXddw7hlpuO4LobZ3DciPYcM6wNSYluXLqLbo2taOzDmh3Ki/NeYtn2ZUilWLRlEa9c+Ru6MPhhw488OWcSfZoeQqIrkebJzTGliRISXTlo3iae9948naqKEOdf9DFPPHocmdkestKTmfxjJe0z2gAQlMGw5VVgSjNSR7SgshC34cbQq/dciJquJf6Qj0RXYuRvp+7EoTsiurHTe5zK71sWsGjrIo5uM5TyQDkVwXLuHHobJ3Q8IVKaz2k48Qd9NEm2QtHyK/PxODy7dCfZHeLjiNTr3B2khNYtLa6uqMTSbzVKh8REwep1cGx4yYuXQstweFvjDEgNc1ACq4q7UlZfSkFBkcXlGQbkFygM4LF7Nbp0EGg6uMNqyYpKRYtmO88HoLgMfIFq66xp7kGRmn8RGtRgrOuCBQu2MG/+Zp5+bi5Kh86dMtENjYWLtjJv3iYm3vY1K1cXYhg6Pl+IpUu3U1zq5forDich3smq1QUoBcXFXvyBELquUVbmswjDAUTv3jl44p1MnrKULVvLWLO2iLKw3mfDxhLWriumS6dMzhzXi3m/bwGs6Ir58zczb/5mnnpuLlJTDDqiJY3SPDRrlgwK0tM8NGuaTHKyC2/Iy/wtC/h983zum3U/hq5zRKsjcDvcaEJn6h/Tmbfpd7aV7aBbZlfcupsibxHeoBdd0/EGqyjzlWM4NJpkJ9OqVSp+f4jmzVNolpOK06WhYbBs+3IWbFnI83Ofp9xXwYDmAyj3l1PqLQEsC2ext5iQWa0k8oV8VAaqo+2HtT2GTSWbeGPBm8zb/DtvL3qXREcC8Y44dlTuoG2jdvzv2Ie56tOreWPBmwgEPbN78cXqL8kr2cTW8q1sKtuEQOANeSkJjw1Q7C3GVH8uT7aU8NYHElezEG+/a/UR2kVR+SovlJQQsW7v2GEZBwYdqfHJdMkvv0l+/EUxa67ihBEamoDc9TB/qWLWj5KvflIceZSGYdjGMCIl+QIByMkRtGoj+PgTyebtio2bVERE7d9X8MFHkq9mKeYtVixfqSIl+7p3go2bFF98K1m4VFFW9qe24x+LBmVzXC6dl1+ex5Rpf5DZKJ733jgdgDGnd2XZHzu4+OLJnHhydy7OOoSEBCdbt5Zz481fUlhahfQFufiSwzi0b1O2bavgiAEtItbSvn2a0qZN2q6G3ueQUhEImJH0SokJTt545RTGnT+Ztz9YjBmU3HnrkYw6uTOvvraAT6evAFPSsnUajz4wwtoPt8Grr87jkxkryWgUx7uvnx5xAzEMQe9e2TRqVJ1fZ0v5Vu7+9v8oKi/F43Lx1mmWGwfAdf2v4cFZ/yNkBhjeYTgTBo0HoF/zfiQ4EwDo0KgDaeGix1JZbjQDB7Sw3GqUiS50PE43b/z+BvM2/o7TcPLaqa8A0DSpKT1zegHg0B0MbjWYZHdyZG6tUlrh0lyRvlultmTSyCe57rMb8Qa9nNj5BO4cejsAvRr3pEliDv2aH879w+/j2TnP0SO7O/cO+y/XT7uRiz66GF3TOazloTx+3GO0TmtDRrwVye9xeDiy9ZHEOax9MU2FNGv6++0KmgbHHKkRp0vyLPtKnTo2W6XRpaMg2dKAkJwERx1hVXW/8GyNskq44jaFy1Dcd6vOoCMEeZshK0dw3V2SijK45nyNk46z3JgCQdBNSwS1a4sCvPqkxvnXSS64UWIG4KwTBddfJbjwPKt26l3/kwRM6NQKXn1cQyrBMcM0fv4d7nhQkZSoeGiipG8fYsaDMMSmBgiCX7BwIQCXXP4Zo0/twrCj2/yFvg+MHg2q/dh++nkD77+/hElPVrt77M2c7OMvveJzRp3UiWOHt939SfX1FfZx+6uwXS/umHknHTLacVaPs/9Sf3XNq7bFuvbftYsw73aMqH2/4cYZDB3amuOP61CvH5sCFi5SfPKVYsVCyfgbNPr01iJc0F6tr45rXt99ULt9ymeSF16TvP2iTlqaqHf8XVlrdx7LSnz32muvMj4cBJ8YDoJvWSsI/ptwEPy1sSD4fYPCwirWri0iEGiJUuB0WhbF6GB3O3Ouw6GjlCIYrPbqtwPd7apWds3RUMhy6KxdSX1/QROCr77J5ayz3uOoo9tx1pk9cLmNSAUuG9GOuBGOIhzU7nTqUfth1tgPG9HJNsEiBEFZLXJHO9ua0oyIZ5rQIiFVQRmMRCKY0kShaviOBYOyhj9dqa+UtUXrCJgB6zroDjShRUKn7HODZrjf8HxNZa3BCEdDCITFFcpQZE72uSEZioRd2fN2aNY4QRmsrhMaPsdUJijLx06hCJohHLq1pslTljFj2gpmfr+eIUNa13vNbEJQWaEor4A7btXp1nXXrh5g6a7AEiGt+67a4TYUqtZ52dEHljN29XW2oxPy8xUPPa0oqoAF8yUXjxOkp1tWVV2zuDmb29LCPnC27syegxU7Xf09Mn74lqnLF+7figZMNBli/I0DaJyVuJOzan3B7kKIOh1baxdSbqjaB/ZD3LlzJvf831A2bSwiu3FihKBqWt3zrT0/+8G96YYBZGXG13lOXefZUQB1oS7HWgCH5qhxzE6/h/fRPveCQy7A7XDtNI4mtBpv0NqOtLrQdzLMaUKrc77RhLX2vKPnW1ffAoHTHltARkY8nTplMOioNhx6qGXcqLv6vPX/wAEaAwdY33dH1KCmQj6asIBFsOoapy7nX4dD0LaVotwLI4fqnDA0rHPT6nfQtcevzygQPf6u9IT/RjQYxyal5PDDaueC/nvBfjhSUtycMbrrX+jH6ujww6wHcV/k4/qrsOfUM7vHgZ3IXmLwES0ZfETLGm27C1y3uaSGtCKmpMCl58aCOxsKDSqKmqYKW4T27Cm2RVQ7vjIadiGX+tIa7U/Y5f+AvyQCmyGFMCzRtuYA1Mzv1YCwM3Xsk6wgdv6x/SgiSakiYr6ui93qijQNnAeAvlj3TPgPUc2pxbB/0ODuHgAhc+dK8Hawe3T7tm3lnDbmfXJy7uH8i6dQUW5lqQgEQlx5zVSaN7+PIcNfZVNeCcAeW8b+KpSqTnJ56hnv8P6HS8Pj11xb7UrwVlu4UVle85oUVs3IPKxybyFQCxXmaBOzh4l8UNZMjKiorkBeX3t0NfG62iVWPn1bfDGxcpeFQENDk1r9/Uh2Htsu2mKCPNdEfRJOdnCPidnPxDzeRC1X1WPZ/9ce408gugD3gVKA7wmsouDhT1353WLYp2gwwiZEtVXR0HeuBG/XCbXblYLMzHg+nTyW++4fSSggI/e/rms8/8yJfDj5XNwOA7OBCBpYBMrKMqJj6BogCAbDSnuNGmurXQneahPVRKII1ESJeZ5pfW41UdsUopdA/0RHO1lYFY9s2IpiO1minemVWu3RmVnrat+mkKNN+E1ZmVtXgTzDtPL6764fjZqcpAp/j87mG7D+0+7R0d/REHY2WKLOqWuMGGLYR2gwUdQ0FQ6HYPv2CmZ8vZqgN0ijzARGndSZ7dsr+PLrNZRV+DB0jZNO6ER2dmI406iqkYbbhmUxNRs84aMQgpISL598uhwpBGtzC3GFlf8+X4j3Jy/F6w2QmhrH0CNbR/zQ8gsqWbxkOz27NyY9JQ5lKHhYoVYp9K9ridN2eTuo+erRgO2gvrMIkOgjrHJzAOWgZiiLYCZjVW4Ku5mpycoq8pIFYriwREMn0ATrexOsWpweYCuoWeF+nMCQcGbaLVgFZ8qBPKyCLZ0FCFClwFfKIlJ54b7AImDB8LyjL5MA9Zmyql41Cs8puuRgDDH8RTQYYdM0jbXrirl14ld4gyHcmqBV20aMOqkzxcVeVq0uICglxYVe5s7N44lHTyA+3okQok623WpvuKfAliBLy3xcd9MM1qzKp2W7RuzYXhHR/73+5gK++HoNqakuDEOnT68mpKfHWcWiv85l3NjnmfLRlYw6pTOySCGWK6uKkS3KRdcEqMsfaq1CPiQRAQEekO9L9Ht16IBVMm8pVoVxHegBIlmgXpRWMWU3sAAoBDEUK7fZowpaKNiBVX9TB1WkUOuVRfC2A78oxCMaajao603UKIEoEcgXFfqHOrhA3WGiNoDoIFBF1viCetahg3pXopaH57Qc2KAQF2vVHF+MuMXwF9FgaYucTgfPPf8rhkPjs3fH1TimY8cM+vVrzo/frsHh0vl06gruLvGSmLhzDrEDCSFg5je5LFu2g99+uQyAUaPfoSoczjVv3hYCVQHuemgELVqmANUEsX+/5jz74nn0scvv5QkoUwibS3FQ9wNtF6yRoF6XCA20VyxCKq8zkV9KtHYaaqkCU6DdJCAc3K3KFfLlcK3SdOBXizhyaJhDiq6+rmGVnustYB2oJcqqP/pz+Bq6gO4C/X4d4hXyyHD5vDxgBRGuU+abCG9d6wj/51fIl5RV87QdsArUTwpxJhZRjvLLiiGGP4v9Xswl+h7dsrWcgQNaRIwEUiri4hxM/mg5z744l5OOa09QQXpaXMTQYGVypZ7vaqfv+ws2c7htWwWdOmQgpeVZL6M8JCfeMohvvs3l//77LevXFzHp8ZF07ZqFaUpatkzhsov6RvrTssE0QNle37YOyt6w2suRQAGIbsIS75T1XRUDGoibdfhZIe+SUCTQHhZWdfREEJ3DhOxMLE7OA0qCdqOAFgLKQJ5lQgqoDyXqQ4UYoaESlVXnVBNQqaAHEA9qB1Yl9bC+jjai5kW3Ef23TUTzrPFFZ2HVKx0BdNKsgivR64/hTyN6C9Uefg4UdnXb/JV5NahVtHXLNF5/fT5+v4nbbRAXzn7x7ay1NGuSzDXXDKBFkxSKi31ISaQClBEmci6XESEwdmUry2PfaDCxtHFWAouWbkMIwdcz1/D1l2vweCzGt1WrVC66sA+P/u84HA6DDydb1lJNE8z6fj2HDHiWX36x6gbIDND6C9SjyqrUHq2Hiv5ui3MG0F0gv1EWkXCC/EIhkoRF2NqAOEeg3a1BCcgvFaJ5mAi2A3GWQJwZrg6vY+nQtmH9vjmsUwtYHBodBOJ8YYmZ0caLcqrdNwLheTUWqFXWnNR3CvUdKDtzhs2JKmu+CBBNw0S8SdScelDtEhIjbA2KA0nU9icaTMfm9fqZeOsgiou9tO/+OLqUdO2ew/RPz+bM0V24/Nqp5OTcy4BBbWnVPJW4OAdr1hQy9pzJrNtUjBDQtv0j3DrxKM4Z25Mzz/qA3xdtJiShb9+nGHNWb+69eygut2O/xJPafY44tj1ff5NL8+Z3c8xx3Rk0qFXE5+v0M9/n53kbidMEnXvkMG5sT8AiwuXlfpav2EFlpWUyVCHQbtPgYok5xLQe/CzQX9BRi8Oclw9QYH5vIsYLtAs05GYTc5Bp6bFOF4hzLcupvNBEbcPirrootGEauEA8oiGvlJYoWQ7a1RriNCxCYn+cwhrfAeJEgbxDYn5jItqBaGzNAQNLJ2YTWo+1L2KIQHwtMHuZiGEC0QdEmFeXF5mWLi0E6mwJg0C/W0c8rSHPk/A/wAfaaIGYoNnhjjHE8Jch8vZzEPwd4UrwgUAAZzjWxIqNVDVCpqS0rJwW91XdTzBoxUsKTRAKmhFXikDAjLiJ2DGVDRVaBeD3h3A49RrOtcGgGS5UY8WC7rHFNuweEeHMbAdd+7sZ/q7VOj46dMeONYzijiKw/cWg/rqa0bCNGXtYFyAyp9p6Qjus1Qj3Z7uMiKgxoNpdJIY/jdqV4G8MB8G32k0QfNOUbPwHSRD82+Eg+E5/tyB4G3XFRtqptqNRO1ZUj/o9ur2+WMv9iboSW/7pKIjaBETUaqvdbV0EZ1fe/XtCzKKh1TPGrrC7OdWe358ZI4YY9hCx4LUYYojhHwdjv2gPo0OJUAQCAQKBQP3HxxBDDH8JoVAIKSWhYKg6uiXyUXWbQQ9Gs+g+mtN+FUWVUng8cTidzoh+LYYYYtj3sJ+vjIwMTCkP6rjZhsB+I2wSSIiP55c5czi0b19CoSBCaOHsHhqapqNpGkLTYhb+gwgK0DUToUnMkLGP8vPGsL+hlELTdbZs3kxaSsq/XkLaL4RNCIE3AK3atOW7RX9QUVEetoKCr8rL1s2b2bxpI1s2baQwPx9pyt13GsN+h1IaDoeP9es7s2NHM7p1/wmn04+SMVXsQY/w26drk2Y0atQIr9eLruv/Ws5tv3FsSoHhMOjevUMNC0UI2Lwpnw3r17J10ybKSkr457oJ/r0gpcDjCTD/9w6sX9uEo4Yl4Hb7kTHC9reBUopQKITb7SY+MRG3x4PT5f7XPWH7WccGlb6aWyoEOJwG8XHxpKWnExcfv9/DoWLYM0gpiI8LkpybhNutk9k4m7j4EKb573zr/90gqA5jdLpcpKSmkdooHbfHvctq9/9E7P+aB3WwwknJqWiaTmJyMgGfb39PIYY9hGkKEpIkq1fFs3Wzmxat2pCYaMYI298QusNJUlISSSkpB3oqBwQHzN87MSkJjycOadou6TEcaJgSkhIgrZEiPhFymiaQnAKhA1uLOoa9hkJoOg6nI5zT8EDPp+FxwAibkgrdMDAcsViagwWmCS4DdIdE102cbgdOl1UOLoa/Fyz3tX9v5s4DR1WEnZbogM0ghlqw/TiJpIPiX/vG/2fg30nUIBZSFUMMMfwDESNsMcQQwz8O/w8n/2LBx8l1cgAAAABJRU5ErkJggg==
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAQsAAADlCAYAAABEbNIUAAAK5WlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96Y0WiICU0Jv0FkBK6AGkd1EJSUhCCSEFFRsqgyM4FlREUBnQEREFR0faWBALtkGwgH1ABhV1HCzYUJkLPMLMvPXeW2+vdXK+7LvPPnvfdc5a/wWAksIWi7NgFQCyRTJJdJAvPTEpmY57DGBAA3igAYhsjlTMjIwMA4hNz3+3d70AmphvWE/k+vfn/9XUuDwpBwAoBeE0rpSTjXA7Mr5yxBIZACiEgdFimXiCf0NYXYIUiPCHCeZPMpo8wWlTTJ+MiY32Q9gJADyZzZbwASD7IH56HoeP5CGnImwn4gpFCG9G2IsjYHMR7kZ4TnZ2zgR/RtgciRcDQDFGmJH2l5z8v+VPU+Rns/kKnupr0vD+Qqk4i730/3w1/9uys+TTe5gigyyQBEdPMXQ7MydUwaK08IhpFnKn46HbAnlw3DRzpH7J08xl+4cq1maFh01zujCQpcgjY8VOM08aEDPNkpxoxV7pEj/mNLMlM/vKM+MUfgGPpcifL4hNmOY8YXz4NEszY0JnYvwUfok8WlE/TxTkO7NvoKL3bOlf+hWyFGtlgthgRe/smfp5IuZMTmmiojYuzz9gJiZOES+W+Sr2EmdFKuJ5WUEKvzQvRrFWhhzOmbWRineYwQ6JnGYQCwRADkSAC3hAAtJADsgCMkAH/kAIpECM/GMD5DjJeEtkE8355YiXSoR8gYzORG4gj84ScWzm0B3sHBwAmLjPU0fkDW3ynkK0yzO+3HYA3IoRJ3/GxzYCoPUxANR3Mz6j11N35WQ3Ry7Jm/KhJ34wgAiUgTrQAnrACJgDa+AAXIAH8AEBIAREIJ0kgYWAg/STjXSyGCwHq0ERKAGbwXZQAarAXnAAHAZHQTM4Ac6AC+AK6Aa3wD3QD4bAczAC3oExCIJwEAWiQlqQPmQCWUEOEAPyggKgMCgaSoJSIT4kguTQcmgtVAKVQhVQNVQH/Qi1QmegS1APdAcagIah19AnGAWTYXVYFzaFbWEGzIRD4Vh4AcyHc+F8uBDeCJfDNfAhuAk+A1+Bb8H98HN4FAVQJBQNZYCyRjFQfqgIVDIqHSVBrUQVo8pQNagGVBuqE3UD1Y96gfqIxqKpaDraGu2BDkbHoTnoXPRK9AZ0BfoAugl9Dn0DPYAeQX/FUDA6GCuMO4aFScTwMYsxRZgyzH7Mccx5zC3MEOYdFoulYc2wrthgbBI2A7sMuwG7G9uIbcf2YAexozgcTgtnhfPEReDYOBmuCLcTdwh3GncdN4T7gCfh9fEO+EB8Ml6EX4Mvwx/En8Jfxz/BjxFUCCYEd0IEgUtYSthE2EdoI1wjDBHGiKpEM6InMZaYQVxNLCc2EM8T7xPfkEgkQ5IbKYokJBWQyklHSBdJA6SPZDWyJdmPnEKWkzeSa8nt5DvkNxQKxZTiQ0mmyCgbKXWUs5SHlA9KVCUbJZYSV2mVUqVSk9J1pZfKBGUTZabyQuV85TLlY8rXlF+oEFRMVfxU2CorVSpVWlX6VEZVqar2qhGq2aobVA+qXlJ9qoZTM1ULUOOqFartVTurNkhFUY2oflQOdS11H/U8dUgdq26mzlLPUC9RP6zepT6ioabhpBGvsUSjUuOkRj8NRTOlsWhZtE20o7Re2qdZurOYs3iz1s9qmHV91nvN2Zo+mjzNYs1GzVuan7ToWgFamVpbtJq1HmijtS21o7QXa+/RPq/9Yrb6bI/ZnNnFs4/OvqsD61jqROss09mrc1VnVFdPN0hXrLtT96zuCz2ano9eht42vVN6w/pUfS99of42/dP6z+gadCY9i15OP0cfMdAxCDaQG1QbdBmMGZoZxhmuMWw0fGBENGIYpRttM+owGjHWN55nvNy43viuCcGEYSIw2WHSafLe1Mw0wXSdabPpUzNNM5ZZvlm92X1zirm3ea55jflNC6wFwyLTYrdFtyVs6WwpsKy0vGYFW7lYCa12W/XMwcxxmyOaUzOnz5pszbTOs663HrCh2YTZrLFptnlpa2ybbLvFttP2q52zXZbdPrt79mr2IfZr7NvsXztYOnAcKh1uOlIcAx1XObY4vnKycuI57XG67Ux1nue8zrnD+YuLq4vEpcFl2NXYNdV1l2sfQ50RydjAuOiGcfN1W+V2wu2ju4u7zP2o+x8e1h6ZHgc9ns41m8ubu2/uoKehJ9uz2rPfi+6V6vW9V7+3gTfbu8b7kY+RD9dnv88TpgUzg3mI+dLXzlfie9z3vZ+73wq/dn+Uf5B/sX9XgFpAXEBFwMNAw0B+YH3gSJBz0LKg9mBMcGjwluA+li6Lw6pjjYS4hqwIORdKDo0JrQh9FGYZJglrmwfPC5m3dd79cJNwUXhzBIhgRWyNeBBpFpkb+XMUNioyqjLqcbR99PLozhhqzKKYgzHvYn1jN8XeizOPk8d1xCvHp8TXxb9P8E8oTehPtE1ckXglSTtJmNSSjEuOT96fPDo/YP72+UMpzilFKb0LzBYsWXBpofbCrIUnFykvYi86lopJTUg9mPqZHcGuYY+msdJ2pY1w/Dg7OM+5Ptxt3GGeJ6+U9yTdM700/Snfk7+VPyzwFpQJXgj9hBXCVxnBGVUZ7zMjMmszx7MSshqz8dmp2a0iNVGm6FyOXs6SnB6xlbhI3J/rnrs9d0QSKtkvhaQLpC0ydUQ4XZWby7+RD+R55VXmfVgcv/jYEtUloiVXl1ouXb/0SX5g/g/L0Ms4yzqWGyxfvXxgBXNF9UpoZdrKjlVGqwpXDRUEFRxYTVydufqXNXZrSte8XZuwtq1Qt7CgcPCboG/qi5SKJEV96zzWVX2L/lb4bdd6x/U7138t5hZfLrErKSv5vIGz4fJ39t+Vfze+MX1j1yaXTXs2YzeLNvdu8d5yoFS1NL90cOu8rU3b6NuKt73dvmj7pTKnsqodxB3yHf3lYeUtO413bt75uUJQcavSt7Jxl86u9bve7+buvr7HZ09DlW5VSdWn74Xf364Oqm6qMa0p24vdm7f38b74fZ0/MH6o26+9v2T/l1pRbf+B6APn6lzr6g7qHNxUD9fL64cPpRzqPux/uKXBuqG6kdZYcgQckR959mPqj71HQ492HGMca/jJ5Kddx6nHi5ugpqVNI82C5v6WpJae1pDWjjaPtuM/2/xce8LgROVJjZObThFPFZ4aP51/erRd3P7iDP/MYMeijntnE8/ePBd1rut86PmLFwIvnO1kdp6+6HnxxCX3S62XGZebr7hcabrqfPX4L86/HO9y6Wq65nqtpdutu61nbs+p697Xz9zwv3HhJuvmlVvht3p643pv96X09d/m3n56J+vOq7t5d8fuFdzH3C9+oPKg7KHOw5pfLX5t7HfpPzngP3D1Ucyje4Ocwee/SX/7PFT4mPK47In+k7qnDk9PDAcOdz+b/2zoufj52Iui31V/3/XS/OVPf/j8cXUkcWToleTV+OsNb7Te1L51etsxGjn68F32u7H3xR+0Phz4yPjY+Snh05OxxZ9xn8u/WHxp+xr69f549vi4mC1hT0oBFDLg9HQAXtciejkJ0Q6IlibOn9LbkwZNfSNMEvhPPKXJJ80FgFofAOIKAAhDNMoeZJggTEbmCZkU6wNgR0fF+JdJ0x0dpnKREbWJ+TA+/kYXAFwbAF8k4+Nju8fHv+xDir0DQHvulM6fMCzy9VNqpqVMsugJzS0A/7Cpb4C/9PjPGUxU4AT+Of8JizUh8jnksS0AABQySURBVHic7d19kFXlfQfw7+8cXZnRxUwy4jhCVMCZ3WiMtfhCA0HAFd0ppBhqY1tMHLF5WRZ8yWxNO6NDp3YqMUEEnFBTY+UPOzVoxMn6Cko1pmJSDQPcTa1IfWt1q6lcTGSz5/n1j3Pu2+495/727rlvu9/PzM6wPvc853nYvb/zPOfg/YqqKoiIKvAaPQAiag0sFkRkwmJBRCYsFkRkwmJBRCYsFkRkwmJBRCYsFkRkwmJBRCYsFkRkwmJBRCYsFkRkwmJBRCbHAMDBgwexbdu2/H+86KKLsGTJErCNbWxjW65N+L+oE5EFtyFEZMJiQUQmLBZEZMJiQUQmLBZEZMJiQUQmLBZEZMJiQUQmqRSLTGYQnzzl7/CDf/x5Gt01pUxmEKfNvgNvvvlho4dSNR1QuDkB9K2J+e/wkuY30edeD1xZ1NsQ4JYFCDoLX+6Hznxc3Gt1pwv7+ssg5QGPfSy1UNf5UVnHpNFJZ+dJ+OC//yqNria2IcCtCIBjAD/jp9q19ivkegEeUuAwgKmpdt9wE31+raDqlcXQUIBLLr0Pfvut+a/cNmTjXT/Dqr/4MU4/87s4+9xN+PKf/ku+PZsdwmfP3Yxv9T2eP+6Gmx5LbUJpym2v/PZbcfYFm3H4yFDZtnJzeOrp10r+TgBAn3PQQ4DcVf6vXQcUwTmjVxxui0PwuQD6KqDrNWw/K4DujpbUWQCvA94VArQD+rKW7dMtd9DCFOB6Y1Y4WcDND+C+XdQWXdErjSVuDrnzuZuDQvs5hW3BqOOKVxBVzq/S3M1jKZpD0jjH1Gbss6loCo4eHdbFXT/Ue37wkqqq3rnxBf3Eybfp/v3v6mmz79Drb+zXOze+oNff2K+HDx/V02bfoUsuv09VVQ8ceE9PnvH3uuuZg2kMJTW5cebmdODAe/rpWd/RN974P1VVve5rP863lfPkU/+p3gm3lLwm2BxosHw4/+fhjmEd7hjW4N5A9bBqMG9Y3ZsuGoBqcOGwumej74+qBkuj147gng406Cv0m/uzHlYN5hSOcRmnwe8XnaO4j+K23HHRWF3G6fC5hrFUmEOweliDzw+rfqiF76M+iv+cyvwqzD12LJY5xIwztm0cfTaTmt2zuPC8UzFjxifQdqyPZUs7Strajz8O92z9IwDArFmfxNkdJ+O1196v1VCq8m8vvokTjm/DlX/82bLtZ31mGr52/aO4rPufyrZ3XTILQXYdVl07p2y71+PB/6UPOTP8Xt9W6IeA6wr35sEFATRrGOgQoBsV6BAAgCwW4BUAhwHd44DjAO9LMSuZ6D5AuSsvphRWQDJTIDMAPZh8c9A0h2slv4XwNvnwronG1iHQ9Qp3xYirapXzqzT3uLFUnEPcOBPaxtVnE0nlnsVktHbNXKxdMze/3eiaPxOP938l8RjpAPQBlN9zv62QqYDX749pP64HFXoIwHpFsD76ZfNKl+plZQH9a4X3fQ+yQKADCv3zcd6wrHIOQFg80VMoYNIJeA/51c+vWhXmEDfOxLZx9NlMGv40ZPe/HsIv9r6DJZee2eihlJh+6lT87we/wS/+/R0MDQXoXfuTknsWOV2XzMK+PauR+Y/Bkseq5e5ZyAUecBRwt42+guTbtse8YdsAnAZgoPRNojsVMju8YZr7km8KtN8Bpwr0o+iNNQRoX2H1oG8r9GhRP1tGrCyKz5G719IliWOpOAcDWezBe9gD3gD0La16foltSec3zmHkOJPa0uizGTRkZZH96ChO/8z3AADHtfn4yfaVmDHjxEYMJVZn50n49re+gEuW3gcA+M7fXIp33zsCILy52/2H2/DMz17Pv37rnUsrz6Ed8Hb5cIvCpT8AwAO8meGNO9nmwV3p8ldQ+VTp1Uh6ovYdQXjcXQI8ocByKTmNdABuKyC9gKwSuK+Hv6TyDYE8qNFrBDIPhbZFgBQP/+Nw2Zwf490eZHrhPKPGcne4Qqk0h7Kip0T6atEc+gQyTaBPuOrnF9OWKOnnMCVmnNMlfg7R31lVfTaZVD4pK/fm+fKfnB27R8/JZofwB/P/Af2PNl+BoEgWcN0B5AGvKX9pqTFS2YY061aCiNJT9TYkkxnE5xfdgw+PhBtf0zKciFoWP7CXiEwa/jSEiFoDiwURmbBYEJEJiwURmbBYEJEJiwURmbBYEJEJU9TZxja2MUWdiNLDbQgRmbBYEJEJiwURmbBYEJEJiwURmbBYEJEJiwURmbBYEJEJU9SNJkKKetOK4hLjPv6+OGaxnmHMVIori3pLO0U9C7jzS/srzu2MMyqVfCzJ6DGvdVtc6ThSyu70Nvkl6W3UGExRr6dapKi3A95LflUf3y/HIx8FiCnjH0ouWYtRAhMTU9QTtEyKepyENHQAYYG4WMomZaU+FiSktufOuVPHvBpJSiendFW9smhr8/H0k18FUAgZKrZ9xwH8dNcqdH9xG045pR3fu+0y7D8wCCBMJNu3710E2XXIZAaxcMm9WLa0AwsvPqP6maQsmx3C5cvux/q/vRSrrp2DTGYQly0thCBv2PhCvs1KBwCZDch0gdvioJuj9Kw+gbfCg17n4PVHV+Ms4LoC6EwNr9jXRauS5VIIE7b4GMCvwpWMDijcVQ7aXXhjyyKBbnbAnxVPHjUZi7epsJrKZatql0JOlHCcj+ioccqChJVJwjgTj6OqMEU9RsukqFdSIQ1dOgWYBujuwhW5VmNpSGo7pYYp6lVqlhT1NEi3QDdo4dJRi7E0WWo7jV3Dn4Y0a/Rhq6Soj8WoNPTcued74f2LwdqNZVyp7THSSG0nO6aox2iJFPW7Pch5ArcogIZDg3Y54FiE+/joXkC5NHT9VdEbvS1MGXerFRKNs6qxJNwnqDq1fWQ6+XpFsD4I7/Nc41WX2k5VYYr6RMZHmJQipqgTkQlT1InIhB/YS0QmDX8aQkStgcWCiExYLIjIhMWCiExYLIjIhMWCiExYLIjIhCnqbGMb25iiTkTp4TaEiExYLIjIhMWCiExYLIjIhMWCiExYLIjIhMWCiExYLIjIhCnqRkxRN2Aa+oTGlUW9pZyiXovkcqahUzlMUa+nGqSo1yK5nGnoVA5T1BO0fIp6pCS9/Jxom1ApYd3aH9PQJw2mqMeYKCnqrjcA3i6zkskiNmG9UgI509AnJ6aox5gQKepZAC8Bsjbmx1xFcjnANPTJiinqVZpIKepjwjT0SavhT0OaNfpwQqSoHwdgGqAbK7+ZrcnlTEOfvJiiHqNlUtST9vRtgPcjH25F0fkMCetJmIY+eTFFfbLiY1EaI6aoE5EJU9SJyIQf2EtEJg1/GkJErYHFgohMWCyIyITFgohMWCyIyITFgohMWCyIyIQp6mxjG9uYok5E6eE2hIhMWCyIyITFgohMWCyIyITFgohMWCyIyITFgohMWCyIyIQp6kZMUafJjiuLOipO8irJHR1vvy2QE+p6y2WiOrgrxpfMTvXDFPU6K87DcFscXHdRxmc1soCudJAbwvyNfL5oM+aEjiUgiZoOU9QTpJ2iPpJ3nQc5HdBNrmKq+ajVQ9Tm7nfAcYD3pShfNAoB0v5Cn7nViw4o3JzS7+NWJK43gLs5KLRHqyC3xcHNC8IIRiAMD1pmSEvvaLLCRWNWdbHIpagH2XX47fu3YOHc0gT07TsOoP+RlTjy0VBiivq+PavxwIN78cyzr5c7TcMUp6jnxjn1hLZ8ey5FPciuQ5Bdhw3fvXzsJ8lFEuYUpZp7mwX6GApv7C3h6sHP+GH77VGS+YAC01Ca3NUhwKtIVpRc7md8+Ht8YKtCdxdd/Z8H/OfD88kCQJ9SeFd7wDCgL0fjOqjAO4D0Gn+VRhQwMGqmZTBFPUatU9TLKkogx6kCaStq6xDoek1tj29KLr9W8kXI2+TDu8YD2gGcH61cAOhOBRbDEHsI4FVA9zjgjLDw6EAqU6E64Q3OKq1dMxdBdh1uunEe/PZbY4tGoiEA/wXTEt3rCVcA0iPhliFXNDoEeA+FbQEQrjYqXbGj5HL/RT+/WvH3+6b7HNLjAa+EBQf/rPZVBQA9CMiVAvyc9y9aTcOLRbNGH9YiRX0kd1NgShkvJos9eA97wBvhFkUWC/RwIYFcdzroLkC6ox/t7wC8BmAI0L5C4vl4ksulQ4CzAb3HASdVXlXkvQPgRYV8wQtXLG8p72W0EKaox6hJijoAfR8ILiwkhfvPR0nhI7cAxUYmkAOQPsm/Sb0NArc6TCUfla6+UkoTz38ddWBIbU8i3eE5pc/4Zj9VoL9RyKcQ9j9doJsV0mc7nBqPKeoTRRZwXQHkdq8uj0x1p4PequbiQq2PKeoTRTsgt4WriDT/wVdZWUBv1pIboDTxMUV9ApHFHvxMbc/hegPo04AsQ/h0JCcLuEUB9EiZg0Zujagl8QN7icik4U9DiKg1sFgQkQmLBRGZsFgQkQmLBRGZsFgQkQmLBRGZMEWdbWxjG1PUiSg93IYQkQmLBRGZsFgQkQmLBRGZsFgQkQmLBRGZsFgQkQmLBRGZMEXdiCnqNNk1JApgstKdDm510T+YPRbjC0WO5D4XM+1+iYoxRb3OUk9Rz/XbJ6UfoEuUMqaoJ2iFFPVK4tLQy/ZZlKKe1EaTU9Uri1yKOlAIGSq2fccB/HTXKnR/cVtiinomM4iFS+7FsqUdWHjxGSNP0zDFKeqrrp2DTGYQly0t5JnmUtTHFHw8UkKKuu50cDcotFch0yWfoh63etD1Gp8s9nwh+cz1BtCnFLJC8inqMl3yIUU6UyHnJbTx4/wnrZrdsxiZor537//k2+JS1JupWFhT1H+0fT8e7//KqPZcivqYjEpRL7q/kUtRfzSA95A/6tDEbciINHQgXDnoh4B2Fa0YPEBQSFgv10aTF29wVmntmrlYu2ZufrvRNX9m2aKRKJeivtyWoo6e8CZp0BlAOlG2aJhFKerl4gd1p4tto8mr4XfEmjX6sFVS1KuVlKI+noR1mriYoh6jlVLUq1IhRX08Ces0MTFFnYhMmKJORCZMUSciE35gLxGZNPxpCBG1BhYLIjJhsSAiExYLIjJhsSAiExYLIjJhsSAiE6aos41tbGOKOhGlh9sQIjJhsSAiExYLIjJhsSAiExYLIjJhsSAiExYLIjJhsSAiE6aoGzFFnSY7rizqKBcQlM8pHQLcMmOOaMJrR+WSXmHLQa0311sY48jcVWp+TFGvMzkewCsADgOYMv7+dEDhrnLwNnktkUPKtPfWxRT1BDVJUZ8C4GIpm/YVl1zutjgEnwtDhnS9hu1nBdDdla/KSWnocQnrbouDmxeEBa34tdGKqJo+EyUlyEdtxcnvbk7ROHsCuPMDuHkB3FeZ+F5LVReLXIp6kF2H375/CxbOLQ013r7jAPofWYkjHw0lpqjv27MaDzy4F888+3q50zRMcYp6bpxTT2jLt+dS1IPsOgTZddjw3cvNfcsiAXaNeANlkU8u9zM+/D0+sFWhuxVejwf/lz7kzPDK7Gd8+Pt9yAKBdAhklcB9ffQbPKnPvChh3c/4kAWAPqXwrvaAYUBf1nw/eAWQXq/qPnPyxa4zKB1vUYK8t1mgj9niGfU5QO4P4xZxMiCrBRjg1qYWmKIeo5Yp6tIp0GmA7i5cAceTXJ4LTXZbHIILg3zUoL5j6LNMwjoA4HxA+x1kgQ93vwNOAmS6JKavV+wTMduQLJIT5BPI7GhcPiDdHnQfC0WtMEW9SuNNUZdugW7QwtouIdXcyuvxgKsBtyiA2+4gn0bVfUqPB13rgEEFnlHIWi+1cVJravidpmaNPqx1irrM98L7F4PR95WSy9sAnIaKS2x9W6HDgMyUcaWhy0wB2gH3kAJZQH5PbOOshd8BeA3AEKB9Djr6x0B1wBT1GLVKUc9rA+QbArdawyV8hVRzILzauysdgh0B4AHe3R4wrHCrSwuI9En+yUjVaejF4+srbCss40yi6zV/HI4FvH4PcmLCZqsdwMrwngwAyCJAfl35PJQ+pqgTkQlT1InIhCnqRGTCD+wlIpOGPw0hotbAYkFEJiwWRGTCYkFEJiwWRGTCYkFEJiwWRGTCFHW2sY1tTFEnovRwG0JEJiwWRGTCYkFEJiwWRGTCYkFEJiwWRGTCYkFEJiwWRGTCFHWjiZqinosiTDXyLwpxHhVFWKmNmhpXFnVUqxT1sn2PRxZw55cmno+lmOhzDvgA8F8MIwy9231TWzWYzF4/TFGvs7RT1HO0XyHXC/CQhn0b08KkQ+DvLfOGnQJ4D3thNOBOB3eDQrsUMr1yoKIOAJhWfgxJbdViMnt9MEU9QcukqGcBvA54V4QpYsWBxrHp5Ci9KldaOchUQKZKxVTzoDOAblZoBqOS2ePakuaeG+eYk9krHJd0vqS2yYwp6jFaJUUdAHSPA84EcJIACwXaX/TLXZxO/rAHfRL5IuNt8vP9jvIx4Lqirc0ahdzmVVwNeD3h2GW1QDrDc/p7fch0SWyrWTJ73HFJ57OMZZJiinqMlklRHwJ0owLLo7jCxQJdG21FBCXp5DJTIDMAPaj5QhOreBsyoHBXOXh3epDzLLnuY2Oa+1iT2ROOS0qCH0+a/UTHFPUqNUuKuh5U6CEAxRmiXrgVSeuNLTMFMiuVrsqrdzJ7wvl0p2NKfIyG3xVq1ujDVklR150KmR0t66Mv+eaIrUjutc856CFAusZWRPSgAocA5ApGyqnm9U5mTzpfQ1LiWwRT1GO0RIr6XQI8UdiC5EgH4LYCeo3m7z0AyCevy3QJH8WuCG+aAsivTKRP4K3w4o8D0k81H2cye9rnq+tYWghT1CeyLOC6A8gDnumRJ1ESpqgTkQlT1InIhB/YS0QmDX8aQkStgcWCiExYLIjIhMWCiExYLIjIhMWCiExYLIjIhCnqbGMb25iiTkTp4TaEiExYLIjIhMWCiEz+H+RIM8OwwiocAAAAAElFTkSuQmCC
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAaUAAAJYCAYAAADCNvn0AAAK5mlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96SGhJBABKaE3QToBpIQeQOlVVEISklBCSEHFhsjgCIwFFREsAzrSFBwdARkLYsE2CFasAzKoqONgQVRU5gKPMDNvvffW22udnC/77rPP3neds9Z/ASAnscXiDFgVgEyRTBIZ6EOPT0ik454ACGABBVgCwOZIxczw8FCA2PT8d3t/G4lG7Ib1RK5/f/5fjcLlSTkAQEkIp3ClnEyE25HxlSOWyABAIQyMlsrEE/wbwuoSpECEP0wwf5LRpAlOmWL6ZEx0pC/CjgDgSWy2hA8AyRvx03M4fCQPKRlhWxFXKEJ4M8KeHAGbi3A3wnMyM7Mm+DPC5ki8GACyMcKMlL/k5P8tf4oiP5vNV/BUX5OG9xNKxRns5f/nq/nflpkhn97DFBkkgSQocoqh3vSsEAWLUhaETbOQOx0P9QrkQTHTzJH6Jk4zl+0XolibsSB0mlOFASxFHhkrepp5Uv+oaZZkRSr2SpX4MqeZLZnZV54eo/ALeCxF/lxBdNw05whjF0yzND0qZCbGV+GXyCMV9fNEgT4z+wYoes+U/qVfIUuxViaIDlL0zp6pnydizuSUxitq4/L8/GdiYhTxYpmPYi9xRrginpcRqPBLc6IUa2XI4ZxZG654h2ns4PBpBtFAAORABLiAByQgBWSBDCADdOAHhEAKxMg/NkCOk4y3TDbRnG+WeLlEyBfI6EzkBvLoLBHHZg7d3tbeHoCJ+zx1RN7SJu8pRLs848tuB8C1CHHyZ3xsIwCOPwGA+n7GZ/Rm6q6c7ObIJTlTPvTEDwYQgQpQB1pADxgBc2AN7IEzcAfewB8EgzCkkwSwGHCQfjKRTpaClWAtKATFYDPYDirAXrAP1IJD4AhoASfAGXABXAHd4Ba4D/rAIHgBhsF7MAZBEA4iQ1RIC9KHTCAryB5iQJ6QPxQKRUIJUDLEh0SQHFoJrYOKoVKoAqqC6qAfoePQGegS1APdhfqhIegN9AlGwSRYHdaFTeG5MANmwiFwNLwI5sPZcC5cAG+Ey+Fq+CDcDJ+Br8C34D74BTyCAiglFA1lgLJGMVC+qDBUIioVJUGtRhWhylDVqEZUG6oTdQPVh3qJ+ojGoqloOtoa7Y4OQsegOehs9Gp0CboCXYtuRp9D30D3o4fRXzFkjA7GCuOGYWHiMXzMUkwhpgxzAHMMcx5zCzOIeY/FYmlYM6wLNgibgE3DrsCWYHdjm7Dt2B7sAHYEh8Np4axwHrgwHBsnwxXiduIO4k7jruMGcR/wSnh9vD0+AJ+IF+Hz8WX4evwp/HX8U/wYQZVgQnAjhBG4hOWETYT9hDbCNcIgYYyoRjQjehCjiWnEtcRyYiPxPPEB8a2SkpKhkqtShJJQKU+pXOmw0kWlfqWPJArJkuRLSiLJSRtJNaR20l3SWzKZbEr2JieSZeSN5DryWfIj8gdlqrKNMkuZq7xGuVK5Wfm68isVgoqJClNlsUquSpnKUZVrKi9VCaqmqr6qbNXVqpWqx1XvqI6oUdXs1MLUMtVK1OrVLqk9o+AophR/CpdSQNlHOUsZoKKoRlRfKoe6jrqfep46qI5VN1NnqaepF6sfUu9SH9agaDhqxGos06jUOKnRR0PRTGksWgZtE+0I7Tbt0yzdWcxZvFkbZjXOuj5rVHO2prcmT7NIs0nzluYnLbqWv1a61hatFq2H2mhtS+0I7aXae7TPa7+crT7bfTZndtHsI7Pv6cA6ljqROit09ulc1RnR1dMN1BXr7tQ9q/tSj6bnrZemt03vlN6QPlXfU1+ov03/tP5zugadSc+gl9PP0YcNdAyCDOQGVQZdBmOGZoYxhvmGTYYPjYhGDKNUo21GHUbDxvrG841XGjcY3zMhmDBMBCY7TDpNRk3NTONM15u2mD4z0zRjmeWaNZg9MCebe5lnm1eb37TAWjAs0i12W3RbwpZOlgLLSstrVrCVs5XQardVzxzMHNc5ojnVc+5Yk6yZ1jnWDdb9NjSbUJt8mxabV3ON5ybO3TK3c+5XWyfbDNv9tvftKHbBdvl2bXZv7C3tOfaV9jcdyA4BDmscWh1eO1o58hz3OPY6UZ3mO6136nD64uziLHFudB5yMXZJdtnlcoehzghnlDAuumJcfVzXuJ5w/ejm7CZzO+L2h7u1e7p7vfuzeWbzePP2zxvwMPRge1R59HnSPZM9v/fs8zLwYntVez32NvLmeh/wfsq0YKYxDzJf+dj6SHyO+Yz6uvmu8m33Q/kF+hX5dflT/GP8K/wfBRgG8AMaAoYDnQJXBLYHYYJCgrYE3WHpsjisOtZwsEvwquBzIaSQqJCKkMehlqGS0Lb58Pzg+VvnP1hgskC0oCUMhLHCtoY9DDcLzw7/OQIbER5RGfEk0i5yZWRnFDVqSVR91Pton+hN0fdjzGPkMR2xKrFJsXWxo3F+caVxffFz41fFX0nQThAmtCbiEmMTDySOLPRfuH3hYJJTUmHS7UVmi5YturRYe3HG4pNLVJawlxxNxiTHJdcnf2aHsavZIymslF0pwxxfzg7OC643dxt3iOfBK+U9TfVILU19xvfgb+UPCbwEZYKXQl9hhfB1WlDa3rTR9LD0mvTxjLiMpkx8ZnLmcRFFlC46l6WXtSyrR2wlLhT3Zbtlb88eloRIDkgh6SJpq0wdEU5X5ebyb+T9OZ45lTkflsYuPbpMbZlo2dXllss3LH+aG5D7wwr0Cs6KjpUGK9eu7F/FXFW1GlqdsrpjjdGagjWDeYF5tWuJa9PX/pJvm1+a/25d3Lq2At2CvIKBbwK/aShULpQU3lnvvn7vt+hvhd92bXDYsHPD1yJu0eVi2+Ky4s8lnJLL39l9V/7d+MbUjV2bnDft2YzdLNp8e4vXltpStdLc0oGt87c2b6NvK9r2bvuS7ZfKHMv27iDukO/oKw8tb91pvHPzzs8VgopblT6VTbt0dm3YNbqbu/v6Hu89jXt19xbv/fS98PveqsCq5mrT6rJ92H05+57sj93f+QPjh7oD2geKD3ypEdX01UbWnqtzqaur16nf1AA3yBuGDiYd7D7kd6i10bqxqonWVHwYHJYffv5j8o+3j4Qc6TjKONr4k8lPu45RjxU1Q83Lm4dbBC19rQmtPceDj3e0ubcd+9nm55oTBicqT2qc3HSKeKrg1Pjp3NMj7eL2l2f4ZwY6lnTcPxt/9ua5iHNd50POX7wQcOFsJ7Pz9EWPiycuuV06fplxueWK85Xmq05Xj/3i9MuxLueu5msu11q7Xbvbeub1nLrudf3MDb8bF26ybl65teBWz+2Y2713ku709XJ7n93NuPv6Xs69sft5DzAPih6qPix7pPOo+leLX5v6nPtO9vv1X30c9fj+AGfgxW/S3z4PFjwhPyl7qv+07pn9sxNDAUPdzxc+H3whfjH2svB3td93vTJ/9dMf3n9cHY4fHnwteT3+puSt1tuad47vOkbCRx69z3w/Nlr0QetD7UfGx85PcZ+eji39jPtc/sXiS9vXkK8PxjPHx8VsCXtSCqCQAaemAvCmBtHLCYh2QLQ0ceGU3p40aOobYZLAf+IpTT5pzgDUeAMQkwdAKKJR9iDDBGESMk/IpGhvADs4KMa/TJrqYD+Vi4SoTcyH8fG3ugDg2gD4IhkfH9s9Pv5lP1LsXQDas6d0/oRhka+fUjMtFZjZE5KdB/5hU98Af+nxnzOYqMAR/HP+E8R9IgX6GUmeAAEAAElEQVR4nOydZZwcxdaHn+oeWffdbNzdXQkxAgQI7nBxCG4vzsXd3d2dcIGQhBiQBOLE3WU167MjLfV+6JnZ3WSjxEjqgfllp6anu7pnpk6fqnP+R0gpJQrFHmKaJi6Xi9dff50lS5bw8ssvEwqF8Hg8B7tr+wXDtNE1gaaJg90VACQSy7Zwaa6D3ZX9QuT79cEHH/Doo49y5513kpGRQdu2bWnatClut/tgd1GxC2xp47o7hst6XsLbp71JyArh0Xc9Phye32iFYh/jdmn7dH+2tLFsCwBd09GEhmVb2NIGIUBKhBDomo5AYNomUko0oUXbDleDpDiy2be/NIUCkBKklESccOd59ce27ZKD7a/X1g8pwbad83jnvdksXpIPOG3Vt9kbNKHh1t24dTeacH6GuqY7bZoLt+7GpbkQOJ6ZK9ymazoAW/1beX/u+9jSdvqNmvBQHB4oo6TYp0gpEQKEEAjhDKjO8+qPbdsF4iDOitm2rNGPiKGRgKY55/HFVwtZtqwAwm0RI7an/Y4YkB+X/chRbx7NkLeHM239dACe++M5+r3anxHvn8Tgt4ZxxXejKKgsoDRQxlmfnUOfV/rw5G9PA1ASKOHT+Z+hCc3pN0IZJsVhgfL/FfuMiCHasLGU4qJK3B4XzZqmIm3J1mI/AG63hj9g0qRRCsXFfjRNsG5DCWmpsTRskHxQ+q1pgjVri9la6CMlNZaWLdLDU2WC5SsLCQRMhAaJiV62Fvnx+0M0qJ8MCDZvKSMmxkV6WhxSslMjJXGm5DaVbmL2ljl8dNaHTFozifsm/pfvL/iei7pfxCntT0HXXPy5YTqvz3yDjNh0zvvqQjrW7cCrI1/mljG38t6c9xnZ9iTqJmZT4CsgpyyHJmlNSPImHbBrplDsL5RRUuwzXC6dMWNW8NhTv+PWJRl1knji4WN4+rlprFhZSGGhj7S0OMorg3zzyTk8+OhkVq8uwhWjUVjg55nHj+XY4S3CHsj+d51sW6JpggULcnn97ZlUllRiulxccHYnjj+uFe9/MJenX5hG3foJzJ+XQ3y8mz9nbOSaG3/k528vICsrgWNHfMgTjw7nxBNa77Lfkam4BskNeHDIAwAMbTaY12e8gWEZpMelkx6XDsDTU59iVO9RFAeKyffl8eHA91mYt5D5ufNJ8CYyqNkgNpVu5oGJD7FgwzzSUjL57KxPiPfE7+erplDsX5RRUuwzNm0u5eFHJ/PyiyfSo0d9AEzDZt26Yq68vDsTJ62ldcsM/H6DjZtK8XhcDDq6CQ8/OIznXpjOF18t4JhhzQ9YhJuztiV47sXpbM0vp//g5vw2YSXPvTSdLp3r8crrM/j5+wto2jSVs879gq1bKxl5Ult85cdy70MTiXHrvPzCiQwe1NTxrDQRngrc+XRkZApPExpP//EMZ3U6k/TYdGxpowmN2ZtnsaJwJS+MeIHpG6ZTJ7EO7819j0mrJ3NO53NYV7IOn+Gj0qhkVO8r6TiyI71e68OG0g20zWzreGQcGlGCCsWeotaUFPuMoiI/cfFuOnSoE20LhCzqZMSTmhIHQNOmqfh8Bm6Xjtulc/ppHQCoVzcRTQhM0wb2PoBgd5FSousahmHj84Vo1y6L7Kx4LrygC6+8eCIbN5aSlRlP48apAJimHfWCTjqhNblbylmwMI/Bg5oCVetkzhrUzo8rhEATGjePuZkEbyK39b8VpLMPU1o89tuT/KfLhbg0F/WT6rMyfyW/r/2DN095g671uiIQeDQ37TLb0rFORwp8hWTEp+PS1T2m4t+PMkqKfUZ2nQT8lRavvT6D9RtK2LipDMu0KSkLEAgYVFaGqKgIEQqZGKaFxGbp0nzWry/h6+8X0bZdFh6PHg082J8IIbAsG5dL0LBhMprbxTlndOSUUzvQolkajRomk19QweQpq/nhh2X8/MsKYmPdVFSEuPn2X7jsku6cdnI7rrvhJyoqQkgJS5bk03PAG/z08zKgZpRe9eMGzSDnfHEuywtWcnWvUWwq3Ux5qByB4P0571HsL+asjmchkTRPa06TtCYMajqIoBHk1T9fo2+jvqTGprKlPAdTmrh0FyX+kmiIuULxb0YZJcU+IysrgY8/PIPxk1ZzzvlfcM2NP1JWFqBbt3pkZSbQoUMd6tVLpEXLNFJSYjFNm0cfncw5535Oq5YZ3HJjf2DnwQL7kkhk3dOPH0t+gY+jBr/F0UPf4atvFpFdN4G7bj+ae+4ew2/T1nLTdX3JzIhnwuTVBA2TKy/vwc039WPdhhImTlqNENCuXRZ5uRVMnLQG2N4oRaLjlheuILc8H2ELrvj2Ki779goW5C0AYGXham7qd6OTZBh++xunvMGU1b9x8oen0LdhXy7uehG2tOlevzu60HFrLno26Em8W60nKf79CFspOij2AtM0cbtcvPb66yxbsoSXXn6ZYDCE17v7ig4XXvQtd94xkPbtMvdjTw8MBQU+3vtoHuPGruSVl06gXdusXUbjKXbMtooOd2yj6OBxu1UA/CGMACxp466m6BDcTUUH5Skp9hmRHB/TtDEMC9O0kRIsy0nwtCwb25aEQhZSSioqguTmlke3PZhE+mwYVtTDsW2JYVhYlh09B9uWNda9QiErGsUXH+/myceH065tFrBjgySlxLANDNvEsI2oWgNQpepQfXskpm1iWEZ0ii4iMxTtv22qPCXFYYFaGVXsU4QAl0vDsuxoFJquhxULdGeUdrt1hIAXXziB9PQ43G79YHYZcPq8LVLK7fomBNHoQCHA43FeT0+P47pRvYGqUPMdIYTALbbXbpNSIm3hmBbdyZMCapUUEoiougOgJIcUhw3qm6zYL0QMUW1EPIhGDQ9OsuzusrNz2JaIRyiEiBrfCKZpo+2GmKsQApdr/833mabjqbrdWjRasLrnp+tatO+Od+h4XtW3NwwrPC0pcLurrk/IsBAQNeKW5XjGESI3Is4+7KgaRmT7bfuhOHJRRkmxX/hj2npSU2Lo0L7ODrc5UEmye4NtS/6Yup5ePesTG7trReqIh1gbO2qPELkOOTnljP5xKR6PxvChLWnYMBknk+qf40Qabt8PTRNRb8/pizM16Biomts6Bq36tk6/pZR4tvEodV2gb7uD6D523Y9QSE1FHqmoWxLFPsNZFnEGk8uuGs0LL07f6faHqkEC507/nvsmUFjoyCPtKBxoV2FCoZDFe+/PZe3a4h1uH2kLhSwKCit58KHJjP91Zfi1HYvV7m6IUiQn6823ZnPHf8eTm1MefW3z5jIuHfU951/wJTNnbXKmJ4Vg7PiVXHDB51x380+UlAQAx3A89dxUzj//M1589a9qGoaCu+79lRdf/RO/3wScm5JRo77nP5d/xw23/owV9oI0TfDsC9O44ILPeObFaUSWzzZtKuWSq77nggu+4M+/NuLxqNIURyrKKCn2GUI4g7lp2fzvu/N58IGhNV637ZpL8ZEpm8g0z8GOAw2FrHBAg/M8u04CXq8eTpytuW0kaGPbdtuWNULBfZUGH340j9WrizBNG9PaPqAjMq3XuHEK9909iNNP7oDH40xiCKqmO7cNBqnebtWy30g/hRA88thvLF6Sz/hxq1i/oQSA8vIgV179A/XqJHHO2Z24/6HJbNlSxsxZm3n40SmccEJbWjZL57obfwLgsSd/Z+rUdZx5ZicWL87n1ddnAHDjLWPIzatg9OilVPiCAEyespbFSwsYeUJrykqCnHn+lwB88eVCfL4QI0e2Z8zPK3j7/dlYluTm/xtD9671OP741jz/4jTmztscvZ6KIws1faf4x0SGjbKyINfcMJqVawow/SZXj+rDNVf35rMvFvD55wuwNMnKlVu585ajuOzS7rzw4p98+Nk8PLEu8tcX88xzJ3Hm6e13GSiwz/odnn4qLvJz8+2/sGZFPtLt5oWnjqd793r4Kw2ee2Ea435ZRMNm2bz3xskkp8by3PPT+PzTuZgujSsv7sH11/Zh3PhVfPPtYjbnlrNhdS7HntCBi8/vxjW3/MjS5fncdOcvuC2bO+4azDlndaw1XDxi6IpL/NFoPCEECxflcc2NP1JR5KNpqyxefGYEDRsms3RpATfcOobCvDKS0uL48uOzyM5OrLFvTXPuO6+8oge6Jrj2up/QwutWf/61EcOweOTBocydu4U5f2/ml3Er2by5jGFDm3PuuV146pmpTPpjDdOnb2D69A08/NBQunauy5vvzmPN2q1cdEFX7r5jIGvXlfDSy9OjwRlxsW6OProZZ5zanlNPasvgYe/x1deLOP64lpyd2AGhCZYsK2LGrE2MOLYVJaXBaKDI2F/XMHnKGrp1rX9Ie9OK/YMySop/TGTYSEry8uWnZyKE4I47x7MlPE3kqzRYu66Y6X9cyc+/rODt92Zz2aXdufmmvtxycz/+/HMDf/61iZNPan1Ac3ssS+JyCcaOW0lefgXPvzCS7t3qAc4dekGRj6zMeObNu4U+R73JvPk5FBZW8vu0dfz9943k51dw0qmfcvxxrXC5NObPz2HsmIsA+ODDeTRomMRv4y7j9LM+5/b/G0C/fo2I3PjXdo6R4AFHQ89pK8j3cdW1/+ORB4cyZFAzbrtzLK+8PoMH/juY62/6icsu7s6553aqcd2q7zvyd1ZmPMVFfnyVRnTKbOXKrbRrk8WXXy3k3ffncMoJbVm6rJCg36BTp2zue2Aify/I5fihrfh14mrqZMazeVMZTz75O9l14gkFbbbklNGqVQZLlxUQClWFqNu2pLw8iGVJbClp2zaTsrIgyckxAJSWBpg1exM339SfhAQPwaDFM8/+QUpKHLPmbqJ7j7rhPSlP6UhDTd8p9imm6ayBuFxatFprMGBx8UXdSErykhDvITnJCziD8LLlhXzw0TzOP68TuksHDlzwQyTKa8jgZnTrWo9XX5/JbXeMZc2aIqSEullJXHpJd6SEBvWTME3J4sX5HDe0BbYtycpKYOjgZuTllmOaNieMaE1ycizp6XHcekt/0tJi8VU6EkRIxwjubDoqUlQQwLadCLUFi3Kpm5lAv94NsSzJccNbExvjYu3aEjRdY+TItttFutWGbTvTqk4umVO4MDs7gfGTVvHL2JV8/MEZtGubRYxXJy0jjudfnk5yUgw/fHMe0rZpUD+Zkoogjz7xG5dc3I3/3j2IysoQiYnecCHEquPIqOEV0Qi7YMAkMdFJnNywoZQLL/mWYcOaM2xIM1JSYnj95ZNYviyf0ooALZulEx8buV9WntKRhjJKin1KpHBfzQqukpISfzRs2jCcO2rLkrz73myuubo3deokoGvigE7XRA5VJzuBRx8cxmuvnMiiRXm89sZMdF3g9xuUlQUQAvx+E7dbo02bTH6dvBpNExQVVTJxyhqys5MwTZvy8mB0UHbCniE21oXXq5Nf6HMi0nYyLanr4bBxGQmhFnRsn01Ofjmz5mxB1wXjJ6yk0m/QoEES+bkVjBu3El0Xu4zw0zRBTIwLaUtivC6EEHTrWo9A0OL+/w4hIyOeDz+Zxyknt6VF83RSU2K59Zb+/DljI3MX5HLWmR2wLJtjj2nJscNb8uY7c8jMiiMrKz4aOSelJCbGFV1btKVz3Hfem8OMOZsZfkwL1q8v4cJLv+HY4S25+YZ+gPNdad8+i7ffPp0zTmmPryJE/76Nwj1XntKRhpq+U+wznMHYMTgetxZdF4mJcZGY4I0mm8bHO3fML738J59+MZ8Zf2+mLK+CK6/uyzVX9Tpg/bUsG13X+PKrRTz61G943YKGjVM579xOAKSkxkRDoJMSvdhSctaZHZg9bzNduryAiPXyfzf0p3nzVJYuKyAp2Rs1yu7w+bvdOhec35lb7vyFBx+awJ13DOLsbdaUbNtG0zR++20dd9w7ntzCCv6YvpYff1nGW6+ewuOPHss1N/+EyzTo1rsJTzx8DElJXl564URuum0MDz85maSkWL746EwyMmoWGzRNicej8dAjUxj9/ULKghbnnfs5J5/ekUcfOoaXnxvBaed8hlEZ4oL/dKd7t/p07JDN6tVb6dz5ebRYL08/cSyJiR5efeEkbrj1Zzp1eo4mrerwxssjEULjjHO/YPHiPHxBkwED3+SuOweTVSee11+dxtQZ69FswRefnEVqaizPPD+NuTM3oLk13nz9T3r1a8LLz43gkcd+Y/R382nYPIMXnzuBdmHpKbWmdOShtO8Ue0Vt2ndgAc4gfv2NP9OwQRK333bUTvbhJJUGgiaacO72d3XHvz9wvDdnuszl0nZLYSIQMLfLrdkZpmljmjZut7bD5NCIBJPHoztBD9Ix7iJc0sM0bWJiXLW+Rwjwend8j2kYNrZt4/HoGIZdI3E1EDBrfb/fb+B267hcWtTQmZaNadTsRzBoRfO0DMPC5XLOMXJdI9tGwts1TeAPmAiq8pMcOSeJx6OjaUJp3/3L+Sfad8pTUvxjIoPD2rVFfPLFYsqKKvlz5kauvfp05/UdJMlGDFDcbiSn7k+cRNE9M4bRgZbdW/XYHYMbmWJz/q6Z0Fr9/REDERngI+/Jy6vgjXdmYdkSwvlGVsCgc7f6nHFqeyKz9dsa0m0NXYRI0nD147l0DZdesx9eb9X+qhu26tc1ogIR+RrEbnNMt1vH7a46X8WRizJKin+OlNi2kw/j9WikpsbwygsjaNMmE9uO5CAdviPNgTizbS9f5HnNdonXo2NJ6eQ3aQJLOjWjLGv7XKu9Of6O+rEn+9gdbNuOBnsojiyUUVL8Y+Li4tA0jSZNMrj91oE1XovkySj2P3XqJHLnbQN3veG/AI/HmeaJi4s7yD1RHGiUUVL8I2zbZsGCBUyfPp1AIIim6WiahsvlwuNx1ap/drgigJDL5QiTmiZy2zDEXb1bSHSpo6FhsnelKGorAVKbSOyhjmVZuFwulixZcrC7ojjAKKOk2Csia0R9evdm0sSJPP7EE5imibRt/IEA5WVllJeX4/P5olN4hzs2kF1UjKVr5KekoNv2bmcCSynR0SnTygiIIOl2GuIIz9HRNA1d1+nRoweVlZUqEu8IQRklxV6h6zoS6NGjB9999912ry9bvpwVK1awadMmLNM88B08CJguF0N+nUAgNpapA4/CGww63tJuYCOJJYbZci4b7Y0crx+LhnZEF+5z9H0lgWAQt9tNTEwMbrdbGafDHNeR+5VX7Ass28asZnQEUOn34w8EcLndZGRkHBmL1VJiezyYcXHI+ATqZmfj8vuRu7mmZkubOFccyUVJFFbGklWnzhFvlCIIIYiPjyc9I4PklBTcLhdHhu/970WwfWRqWNhklyhPSfGP0DQtuigdIcXjoVmzZiQmJlJZWXnEGCXp8ZCZmYWdlIi3Qwe0igrYTaNkSYskdxJr16+luKiENm3aoglllCJ4vV7S09NJSUlRBukwRxklxT5HAsmJicTGxhIyjCNjZURKcLvR09MgNYXUpk3B70fsplEybYtETzzZwWy2yC20aNE8bJQUTlKzC6/Ho67HEYAySor9gg24XC7criPrKya9XvB48WoaxMXtdqCDJW00IfDGxOB2uZ0we4QahKuhrsWRwZE1YigOOEfMQBKWN5BS1sw03YPoOyIK3jgq3lIoo6Q48lCZjQqFQqE4ZFBGSaFQKBSHDMooKRQKheKQQa0pKRT7kkhBpcjfe7OL6H+KnWEj1VU6DFGekkKxLzEM+AeySpZtYUlLVQHfCZGkTF1dpMMS5SkpFPuS9HTkz79AXp5joHQdKiqgQ0fEuWeD273DhFoJZMSlsTh/Mf+d8F9cuuvISDzeQzShURGq4Kqeo2iZ1hxLeUyHFcooKRT7gvBUnbjqSshIB9MpC4+uQ3Ex8rvvER3aQY8eYFlOezV0zamDNLjpYGwgtzwHt+ZWig7bYNuSGJeHCWsm8dasN3n62KeUQTrMUEZJodjHiNNPr9kQDMLSJWCHc5h24P1oQmAhGdp08AHo5b8bTXcxb8vc6FSeMt2HD8ooKRT7GstyPKfINF3A77R53E77TlQuBAJDWmqU3QGWbeHWdHwhH7ZUKniHI8ooKRT7mnBxP/n1tzB/gfP3rHkQNKFBPYhPQFx9FXi9tUbo6UJXgQ47Qdd0NKFitA5XXOqOTKHYh9i2Y1B8lfDORzB+HMSnISTw9woIBKFOBvLEExAtmoNl77aSuIIqD1Ju87fi0KL6nGptn9lOUL8GhWJfomlOkENSIgw9GuKSnIg7l+786/VA3x6Ili2cNSZlkBSKGqhfhEKxr3G5HJn0iy+AZs0cr0kIxwi5dLj5uj0Sa1UojiSUUVIo9jVCgG0hsrKQXdqDFjY+UiKbNUR061pT+UGhUERRRkmh2B9oGkiJuG4UJMQ5c+mVFYhrroS4WFT5VIWidlxqjVCh2A8I4Sz29u4JTRvColWQlgyDBiKFcAIcdHVPuKfUtnZe/V/FocNexjmokHDF3iGEcrN3F3nnrYgzzkZefxuieVOn0aWu3s6QOEtwiiMPZZQUe4VtSyoq/ZgROZ09wLUXA7KU0glWEyCqrcXY0pkJE0jC/+9iR46DIg7Eeo7teEOydSsgBI0bI0IhKK9wIvEUOyQmJgZ9GykmxZGBMkqKPcIwDGI8bgYNHkxJSRF1shJx6VpYo63aQC8AWXPgF0BlwKS0NLBHx5Rha5Ma66Y8aGLaVTECMRrE6DhTYiJ8lG3tTaSsuAShgS9oY1oH8DbctqFlS3jjJXjnNRXgsBOklAgh2Lx5MytWrSY5MYED+VEpDj7KKCn2iMhwWlnp4+eff2XuApvCogpAhhWtnRFESOmMvUKCcEyWtCVtWmTQr0/2Xh176hYfferF1/jSbgbWlIJu4LhM4Yewcf6Q4b6EDZJhWHRp6CFeOSqHND179qSivJzkxISD3RXFAUYZJcVekZgQw98Lcrjkqjmcf24bLMvEpUlnGg0bQ9oYlo0VlGiGJMYCo7SE++ZuYMOq27Asia7v3GOQSKQUmFLjrakLKLW8bNqazNCmKSTHuHFpgpeWmfwSsqjrMggUG5gVBma5iVkewip3nls+p03z2eSVGnx0TxtO7JqGaUtc2gHyWiIirMpL2immaeJyuRBCHJgpVsUhhzJKir1CCAgZFsOPacKLT7YGFhMgho24MGiITR2sIMiV0MAPGQBGAXNv/xJN0wCJtlODIJFoCGxWzryNnxcN4pFT+vHBnA0MbZ6Ox+WsN8SbkjYZAmOejtwawuUzsfxBRMjA9BkYARMMC6HbEBQYZTqxsS40TUOTu+qD4kCjaVr4+3GA1v0UhxzKKCn2Gk1AWZlFKDCX4pIJzElPZI7pJqD3RAvFYs+OQ//TorNPcLRu47HXYARCNfZhmDLsRFQtHAgkbreOwEKuuIZG8RYdtAJuf38sL1x6HJmxLkKWxKMLKgIm17s9tOjrxdZiSEiQBANQ7pPEJThqPyUVUFwuaZwk+HRyDvl5QWh3YK+VYs+QUlJaVkpWnSyUOu2RhYpLVew1EokmJB6zGF3fQIV7EzmezWxxl7HZBRsrNTZs0SjZqKNt1HAtLwbLrLEPt0vgcQs8bi36cLt1IIS19Erweoh3DeWp4DdMvqEHneun4iwUhQcqwyTOgnXLJfXTdJYuc2HgYu4iG5fHzbdfuXF73Mz928bW3cz6Wycu9oBfKsVesHrVatauXUdZWdnB7oriAKI8JcU/IFywLlCEaa6jkFTW4cYvChGWhb8YtHXQukRiuiQVRQXYtln1XgTvfZLPomVlaLoFGNi2RYNsuLLvC8SnJ1BZ2JOvrr+Nv5pcR1JwDWmJq7nxsqF4vQIQiJBFIGizeLVBz35xLFxgc9/LNuUVuXw9tiEJhZKfZgg2bMxh8m9NWV9o41bf+n8Fq1evJiYmhkAggMfjITY25mB3SXEAUD9Pxd6jCaQVAl8B0lPEViQ5QmCxFZAUF2mYm21yKzVstyS0pRA72wBAhsPF739qHf93bT0SEwWmbeOrDJKRfzVafEuCJb0oHf0eLf/7EUXl9YgNFXL3Mz9w2nFdaN3cieATpo1l2qzJ9eMScVxxgUZWfcl/7inh0VsaM6QnjJ0JZ91Yzkt3QI6lUVCoYowPdaSUrFu3lvT0dGJiYqjw+YiJUUbpSEAZJcVeIhFCQwbKIaeADXqQrTKAz5BIvRB8m/AX+gj5TIoCGltMm5LKHCxio+8HQZuWLs49P4tbX1lGkgfu6P0Mjc7virWuMxMffpJni6+CwjTKN67hofsHMWzIfALBautSpkUwaBHSKxg/NZ05Sy3uukJn1retaZAGq7ZY9Oki+emDpvRqbfLit5KM1INxvRR7SkVFBYZhYFkm0lZigUcKyigp9goJIDTMQAU5G7ayPBRka5mPkCEw9UJE5QqMvCTsgEVJQLDSkuQZW5CyaY39GGaQFWvK+PRnH/cP+Yj0umkEVnXg94ef5oENl7BEtsD9+xIKVxQz95R2BM1Kaug2mBJdSMZNK2VIR/j0e4kZhFM/+IgFMWuodIVYYPvJrShkTYeepFx5FVZFxYG8VAqFYg9QRkmxd0gnfDcQqGDl+kJW+YMUlmkEDM0xSsHVhAriIGhRHBSstiDXysOmcY3daCKIZbnpXK+Q81usJH5DW35+/Q0e3XARy0Q7EkIlSLcL4dHxunQkJtWNkhm0SEoQHNMrg29/ha0Fkh9+lQxtohNj/4YtBWkug61GAWs3Z9BKc2EqUTWF4pBFGSXFXiGlRNc0KisrWbJhK6tKgxQVCgKWhim2IsxVmPkxiKBFSVCwxoRcCrG3qdlgSz+2nkjhktH8INdQVNaQn7dewAaa4AkU4Q+BJm2kP0jQsEAPOSoREQwbTeq8cGc9pi2W2C6d1x4RGOXn8OebnfC7Q1TaQcp7lnN677rMKvPhUWKoCsUhizJKir1G1zUqg5Ws2LKVjQV+ShNMLFvDFnlgudGK3GBKKmzBOgEFrvztqn9rLklynEEofhAfFQ/E72mFmegjM+gjSBweYaJJSSDOS0JcPG4vQJUIbChkYRgWvoBNggYP3wCxSGRiPMff0XO7Pv/6xTqy0r3798IoFIq9RhklxV4hAcswWLwsBxHU2FSWRUllCYQMkAVgl4e3tFmPZD0ApaTklxAKhTAtG5eusXJtDhs3bOa1xwZiSpCmD5tETAkWNtKW2NgEjYbUzd7MXx/OR150NqFQCAk0S9e4++OVJLgFXhdYhk0wKNGkxDKtcDE9R5dPc2n4gpL7/9OMUCiEZUnsXUgdKQ4spmli23ZYR1FxJKKMkmKvMAxJr+4t+L+7ryNoXo0GCGwn915aVKmiSiS2I8oaNGnWIg2Px4MnvJ+bRg3h519yccdaIEIgTCAEmgFaCIQBmoHQDRYtDXDuiUPp0rZNtB83ndiIm05sFC5f4bAjM2OivvCHOh6P883wer3YKuLuiET9RhV7ROT+NRSyuOmmK2jaJIsYl6whEkStfwPxgs0bLC677E2EEEgpyUyPI9urg1XdpIhw2YuqNikFAoFdIrnyiiuwbBshBLZ0RFW3l0mr3hBWLhfC8Y7CCubqZvzQI1K6YuXKlfTo2VN5TEcgqhy6Yu8Q0KNHLxITU2oZOHb8rRJC0L59VfE2w9h2qiaipr3tO6u2adnWVUOss/Zxa/tGJzOqNgOmOFSwLAtd15k0eRKW5awdym0eEao/V+PYoUVtpc9VOXTFfufqq0fh9aose8W+59XXXicUCjke9cHujOKAooySYq/Jy8ujfv0G2LbENG0kErdLV+UgdoJp2liWM/Xodms7LM9g2xLblntVOv7fROR6aJrA5dKwLAuXy4VhhFTpiiMUZZQUe42u6+EHuFUl191C1/VdbwTs5mYHFVva0TUgTTjGU0qJLW1n+lWCJrTo+qEdrgQcaYPar4eu68ogHcEc3rdhiv2KZTkTK3PmbOG0cz7nnIu+YuHCXIDoOlHkjr/6ulGkzWk/8P2OIGXt/avebttV5xHZJvL6nhDZ/qOP/2bkyA+54prRbNlSFn1t2+MtX17Ia6/PQEqJZdnRdimdfuzO9YtsW+N5eDLMlnb0EX09HDofaZe7mDjThIau6VGDBM6aoa7p6EJH16qMixBiuzYpJc+8MI0TTniHO+8ZTyhkKWOkUEZJsfdEpumaNk3htpsHsG5VCStXbgWcgVtKZxtNc0pbRwbWSJtWa9TcgUOImv1zBvGa7ZFzrL5N5PU9IWIb/pi6nl69GzHqil6kpsaF+yFqHM+2Jbm5FYyfsNoZzHUterxImfDarp9tS0KhqsTibUuKC+FEMIJjUCKP6OuIqNejCS26bc3zcE7Eb1Ry80+30P2F7pz66ekU+gsB+Hrx1/R9bQBHvX40nV7syhcLvgBgytrf6PNaP3q+0odP//40ur+RJ7Thyiv7MmPmJnw+Y7vkasWRh5q+U+w1kfEuLS2Ovr3jaNMyA7dbq/H6pClr8PtCtGqdScsW6ViWzew5Wygs9KG7NPr1aURS0sFRWAgGTSZOWYO0bLp3b0B2nQTAMSB/ztiArzxIWkY8XTvXZe7fOTRrkkpaWiy+SoPlywro0KEOHo8eNWS7Q2KihwEDmtC9a71omxAwYdJqgn6DNm2zaN4sDd2lkZ2VwPKVhWxYV0S3bg1JT48lL68C25asXL0Vl0unV/f6aDqYpuTPvzbx7vuzeefNUwDIrdyCpmk0SKqPLW3yfflIKUn0JjJr02wCRoDkmGT6NOqNJjQKfAVY0mJFwUqEEHSv3404dxwSuZ2BeuWv14j3xjP2irFMWjOJG366gU/P/JQNJRs4t+tZ3ND3hui2eRV53DHuTp4a8QR9GvRh6LvDaJzamAGNB9CqZToNGyTz1bdL/9mHqThsUEZJ8Y+JeBj+oBn1CDRN8Oln8/njz/W4pc03o5dy8/V9adkynYmTVpObX0FZaYCxY1fw+KPDiYlxHzCvSUpJIGjx1luzWLaqEDeSMb+s5K47jyYzI57Hn/ydP/5cR6JXo33n+nRqX4dXXp9BTk4ZY374Dw8/MpkVK7fywbunVTPCu9d525aUlwejHocQgg8+nMdfszfhlhbf/rCMu28/ioQED7PmbOL5l/5k3coc3LHxfPPF2bz59mw++WQefQY0YsHCPM46tT1333k0Hg/Uq5dErNeNx+Os04yZ/zM/LvuJ/53/A7qmc9vY2xjZdiS9G/Rm3IpxhEyDvIpc/s77m2t6Xc2bs97k19UTaJ7cnBkbZ3Jm5zP47+D/oiGipxfxvNaVrKNH/R5kxmeSnZDN2q3rsWyLZG8y41b8irTBtE1OaX8yywqX0SK9OUc3OZqnpj5NXkU+f22cwYDGA5BSUlLixzCsWq+X4shDOcuKfYIIj1u2dAZ9v9/kyWf/wF8RIi41ngnjV/Dt6KXExro57rhWuIUkJt7Dj2NWUFEeOmDJrI5XI8jNKefZF6fhcmt4Ery8/8k8li4t4K+/NjJ5yhomjLmE0aMv4tEHh+H26Hzw9qm0aZ3Jiad+jBGy+PzTs0hM9Eb3tydEptWEEFRUhHjyuT8wggaxqfH8/NNSxk9YjUsXCE3j8QeHMXbslRQVVbJy5Vbi49307duIj945nXdePZk/pq3nzz83ctV1/+Oqa79n4h9rOOucz3nxpRmc0fYsNE2wYusK1pWso8hfxOntTqdRciO61+uOS9PxGZWMWzEOALfupnvdbrx3xrvMvO4vjml+DIQDGSLrSxFjOrzFMXw092PO+/wCXpvxOl494u1KgmaQiqCP8lA5pm1SVFlEvCeOe369hw0lG7mo+wXkV+ZHr4WK1lRUR3lKin9MZFD2enTi4twIIdi0qZSEeA8nntCa5NRYTj+pDa1aZbJ0WQG33TmO60f1pLTCYN6cLYgDemvkpNCuXV9Cw4bJnHBcKwDOOaMDHdtn8/U3i2jUKGW7tRpNEwzs34Q335zJiGNb4vXoGIaN263t0fTdtmzYWEpqcgwnntCG+AQPZ5zUhrbtspj/dx59ezckNc0pilgnI4HKSgMjZHHssS0B0F0asR438fFuTj+lHfPm5TBx8houOL8LdesmkRKbTP+GA/hr0wwqQz6OaTEcTWh8/PfH/LxsDJd2uwSXy82G0nWAs6bUvV53QlaIeHc8/Rv3i/YzMn0X+axPbnsyHep0ZFPJJtaXrefLBV+iC52AFeK0jqdycdeLou/dVLqJcct+5aaBN/LoMY9yz4R7yYzL3LsLpjjsUZ6SYq+JeDaFhT7mzNvC6nXFzJ27meUrCmncOIV6dZPIL6ykZYt00jLiSYj3kLOlnLy8Cjp3rktpsZ+Nm0oPaAReZFBt3y6LWK+LYMCkTasM0lJjcbkEbdtmsnBBHp9+voA5czazdFkBAGPHreSTz/5myoTL+f77ZXz+5UKEAMuyue+hSfQf/DbFxf7wddm9E5JS0rJFOhkZ8RQV+WnVIp30jHjiYp2pzAULc5g9dzPvfTCHnMJyunevj2nZzJuXw5y5m3nn/Tlk1Y2nU6dshg9rwfBjWpKeGsvIk9rSs0d9XLrO4KaDmLx6EhNXT+L4lschkSwrWI4uNNrWacea4lUUVRYDUGlUUlhZiEf3YEkLS+54Sq0sWAZImqQ2ZvKayZzW4TSEEFSGfGwu3YJhGRiWgS1tutfvTvvstrRJb8OUNb8xadVkjm05fO8/RMVhjfKUFHtNJJpuzpwcnn15GunZcUyZsobcAh+PP3QMb742kktHjeabH5YQ49Z56dkTGDKkGaec3JbLLvuGPv2bcuVlPaNrIAcKKSV1suJ57pnjufm2X7AFZGfE8/LzJ9C9Wz1efflEHn3qN0KVQbp2b8AjDx7Dj78s54rLe9CnTwOuvbYXY8au5LjhLUlNjaFnt3o889wfFBT4SE2NxbZ3nmdkmjaGYaHrGm63xusvn8So6//HJ18tIM7r4s1XTqZZ81RS02O56/4J6ELwxssj0XWBy6Xz049LmLdgCy1apvP808cDzmfh8ej06tUAy3JCv126Ru+GvZm85jdiXF5aZ7QG4PIel/LwxEe57ocb6NGwKxnxjtfSqU4nEjxOsEck+s60TWxpRz0lS1roQmdtyVoemvAwvkAl/zfoVoY1HwpAh6wOWNLCrbuj1zolJoXnT3ieO8bcSaUR4IGh99GpTqdwuLvEMCylQ6iIIgxbfR0Uu49pGMR43PTq3Zvvv/uW+vUbHOwu7VN2NRW37es/j1nOC6/+xaD+jbnzjoE7XCOxLImuC26+dQxnntGRfn0b7lX/7ntgMu3aZnDO2R13a/vaIuf2B5Ek2t3eHgnV1uPOu/BrXnnxJFJT3Qih071HD7p3706/fv1p0qwprVu3ITMzE8u28Oo6ny/8iiX5i3lg6IOEd6U4hNAFGLZN7D0xXNLjEt45/U0qzRAe3bPL9ypPSfGPicgMRYhI6EhJjaiqiKyOYTp1kiKDt65rByVfqXq/hQCXS0eIbdo1gdulYRiOFI6uCyzLxrIlHrdOgwbJXHV5D0ae0AZd13YydeesZRmGzeWXf0P33g154uHh1K+fhGU5CbIR3G7Hzdo2Is3j0bEsm7y8ckIhCyklHo8reu0inkd1aaKItwPg0lzR7UzbRCKjeUouzYUlLQROnlLEmN34800szV0WHUwMy6BuUjaPHfcoGXGZSGnj1t3R/USm/HRR01W0pR3tRySJ1paSx5/5nR+/m4+lufF4/tn6nOLwQBklxT9G00StU3BCUHs74SFaOAYJwgOlaSMBV7Vk0f3JjvpdW7umVQ2Wuq5Fp+c6d8qmc6fs6HY78hYi5/nIw8PIvaY3mi7IzIwPvyZqlduprW933DYAXd/R9Ra4XNsfP2KMqm8XmV6r0cdqhiTiXd3Y9wYqDT9aNRUGt+4hIy4Dzy72UR1NaNvdJWua4MLzunDyiFakpccTH+/BskyVQHuEo4yS4oBTm8io410duoJvEaOyLRH5IU3TtovYM007bHCq3puSHENKck1ldSklhmGHj1O1fXUPyuVyDHVSkhcpZViSp8q7M027hvSR261HDX1VW5XmXGT76vuojWZpzXbzCu0dDesnQf2k/XoMxb8LZZQUB4TItEwwaPLhJ3+Ts6mIQYNbctSAJmiaYN26Ej78dB5uj8bZp3WgefP0Q2IqJxIOPnHiGpo1S6Vp09Qa6yeOR1ezkxF5pW29mR2tuwhRc9vIDGBtHpQtJZrYft87MvS1eVRS7r76uKxtwUawz9apnHMNV7pS03YKVEi4Yh+wO6EyQoSLfNmQmhLD9D838sGH86Kvu1wamRnxvP/+PP6Yuj6830Nn+frtd2cz7+8cYOfJslbY+1iwIJfTz/qM73+oks8RQvDAw5MYMeJd7n1gQtSzycv3ce5FXzNixHt88/1iJxFZwMRJqznxxA849ZzPo5qCmhA8+sRvnHDCu9x21zgCAWed5q23ZnPyGZ9y/Ckfc/5F35CXV8H8hbmcedZnjDzzU04+6zNycsuj/Xj19RmMGPEu19z4I5U+A6j9ekf08Go89mHghHOuyiApqlBGSfGPiQwoRUV+Cgt9+HwhACoqQuTmVZCbW04waCIAt0fnzNM7cNFFvUhLiY0O8A0aJHHNVb04blhLPJ4D58AXFFZSUOCjvDwIOFNmkSkv25bRQT89PY7EBC9biyqpqAjWui/bdryY36eu55335iClYMaMjdHB/tEnfmPhwlzuu28YAb/J/Q9NAuCyK76jVfN0HnzgGN57bw5//rWRVauLuOe+CVx2WU8uvbAb19zwI1LCd98vwevWue22QSxfXsjTz00F4NeJq+nSMZsnHxnOzTf0JSnJy99/57JhUxm33TSAHl3qcdpZnxMImHz6+Xy+G72Ee+8dSrPGqdx4689AlYiuQnEwUdN3ir0mMoD5/QZPPT2Vn8YvRwYMzjq3C7ffehQffjyPsRNXoYVM0usm8diDw8jKSsCybAoKfJjVIs4sy0ZKKCkN7HcPKbL/b79bwstvzCBQGaRfnyY8/+zxfPvdYmbN3szTTx7L1GkbePSJyYz7+WIAvvhqAQ88MZnysiDPPn4cxwxrjm3baOGV+UhwRs/u9enTuwHPPzedQMhECIHfbzBt2gYefmAoHTtlc9/DU7Asm4kTVxMMWTx43xDm/Z3DwqUF/DpxFWkpsfTsUZ9TT23Py6/8xd8Lc/n111WceELr6JTc3L9zmfbnhuh5mZbEMizat69DbIwLTQg6dszmqP6NOap/Y+b/nctrr89g1eoiLr+0O/36NeGd9+cxfeYG1q4tomnTtPA6k3JbFAcPZZQUe02kntJHH//N7DmbmTV1VI3Xr7y8J7HxbkKGxSsv/snvU9dz1hkdACe0ujpOiYYDo4MmhBPW/cOPS+nUPouXXzgRIBzCLjHDQQemaRMMOiHOIcMiGLKYNvFyXnt9Jm+/N5vBg5ricm0fxuzx6Oi6wFdpIIRzjXJyy0mIc7N6bRFPP/sHLZunEwyY/DF1A61bZPDRx3/z1bcLOePkdhTkV1JWEqR+3SQefmQKi5bmcfLxbVi5eivDh7cAoLQ0wISJa7jlRkcKaNjQ5oyfsopbbvkJ4XHzyQdn4PHoVFYa0bpLbdtmkpdXgbQlAb/J5VeOxuPR6daxHmvXldC0aVrYYCujpDh4aJLwXL96qMduPqpwni1bUciQIU6UllN8zhnU77pnPD+PXcHmLWW4XBpeb7WQ4+gaRY0dhuv57P9BUdc1briuL8nJMVx0+bfc/+CkcJ0kosrfSYme6N+agMsv7YFtS1o2T8Ota/j9Rnhv21yVsCemaQIRNrJpqXFUBAyee3E611/XhztvO4qysiDt22cx9a/1jB2/knfeOIVuXericmk0bJTMW+/PxuvV+fLTs9F0jcQEJ6R63boSzrvoG04+uS3DhjVHSrjqyh58+9k5TJ58JS6XzhdfLcTrdUUNva4Lior8NGiQhO7RePqFaZx2ajteen4EPl+ItHRHY+9Q8ZIiaQORK7vt96+2dvU49B7V2d33qDUlxT+medNUvvlmMVuLKjEMC9uG8rIgP49dwWP3D+Pe247GFzCjYc+hkEUgYOAPGASDVrSKaihk4Q+372/pGSmhZ4/6PPLgMC6+sBsffzqPnNxyPB6d9ZtKCQYtXn5tBluLHD27YNAiP68cw7D53y/Lycx08mpqm+6ybUkwfC6BgEkoZJGSEkN2nUSO6t+Y/v0a88rrM0hM8nLSia2REi6/tDuZmQm88c5shg1tRu9eDUlOiuGmG/sx7+8cps/YwIjjW7NmTTGnn/MFw4Y046rLe+D3O2telZUGZeVBFi7MpbCggg7tsjBNi/KKIMGQxSefzeeX8Su58Pwu1K+XRId2WYw4vhXvfTCPoGnTvm2WmrpTHBKo6TvFXuMK59NcdWUvCgv8DD3+fUTI4uzznDWlC8/rwqmnfUiLttm0aZVJnawEystDXHDRN6xcW4gtYcDQt3n71ZPxVRjcdPsYfAGDRYty+HXyGl56ZgSZWfHRsOx9iWFYXH7VaOYu3EJqrIdRV/UiMyOeo49qzFffLaRP31fp0Kk+PbrWB6BRo2QeemQSjz85hbYds3ntxZOwbSePKDKQ27ZE0wWLF+dz2dXfE7JsrJDFX3M388ozI3jjlZO4fNRoOnV6jpbt6vLaiyOJiXHx/tuncf2tP1Gx1ccZZ3fh+ONaIYTguqt706vXK9genaceH05GRhzvvj+HvM3F/DBmGR+8N5tO3erx5isjee6FP/l29CJCIYtbbuzP8GNa8NOYFSxekkffwW+hS8F3X51DSmos/3fzAO66dzydOj1HZoNU3nhpJG63Hs1bUigOJiKktO8Ue4BpGMQextp3B5o9ycXaF3lbh0Lu184wTROXy0WPHj3oGta+a9qsKa2qad/F6DqfLfyKpfmLuV9p3x2SRLTv4qpp3/mU9p3iQCKlUwYuXHUnXLRPRgfBSDG86u1QlacS3Uct7fuzz0C039X7UR0hRI1zsW2Jrmu8/uZM/v57C7rXKYlu25L4ODc3X9+PBvWTdniO1fcbuTaO1lxVe43+yW22jVatrd4/50wifYy0OQm7Nfex/bmrPCHFoYMySop9gpNUWUtbdOCsvX1H2x8IIoN/bf0Gagzq1fsW0WZr2SIdj1tDC4vPSinxelzExXl2eC6RXKBIgqxzvO0VEiLbaZrY5trVbqydph1vW1tASW3nvr+QUhKOf9nunBSK6iijpFDsgB0bAKdt2NDme7zP3V0bOxCe4j9B4iiNR+bNXLoralhN24xKKkXEYJ2Q/4PVW8W/CWWUFIodUFYWZOOmUtq3y6r1dcuWSFtWuRthD2hbcVYgOkivXVvM4sW5eGLc9OvTiIQET63rPGVlQXJzK2jVKn23+1tb6Yr9hUDg1rZXCbelXUOVPJJcvGFjKbNmbSQlNY5ePeqTmOjd731U/DtRIeGKf4wThVbzAc70k2XZWFaVgnUk/Lv6e6s/P5A4g3jN/kGVOvfM2Zu47MrvATDN6ufl/K1rApdLw6WHHy5th7WhIvt/7InfePSxKYz7dRUVFaHt+hFRBZ87N4fb7xoXDZWPHNu2JZZdtf22a1TVDZItbWxp13jurP1JLNuKPmTY3YlsH22vJQYqsr+8ijyem/o894y7j9f/ehPDdnK2NKHx4dyPuPOXO/nf0h+jahfr1hfz7beLuPyq0UybvqHGNVEoqqM8JcU/ZkdTUtXrJe1o2wOh4LAjIioS2+K0CTLS40hPjwOI1imKBAzs+VSU8/6kJC8vvTSSnj3qR1+pTWnc49FIT4vbTm286npVbR8Jwli5qojJk9dw5RU9kLKWay+qnutaLXWkIq/v5COJTCnqmk5qbCou4WbMyjHk+Lbw0NAHeX7aC0xYNZHBTY7mu8XfgSYZ2XokAwc0YeCAJvz3vonKGCl2ijJKir1ChiuvFhYGeO/9WcycvRldE+geHSEk77x2Cpu3lHPpqO+oLKmk/9HNee7J43nznVls2VLOIw8NA+CJJ3+nYYNkzj+/cw0duf3a9/B82bSp63ngsclgmJx2ekeuGdUbcIRTv/t6Ib6gSf0GyYSCFv+54js6tcvi7juP5pvvFvPFFwt4+81TSU2N2aM8KsuSbNpURpfO2ejhYoZLlxZw+73jqCypZOCQlvz3rkFoukZJiZ9b7hjLlF+XcN4Fvfm/W/rz7ntzmT1nE6s3FFNaGuTJh45h0KCmCAEV5SEmT17DqKt6AvDW7LdZX7KeR4c9AsDTU5+mSWoTutXtxl1j76E8WEGiJ57bB99Gj3o9+GjeRywpWMr8TfPZXJ7D/cP+y+ntT8OWdtRgRdaNMuIyuKT7xc45CYO8inyklIxeOpo3Tn6DtpltOOWTU/lk7mcc33IEmtSwLElRiX9ffpSKwxA1faf4R3g8bj7/aiFDBjclL7+CRvWTyUiNY8LE1Vx304/cddvRjB9/Obk5Fbz5ziwG9G/Cb7+vo6jIT0VFiF8nrGbQoKYACHFgvo5CCPLzfdz931+56MIuXHNdP1565S8mT1nDt98tZsqUNfzyy8U899SIqLL5PbcNZPyE1Xz6xXx+GL2U667tS3KyF9t2pv62LV2+M9xuDbdbdzT4TJsbbx3DccNact0NA/j55+W8/8FckpNjmDF7EyOGt+Sbby7mg4/msnFjGfkFFfz+xzo+++BMLruwK08/P5W8PB/T/9rAnzM2UOEPMWXKGpYsKaBX/d5M2zCNfF8+ATPAhNUT6N2gN83TmnPHwNu5qtcVNEptxNN/PAvA+pL1zN0yl8/P/YyHjrmfdSXrMGwzWh49QmTK781Zb9H5hc5MWj2Za3tfw9LCpdRJzKI8VM6FX1+IW3cRHxNHfkU+uq45moAH0TNW/DtQnpJi7wkLmzZtlELXLvWYOm09g45uwvQ/NzJz1iYaZCdx3PCWCAHnnNmRpcsKaN0ynQ7tspgxcxNlZUE6dqxD/XDl0QMRbBYJKli7toiCokpG/7iMYMiic7e6ZGcnMmHiGoYNbUFWVgL16iXicWtIKenYsQ633tiPkSPf4a23z2bQ0U0IhWw8Hm2vy3cLAes2lFC41cfEyauxBDSsl0iHjnUoLQkwbHCLaIRfx3bZbNhQjEvTuP66vqSnxdG3b2MmTV7LvHlb+OybhaxeWcjmvAqeeW4qRw1ozo039aBjnY7M2DQT0zJomd6KRsmNWFKwmAcnPYSGTkWonMykDAA8uofzO59HSmwKp7Q7pWZfq83p6ZqOLW2u6nklV/W8komrJ3Lpd5fz4onPUxkMcPf4u7my55W0z2rLQ5MfJtZVs9KuQrEzlFFS/GOqL8aHQhbBoEmH9llM+3MDWzaXUb9BEn9MX09cjBtvjIujj27KtGkbKNzq45KLugEHTmnAUe0WxMa6SU2O4dvPzqnxuqYJ1q4rBuCrbxZRWh5E0wSVlQa/jF/JffeNYNLktZx2anvS0+OcGkc/LGHT5lKuG9U7vI5TlUa8M6SUJMR7cbt0Pnr3dBKqRaT98cf66LrV1sJKlqzIp2XLDCZPWUtGTDxCwKLFeRSXBRg2rDnHHdeSlSuLePa5qbzx+sjofgY3HcyMjX9R4i/hzI5nAfDOrPfoWLcDjx7zCM9Oe45p66Y5/UESMAJAVUCDtgPvtXp7nCcOXdNokNSAimA5p7Q/hbM6nMk9v95DdkJdUmJTakwBKhQ7QxklxT+memSdpjm1gzp3zuaKK3oy9MQPSIvTad2+Lrc+0B+A449txcef/01igpcuXbKBAyl946gzdO6UzTlndaRp62dJy4wnKy2ezz86g/9c0IXLRn1Pv36v06RZBump8fj9Bhdd8R0tmqbx4ANDuO6mnzjvP1/z5adnk5ISw9q1xdx2mzMF17p1BpbFTgMhItF9Qgjq1Inn/27uT+der5KSFkec18Un759BWnosP49bQf+h71BcVMmVl/UkKyset0fn4Ycm8va7M7GBF54agculEQpZbNpSRll5kFDImV7zelwc03wYX8z/Al3o9KzfA4BhLYZy99h7mL5uBkK3aJTcGKhFbQKBJR1h3MjHY0kLXej8sX4q9/16P27hJjkuiRdGPE+SN4nnT3qehyY8zGdzPqV+SgOeP+k5NKFhWlY0+k+h2BnKKCn2CqEJQiGTjAw3n356FrExLrp3q4fXqzNkcDO8Xp1OHbMZOKAxoaBJvXpJeL3O1y05xcvnH5+FS9eibQe072ELeMN1fTntlHYYlo1L10hKiiElJZafRl/I1sJK6tdPwjJtvF4Xrzx/ApkZ8SDgxedGUFBYSXy8h7z8CqSE449vTXZ2QliFYcfH1nWNzMz4aGSclHDmGR0YMKAxgYCJpgnq1U1Cdwnmz76WSr+B26WHZYskhmFzxeU9OeecTiQmeskIe2sej85R/RvRs0e9GtF6id5E3j3tXXShEed2IglHtBpBr/q98BmVZMSlR6/Hzf1vjk7TRf7VhV7D6dNx9t2nYR8+OvMDBIJEbyJpcWlIJF2zu/DmKa/jC/nISsgi3hOPlOAKW+mkRK9Sc1DsFGWUFP8IIYjW+UkI/+t2Vw2K9eslRf+OJJBK6QxOhwINGiTXeB7pW7R/4QG+TlZC9HVd18iu4zwf/+sq/pi+jpeeP5Hk5F1H4pWU+PnwwzlsyS3jmCEtSE72IqWkbnbidttGjglOwUGXS6OoKEDTJkk0bZIa7k9VuQmXSyPBVVPwUiJJ9CawLRnxGWRs0xZTy9rPz8vHUFBRgB5OiLVtiwRvAse3Po4mqU2i20Wm56SUZCVUJRtHigauXLWV339fy6Tf1tK3b6MdXh+FQhklxT9iT6djqouMHqrsqm/VX7/w/C5ceH6XcLtjkGq7JkI4uURnnN6BX8YsZcHCXAb2b4yUnqiY6s6ICNmeeEIrEhPc24jd7vy98h9oaC8tWMq6wnW4dEe9wbRNMuLTObrZQGJdsWEhWee/qs92W0FbSeHWSmbO3MjgwU3p1LHODrd1zusQ/nIo9jvKKCn2Ck3T8Hq9h7Q+24GmSvx0x3p5xx/XkuOPa7nNa7vedyTJd8jgpnv0vn/K/w24daevby/DWzt9ezekb++GNd9by1vdbsf4HYh8NcWhiUvdkyj2hMj3pby8nFWrVlHpq3RizYRA07SqhzJWYQQIia6Z2FLHMMC2bBACt1vbY5Vuy3KiDg5Uvo8RFletjhDg0tx71HfLllimDQJcLp0ddd+0LFy6ToXPV6XWvs0jQvXnahw7tKjts9n289sRylNS7BFCCCTQu09fbrr5lmitIcuyCAQCBPwB/AE/hmEc7K4eIkhsW6fCl0JsTAUeTwBpaweuZsS/FKEJEhITsSwnKVkZnSMHZZQUe4TucmFIeO+dt7d7bcOWHJYvW8aqVasoKS7iSB95JaDrFhUVCUycMoyunebRtOlqgsEYNKGG2Z0iHIVxl8eD2+WORu8pDn+UUVLsFZVG1bROZLHdMAx0l4v0tDTi4+N3e73hcEVKcLttSkq9JMRbZGWl0qhRE/x+tzJKu4HL7SI1NZXk1FTn+3Rkf52OGJRRUuwVLlfNr44A6tarh6brpKamEgqFDk7HDiEcoyTZWuQiOSWdxk102rTNxOfbe2miIwld04hPTKROnTrExHgP6YhNxb5DGSXFPkECbpeLevXqkZqaGl0LOJJxklohOR9SUlw0aJhEy5Y2Fb6dJ9gqqoiNjcXtdimDdAShjJJinxGJwouPjzvYXTkkkBI8AvyJ4HZbxMfrxLpBJO5chkhRhZSHdk6bYt+jjJJin6MGEQcpQYqq6xFRN1ADrUKxY9QkgkKhUCgOGZRRUigUCsUhgzJKCoVCoThkUGtKCsV+5J+uH0mkkjOoRkSw9Z+IzCoObZRRUij2E0KAJiAmxsnj2hvj5BFCJY1Ww9ZcCMCjeaLVcRWHF8ooKRT7AWmDJuG9z22WLZds3CKJjdl9p8e2bdwa/LJqIjM3/kWCJwFLqtwvKSUxupe/Ns2gVUYrNEBdlcMLZZQUin2MZUGsC7770eb7/9kMHKAx/BhB106C4C5KpYNTMC9G11hcuIK3Zr5Ot3o9SI5JImQbR7x0EwBC0K9xP87vfKHjgYZrOikOD5RRUij2MbbtPEIh6NhecNuNTjxR0N49JQdb2tgSQlaIekn1ubLnVWTHp+/nXv/7MAFT7n5NJ8W/A2WUFIp9iCYgPlyRPLKWFMGjgbEb83dxuvOzjHPHoQkRXTuxgZCt1lEiaEIFDx+OKKOkUOwjNAEVPvjoY5sYL8yea7NhE7z6jk2lDwYPEnTrJAjtwGOSUqILyWcLv6HEX0RuRT6L8xbz4bwPSHDH0Si1CSe2GoEhpRqQFYctyigpFPsAKcElYMZMm9sfs9Hd4RcETF9sU74Vrs0RdGyno7mc7atH1dnSxi0E60s38eiEh1m1dTWxrlgkkr83zKc8VE7fJn3o07APabFpWNJWhklxWKK+1QrFvkA402t9+mg0yA6L02rOAw1iY6B/b4HXDYbBdmHemtAI2TbNUhrRLrs9mhBU/0/XdLrU60aduHRClqkMkuKwRYvUTVcP9VCPvX8AhGyI98L1lwn8lU6UnUsDXzkM6CcYfrTAsEHTa9+H0DQs4Nr+Nzgh4FgIIQjZIeon1+OKPldhSdA0/aCfr3qox+48qrO771G3WwrFPkJKxwgNHKCRHAO2dH5kQkLPzpCeJgiYO47AEwgsoHeDPjRMa4Rt2wicQIcWmS3plNFGrScpDnvUt1uh2EcIASEJLZoLzj5V4Ct3puqaN4ZzztAwbXDtIkfJqcEkuKr31dhYznO3m1G9r8GWEhX9rDjccW3nYykUir1C4OQmJcbAwAGCDz6XWDa0airo2EZQaYQTZ3fym7Olja5rDGs+nHhPPAEjSGZcFoObDUMK4bhfCsW/gR3N3+0CFX2niGKrHJh/jBAQNGFIP0nf3jZT58B1l2mYlg3SSardORK/ZVEnPoNLul/K0+Of5P5jHiBOdxMyLUCgxEj/OZqqR3/IooySAnDWObzhH+qeDnn7ekZpb4bcQ2lWywDqZkPbNjp/zYbhQ53+7WrqLoIF6LrOwFaDeHrCEwxrMxyvy5nUOJTO899MUN1/HbIoo3SEI6XEqwtWrV3PCccOJzUtibhYF5ogPAKKbbZ3/o1Iu9hS4vOFMIzd+5VHBlZbSjy6hselURE00YQgYo5idVEtGEAgaxuJq/VNSvCHDp1RRgJIydZiiPND1y7CCQ3fLWsro9fIZ1SSVJ7Eeb+egVf3htuVWdpbhCawLIvGTZrww+jR+A0LfVdChIoDjjJKCgSQk5ND/fp1+OSTn5g5Yx22rodr10BkNHXslIz8AUi8bp1OHbLJzIjbLiF0RweT0saj6xRWmqwvqaR3gxT8hqP1bAOrKiHgt8PhaxJhO5PRIlr7QUa7IAE30LJuzKEzXItwwILbWUPyB6LNu40EdE3Hq3sJmAFsaR865/cvJicnh1NOOzVcSkRNgx6KKKOkAMA0oVnTTL76vpQP35lFh54tsEwDXdgIaWNjYUob07KRhgTDJi5OMH/aSk6+uAeP3DcEy5Lo+u4NnQV+i1dnriQrNQ1XrEH37ATAmfq6YalFTLyFFjAwyk3sCgOzwsCqMLB8BqbPxK60sCoMzHKbpFQX05/seMgO2nFx/+z9Me6YfdMRBfEJCcTExB7sbih2gjJKijASgaS4wsdDD/Ri5CmJQAllaJQSj00DTLyEisG7BRqEwJMJX731K1MDQQAsy975dIi0MYSGm5W89tVHuOtdSOsUndGLNtM9uzVSSkwDkkSQpFidLfMsCAUwy4NY/iB2ZQiz0sAKmMiAhbQsrBUSV6d4bCT6IWuWFIcKtm0rD+kQRxklRQ10TZC7uZRQ2R+s1wuYqgvWkQ1af0RhK4zfIW2FpLcFvTIMcuduRuteN/p+KcGytv/Ra5qFprnQAuth7Q0MbtqHR6fNZ0NeFk+e2sdZLxGCEJIMv8W9KTGU9XGhaTHExUgqK21sKYmNA90NZeVgCkm2LvjvZ+vxB2wSYtT6gGLnCCGwLBsLZ/pOCP5RuXrFvkcZJUUNHKVqC4+Vg4zNp0SHXDTQQiA0/CUQ3CTxWxqeUh/6plJkr3rR9wsBLldtHosLGdwMS6+ARiczcEsx7ZLHkXHBO5EDgxBYtiRBWqSWa9hC0rKxzoZN4I6XFJVKkjSNvELIqgur11vENdQpr3AUuhWKXaFpGsFgkDXrNmBbFvXq18fr9SjDdAihjJKiGuHQAdOCwAb88blslpI1gJBlyKCkPAcq1kjKbJAxASo3FCLcjkXQNEFxicmPP2+lLBDCsiw0EUJKL73bF9Iz4S5Eg5GsH7OJr1/8Hu2Cl4j/4Hc6tK9P/57NHcNkg8u2WJNvkldh0biBl3uel5TJUqRlEO/KpKLMJi69Ap+vkszYbLb6bdzKSVLsBo5RCrBi2TI8Xi+6rlO/QQOVt3QIoT4JRTWcyDoRqoBAASFXETl6Ibl6LoWighzTxZpcjbWbdUrzNcQWg0DJVkT4B+1yafzxVxl3PryWrYUGpaUhisph9fL5FP51IVqDkVTOLELfuIKUW9+iyBPP+JlrueGhr5yjSxvblrgtm62lBlsKQ3hc8PGzgtKtfhYtLeXl/0p+fFujojTIzHklPH4zdG4nqQgczOum+LegaRoBv5/Va1ZRWJBPSUkxfr9/11GjigOG8pQUVUhHqTpUko+RW0ae10+JZlFJKW6tgFDeFiqKoLTSZqvLQ4mWQ64sIq7a3FlFZYjLL87i5PMzeOf7AjrV28L9Z7wF2TdRPi6Hz54fw08NH6FuMAmPJbnjtlO454E3q3VBoktJXkkAvCaPv5rIRedJxn6YycbyLOISBQUmvPtaJpuLUshOh62F4FbfZMVuIITANC3KSkpJTk7BMEylZHKIoX7KihoITVBeVMCaNT7WVFRSodkE8WFqmzA3LEWWSYwg5Joulugb2UApHWpEvdmUVwQZO7WYNz5ZyjeXvUrAczzBX7bwxYtjeLLyVvLnVmBM3oIRhN5HxzvrVREkuCwoDwb4e0mIwb3g1BsE752UR+iBr5nZKEhJoJJKd4Dlubl4n72J1DppWIYFKtBBofjXo4ySIoqUEk0XbC3MZ+n6CtaX+CnTJEF8aGIzVu4KzFJJMCTJFS6WuraQQxldauzFQggDt+7i5LZrOKWdxD8zl09fnMyzlbfis+NJ1n2YiR4sD3hcOhIj+m4hoLzM5Ph2sXzxtUbxZpg5VfJSkcbNdf/Gk72Q+EodO83ir5mb2bjxfDzeLKQSKlUoDguUUVLUQBeCnMKtLFlfwUZvgApNEsCHEJuxi71YZWCEJHlSZ7m7kHwqtskPsrAJYdkuypa+xZgvkhi/cDO/mDfik/G4DR/BkI00TEwDTOwanpKuCUqKg/TrXI8/voMH3rFo017wyHV1mfH57Sz/bQWBNItyM0D8pVvpMKAlo8f60XS1PKpQHA4oo6SIYktw6xqbthYhPeVsFCF8GphoIDYjfQZahaP+UCh1VooSijQfuqg5fae5JcIKMWHVCWz0dGJzsAExoa3IoI/KkIUVNLFMEyvolPnWXFWeElKCWTXH37epzrFDnb97n9uO3ue2267flV8vRCijpFAcFrjUpMeRjaz2r5Q2oWCIGYs20cZKYE1xGcU+P9jFIE0wNkLQpgKb+WisCfnx4Sbgq8QwHMNi2wEWLc3hojMb0WL0HSACaFYAw26IJcGyJVLaWLaN261R6t9KYXEBhmFgWSZuobG1yM9pjy9ESEl6Erw11UYDpGFiW1U9llJiaxoSgUtYuy0KqzhyiX5P2XX5bsXeU/16ylradobylBRAWJtaeDl+WBv+OvE2YpJTaGyaSGmDtHF+xtUfEpcuMCorOG5oZ9xuNwAjhrfj2x/yePqNJQgtCJqBFEY4+TYEmoHQnOdCN/CVbuXC00/E7XZH9/Hj3R3IDTilxc1w+XBHQLNmn4UAy4bsf6gtpzhyyMrKOthdUOwCZZQUAKSmJPH7H3No1/5Rhg5xoWtbtpH8rj2RQwjBn9M/YNJE5w7U7dIY2ssb9mhEzffKbZ4jEKlZmBvX8+CDDyKEcIItNIFLF1V1LnaBaUlsFeig2AVCCPx+PxKpSoAcwiijpACIGgO/36KkxL9HdWY0TaCFc5VChk1evm8XxqSmARFCoGtaVCjTtiXBPTAyanhRKA4flFFSAODz+WjXrh3333/fwe6KQrFfef/9D1RJ+UMYZZQUgCO/4vf7MQyDUCiEx+M52F1SKPY5xcXFB7sLil2gjJIiihACt9uNlDIadKBQHE6o7/Whj0ruUCgUCsUhgzJKCoVCoThkUEZJoVAoFIcMyigpFAqF4pBBGSWFQqFQHDIoo6RQKBSKQwZllBQKhUJxyKCMkkKhUCgOGZRRUigUCsUhgzJKCoVCoThkUDJDilqxbacchBCgq6quCoXiAKGMkmI7pKxZjmLf719iGLZTN8lVZfBM044aQpdLRwinL4ZpQbhPke1tW2KGy6a7XFq0r5YlsSy7RpthWNECgTvah65r6LrYrh9u9+6X8FAoFP8cZZQU2+FyaUydtp5lS/No2SaLvr0a4vHoSLlN3b+9QEqJEAKPp+Zgb1myhoGKIAR4qhkG25ZRg7ntPmxboutiu1pQ2xoWy5boO9lH9X7YUqL905NWKBS7jUtVFTmykdv8C453kpfv48eflpH7/jx+/P4CsrLiw0X4ag7QkfG6eqnyHY3hEYNSUhzggccmM+Topow8sQ0Aui74/MsFTBi/jKYts7j7tqPRdIFlSR56bDKb1m1lxEntOf2UdgCsXl3EU8/+jmVLbr/1KFq1zEDTBLNnb+HTL/7mgvO60L1bPSorDd79cA6LFuViBS1OP7MTxx/bEoD1G0p4+PEpuAWMGtWHzp2y0TTBZ18tZOK4pTRoksGD/x1S83qFjari8EKybelJxT+htuu5u9dYLRYotsMwTE4/tR0vvHAyTRunRo2MpgmEoMYjQm1t1YkM5suWF3Lv/RNYvqyA0T8swTCc6bOvv13Mm2/PYvDgFpSXhbjn/gkA3HTrGFauKGTYsJZ88eUCfp2wmspKg6uu/YF62YkMHNCE/7tjHP5Kgx9/Ws77H81l+vSN/DF1HQAVFUHefHs2jRqmctSAJtz34CR++HEpSHjhxekc1b8xycmx3HbnOCoqQvzwv6X88MMSBgxoSmlJkPsfnAg43pVznsogKRT7E2WUFNshhMCybDZsKCYUsqJ3N4Zh8cxzU+nS5UU69nyFdz+Yg8SZenvllRl07/c6Xbu+yJPPTAXAtu0a+xQCGtRP4t57BnHOGR1JSY7F5RJICaN/WMoVl/Xkggu6UVlp8OOYZcyetZn5C3N449WTOeuszqxctZUfflrK+PGrSIj3cP99Q2nWJJ0/pq9nzNgVDOjfiMceGcbAo5oSG+OOHrdpoxQu+U83Lrq4O1dd3oPXX59FWXmQe+8exEUXdOXRh4ezJaecLZvLmD17C8cMac4ll/Tklhv78cu4lRTk+9A1waQpa2na9jlmzdoEVBkqhUKx71BrSopa0XWtai0mPDf37ntz+P2PdcyefT2bNpVy1nlfMmxIC2bM2Mjo/y1h4i+XkJToje5D07a/54mLc5OQ4KGsPIhpWAghKC4OYJkWifFurr3hJ7bklNGrWwPGjl9F25aZzJi5kZde/pPOHbORFsyYtYlunevyySd/88HHf3PS8a1ZvqKQ009rD0BpaQC7msEIhSxy8yrIyoqnRbM0EhI8BIImWZnxAHz06d906ZhN8+ZpZGbF8/1Py4iNdTHtz41YUmJYdrTvLZqnERsbNnj7/rIrFEc8ylNS1EokJDyyViSlZOGifI4/tiWaJmjcOIUhRzcjP6+ChYvyOO74VqQkxwA7D4aIRMdJHFtn2xKPR8Pj1XnosSn06lGfD945nYDfoHHjZFatL+apZ6Zy1x1Hc8l/uhEIGDRqlMw3/1vC73+s5+svzqZZ0zTcLh0pnX0LIaL9jyBxgiCklLhdGjFhT+rzLxbw4ad/c/vtRyE0wXVX92bYkOaM+Xk5TZukkpocQ0KCBymhT68G/PrTxXToUAdgv0UnKhRHMsooKWpF0wRxcW40TRAf70EIQYsWaUyastYJVigJMPn3tWRkxJGREceYMcuj79vZuosTHafh9bhwu/Xo/tPS4mnZMoOL/tOVH39eRkFRJaec3JbCrT4uu7Q7/fo14rW3ZtK+fRZDBzentDTIc88eT4zXxXc/LGbwoKYIIaKh3TFeV7QvlmWTmR6PEIKHHvuN5i3TSEr08P6Hc3n1zZl8/tEZdOpQx4nq0wU3X9+XTz89G3+lQds2dUhK9CIEzF+Qx0VXfMeKFYWAE5mnUCj2LWr6TlENZ5B16Rq33DaWseOWU1oZot+AN7jp5gFceUUPlq8qpFu3FxExHm65vh+NG6dw6cXdWLFiK116v4puWpx9Xjduvak/pmlFp/AkEoFg8+YyLrjka3LyKwgGTabN3sizjx3Lg/cN5pbbx9K583MkpCfy0jMnkJjo5f03TuX/7hrHE49NoHOPxlx2SQ+Sk708cM9gjhr0FgHD4srLetKtWz3Gjl3JPfeOY6svxNhxy/hl4kruu3MwFnDiSR8g3DqDBjbl9luPYvXqIu57eBJSwNn/+YqyIj9PPX4cTRqlcMlVoykt9nHWmZ147OFh0ajBvLwKvv/fEkZd2sM5p+2DERUKxT9EVFrqdu9IRkpJnC74/a+ZPHLfvYwfP55QKIRpOlNgbrdGMGjh9ep4vc49TGlpAF3XSEjw1NhXWXkQpMTjcRETs+P7nbKyIC63hhACw7CIi3XjcmkYhkVlpUFsrLtGXpTPF8I0bZLD04MRSksDaLogMcFZx4q83xvjwrac6bu4ODe2lPgrDSRE17wsS2LbNpYt8fsNdE0QG+tG0zR8lSGklCQnxWzbdcW/nOLiYtq2bcc1N9xAo8aNadWqNS1btSIxKRE1Eu47dAGGbZN0bwwX9biE905/k1IjhEf37PK9ylNS1EpcnDv6d8QYRYzEtsYh0l49yGHsuJXMnbMJzetCShlViTj3jI40bpwS3S42pmrfbrdOcrJeY59SQny8Z7tjwfb9qP7+6mgIEqv1TUqiSbZuIMZb82eQtM22KgpcoThwKKOk2G12NDhXb49MdYUMC7/fRJMSaTsTg5qoCqPedrDfdt+R5ztq/yfsyT52Z1sZvcUWO93+QBm43T3O4W5wd/dzURxaKKOk2KdEItJGntgmqtZQG4fTILG7CbUH6px3dRwpJbZNNBox4sVGsGwJUh5UIV7Ltpx1SKGhi7BWobSxZVXum67pCESN9kgbqETnfyvKKCn2C5Zl1wjJjuByaYfVYGHbko2bStla6CMjM4FGDZO32ybikRQV+fF49O3W4nZGJMR9T8LPCwp8xMa6d3gcJ0oRiov9pKbGbufp6ppg2wgOy3I+y4ho7f5ESomuVU3DWtJCFzqa0NBETUPpaBNu326aNitWbsUIGdSrn0xmRvx+77di36CMkmI7IurZEWkgKZ0pOV3XonlGUKXObZp2VCRVSmcgjYR+H2hqKo1XGUDLsqMDq9PubBvZxjTtPSrTETE0OTnlnHbG58THwJnndOW6Ub0Rmqi6TgKQ4PHo/PeBSfTqUY/zzu3k5Eu59eixoWrqs7ogbG39qe0cbRtM0wQEV13zAyed2IaLLuyKYVh4PC6EcJKIXS6NVauLWLu2mAULcunapS4ut8ago5tGP+fFS/PJy6vg6AFN0F1adA2uRh9s0zFuQo8+14WOREa9HE1oUc8l0mZLiQBcuivq0USvaThCUwjBT0t/YlPpJno07EmP+t0BWJC7kPk5CzAtExuLE9ucQJ2EOmwq3cQvy8cS647l9A6nEeuOpaIixPOvTGfWtLW071SfTz86M3IQxSGOMkqK7XASS7cfDKsHCFSn+iAaGSgPBlLWfmyn3xrbdDuqWLGj9+0OwaBFj+71ePP1kwHHsAhqv04xXp24OM92quW1HduyHAMxdtxK6tVLpFPHbJwRVdS6vaaBx+P8nDMy49F15yahepBKRBHdMCxmzdrEmAkrWbO2mJEj2zgGUQg2bCjh+JM+on69JH767gLSM+KQUvLnnxsxLZujBjRx+qzVHDoizwUCrRZDWt3zqQ2JjN4EvTHzTX5f8zup3hQmrpvErf1voU/DPjw//XnySvNpX6cdQSvEkOaD2VS2met/uoFkbwrx7gRWFq/kgSH3k5ISw9uvnsySJQW8+PL0nR5bcWihjJIiigxPt/3+x1pmzMhh9rzNtGmZwZKVhZx8QmsuOK8L33y3mFdemoaIcfHQvUPp2aMed987gXPP6UTPHvXJzS3njbdm858Lu9CsaWr07n+/9lsSvjMXvPzqX4z5cRGJmUk88t8htGqVgRDwxluz+OK7hRAwuPOuITRsmMy9D07kqUeG07JlOnfeM56GDZK59uree6QELgQEAiZbtpSTVSc+sprBV18v4v13Z+BK8HLnzUfRv39jdE2wfHk+J581HyklTz08nDZtMrn/wUm4PRoTxi2jV99mPHjf4KiU0f9+XEa/vo3o3CmbyJTaQ49O4c8/VlGnUTqP3T+UevWTyMur4Krr/0dZeZAl83IYeWIbfp+6npdf/4vXXziRjMx4rrr2f4w4rhXNmqRSUhIgKz0ely7Iz69ACEEwZHL3fydw0vGtCQYsp44VznrTH1PX4w8YDDyqCTYWj055nM7ZXTipzYn4DT/PT3+ekW1GUlhZwMvTXiVghuhUtwN3D76LRE8i7815jy3lOUxdMx2v28NLI1+gcXLjqHeEBE1oVBqVjF81nudHPEfjlMa8P/d93p71Nn0a9iE7sQ7X9bmW7vW6R6//m7PeJN4TzwdnvMfMTTM59ePTOaP96XSs0xHDsNiypazWaWTFoYtSdFBEiUQrrV1bwudfL6Rzp2y+Hb2EZo1SWbaskK+/XsQ7783hxRdP4v9u7M9td46lvDxEIGjx/eglAPz55yZWriykXt3EA2KQwBF+1YTgk08XMHvWJkZd249eXetx+agfkBLeensWP/20jJefPYGXXz6ZXr0a0LRJKs2bpvHUc1P5bvRS1qwu5qQTIoEZAsOsmu7bFZH6UC5dQ9c1pvy2ls+/XMioa/py6kntuP7mnyktDeL26Pzvp+U88dAxtGmZycOPTUFKydffLmb9uhJefvkUZs7ayGdfLKC42M/qNUXYUlJUXMmatUVUVIR44aU/ycsp4+pr+1O/TgJX3/AjlmVz9XU/0q1zXV54egRdutenvDxIl07ZxMW4efbF6Xz0yd/4fQZH9W9Mw4bJXHddH0YMb8n11/Vh8KBmCAHvvT+X/n0actP1/fH5QmRnJ1BZabB6TRGVfoNAyGT1miLKSgzivfF8s+hrAFYXr2ba+mk0S2tG93o9uLrP1YzqfSUrt67kg7kfAPDT8p9YXbyGZ094mlYZLZi6buoOr6WUkl9XTWBl4UrGrhgH0vkO+UN+zvnsfHq/0o8h7wxlfel61pWsZ2DTgXy/ZDQ3j7mZno168nfufMDxhFWRxn8fylNSbIfLJejdvT49uzVgxYqtDB/agl8nreL3P9Yx4tiWdO5cl86d6zJp0hpWrCzkisu68/QzUyksrGTS5DWcfFIbYmJc0eqy+5vIMVat2crs2RvJKarEX+KnRetMkDBh0houu7QHHdvXqfG+Z544ljPP/ZJzL/ySvA13kJIaGzWk7n8wBbl6TRELFmzhtXcM/BVBGjZOxuPRCYVsRl3Vi7ZtMjnj1PY89fQf5Of76NA+izvvGEjzZmmccGxr1q8r4fvRS3n3vZlszPMxeepavvlhMffeNoiNm0r5c/paVm0owVfkY8Dg5ixfvpWy0gDXXtWb9Iw4mjZNJRgwSUry8t6bpzJo+Lt88OFccjbeEe1jSkoMV17ZM/r8rxmbeOnVv3jooaF8M3oRa9YX8/W3SzBCFq++8Rc5BT6klPzxxxquv3IQ55x2Bn+tn8na4rWMWT6GgU0GEueOY8q6KTwx5QliXXGsLFrFgCYDAGiQ3JAzO5xJ+zrtePr4p6PHrR4pZ0ubWFcsDw17kNvH3MmYpWNIjk8mzhMLgFt38+yJT3NCqxHY0saluYhzx/H1wq9pmNKAL8/5kuemPVdDnV7x70MZJUUtOANFIGhG/3W7ddIz4li6vCC61aLF+Zw8si1du9QlLt7DL2NWUOELMnJkW6SsvZLsvqZ6Fr6vIsTpZ3TmoQdqFuYTwLy/czj1lLY12hcvzictOYYTjm3NTz+v4IILOiME+P0mX36zkO5d6tKxY/Ye5/ME/CYDBjThw/dOr9FuWzb16yUBsGJFIaZlEx/vwTBsGjdMAWD+oly6da3HpZd049JLunHfA5Po1aM+J57YGoCPP/ubUVf358orekT3u3lzGSVlAXS3TsBvMnX6RgYd3RSAqdPW0bZVJmnJsYwbt5Jjj21Z43wia1fBgMmQoc3438/LKCjwkb/Vx5hxK3juyeM479xOvPPOHIIhk2uv6R09bsuM5kxcM5Flhct5ZNjDADw6+XHuHXoPg5oO4qJvLsa0jfBnEA52kBIbOxogUZ1IBF3HOh355ZKfAbjo20tom+l8bhKJW3M761PSMWSNkxuzuXQzv14yHlNaTF03nVG9Ru3+h6U45FBGSbEdoZBJhS+EYdhUVIQIhkzKy0Pcdmt/rrv5Z0aMeJeA1Bg0oCndutZDSsnJJ7Xmxtt+4f9u6EdMjCvscez/vgoBzo2x5LprenPF1T8wdNg76B4Xxw9vxc039eOeu47m6ut+Ys6CLRA0uPmWgdSrl8T5l37Ds48fR9s2mQwc+g4VlSFGXdkTXdd45MkptGySxi8/XbRbBslRVHdyfs45uyN/TFvPUUe9QWxyDF061uWpx4/Fsm1uufVnmjRNpag0wBMPDSchwUN+fgXHnfwRLtsmITWOC87rjGE46zn5+RXk5VdgGBaaJrjrzoFcdfUPfPPtAtA0zj+nMxec34VBA5sybOjbdOhaj0ClgcftYtr0Ddzwf2P45P0zkDacdPonPPfkcZx+WvuoRxiJqjv66CYcfXQTABYtyuf+Bybx/lunAk5gRF5+BcGQiWFY2NLG43FxWrvTuPL7URzTchj1EusB0KthT27+8VY6Znfkry1/0aVeFwAqQxUYtuHU1QpPx1XPOQInN8mluRi9dDTvzHoPgcbRzQdwYZcLAfAbfoJWEHCmmiWSE9qMYGHuQk78cCRlgTLO6nAGrdJbOWK5YRV6xb8L4VPad0c0UkridcFvf83k0bD2XWFhOYYBCQleysoDJCXF4Ktw1hiKivwsWpSDJ8ZNn14No/uxbcnS5QW0aJYWDUE+GOTlV7BieQESQb26ibRokQ7AlpxyVq3eCrakdetMYmPdbNxcSvu2WQCsXVeMtKFhw2Qq/Qb/ufRbOrXL4uGHhlGb7mrE21i7tpjHn/yd1145CZdLiw72ZWVBFizIwQbSUmLp0KEOBQU+1qwpIhiyqF8/iebN0jBNm1NP/4xLLulGZnosHTvWJSUlJrr/vLwKYmJcJCdXtW3YVMq6tUWAoHGjFBo3TiEYNJk7dzMpqXFkZcTj8boIBk2KSvy0Cl+DFau2EhvjomGD5O28P8uSmJaNAPx+g5LSAFlZCcR4nbD1rVsrkRIyMuJqXIcVhSvITqxLkjcRcAzHorzFaEKjblI2sa5YUmNTyS3PJTEmkXj3rvOFtpRtYU3RGmLcsdFwcIC8ijziPfEkeBJqbF/iL2F+7gISPQl0q9+tKngCmDcvlzffnskbr40EoLiomLbt2nG10r7br0S075Krad+VKO07xd6SlhaLFg7xTUx0vkSJCR5sW5KWFsvAgc2i20YGN00T0QH+YGHbkjpZCdTJStiuvV7dROrVTazR3j4pK1zXSdK0SSoAZaVBbrjlZzIy4njg/vA04C7UwNetK+GHH5bQoWM2LVukI6UkKcnLgHD4dITMzHgyM6sG5chdvM8XYuigZiSnOFp+1aP/6tSpOhfHK5Q0apBMowY1k3S9Xhd9+zau0ZaY6CEjHNINRI1TZF/VqR7C7vHo2+kKpqfXNEbgTKe1ymhVoy3WHUvPBj222zY7MbvG84AZYPam2Vi2He6LwLRNMuMz6ZjdgXpJ9aqOE74edRJqrglGXkuJTeHopgOrzg1BKGQxb34Ov01eTUmJf7v3KQ5dlFFSbIdh2Hg8kZG46l8nObaq8J9Tr6jqfU5C58HTGdu2f0IQVUOo2S6iA3yk5lJk4E5K9vLhu6fV2O/Ozic9PY5u3ery0UezGXFie1q1TA/vryqaMdKPbduikkwj22JGFTBqqjfIcH2MSB92dC6RfVf1NfJHlYHbk89n27D46te06gjh6yaqAhYi+UbRFlG1nRAi6sWUhcp4e9a7BI1guE8alSEffRr1pnVmKyfvSTrViyP92PZYkfOvOiYgnevn95t88sV8Nq8tZMSJHXZ9wopDBmWUFNsRGUTDz2r8u7NB7VCoxLqj/tXWXr2/1Qfg3ZHUiWyelOTliceG1/r6trlOtbVpmuCmG/ru5Djb96G2c6lt3+FXahxrd6mt77u1HbUXeYy0RQxKVlwWH575/i46sfNj1XrM8D/JyV5efvaEXe5TceihjJJCsQ17ou8mJZimFRU13ZuIQ9O00XXtsBKp3RUSiWEZ27VrQttOLWKv9h/9XCSaph00lRHFnqOMkmI7ttW+s6Uj0rkj7TvDsKOyNtW17w6G8GpEFw7hVNDVquvQ4dxtu90atnTO0b2X2ndVVE2lVb8Ll1JimHY0dNnt1jBMJ5AgEhBhWTYul35EDpgCsVuL3nu9f4FKnP2XooySYjt2pH1n27JWTTe3+9DQvrPt2nOjtu2zlI4kkSc8aO3ofbtDRM2h+r6d6bWq/UeIJORGhE+1XejBKRRHIsooKaJEtO8WLsplzZoy5s3PoU2rdJat2srA/o0ZMqgZs2dv5p13ZqLHuvm/G/pTv34S738wl2HDmtO8WRolJQF+HrOCQYOaUL9e0h7pyP2jvocH+u++X8zYX5aRnJnI7Tf2JzMrnsmT1/D16CWYAYOu3etz9ZW9WLFyK59+NZ8bRvUhPT2Ojz6ZR1yshzNOb79bfY5EHRYWVvLAo5MJ+YKcenoHjj/WiUYrLQnwzIvTyN9SRpMW6fzfTQN45Y0ZtGmVzvHHtmLd+hI+/Xw+V1/Zi7S02AN2nRSKQ50jb95AsUMiEUxz5mzhvgcnsnlLKfc/OIkli/P59ddV/PbbWu57aBI9ejSgTmY8V17zAz5fiAmT1vDlVwsBmD1nM199vZC4WHc0Cmt/Y1mOhfhl7EomTFzDgP5NSE7wcuvtY6nwhajfIIl+fRoyoH9jxo5byedfLiAx0cusWVt4+rmpzPs7l3fenUt2diT8WkSTYXeEEI5C+H0PTqJt6wwGDGjCa6/PZMpva6nwhbj2hp/wVxr06tWA1i3T0TRBWlosd9wznpWrtvLMs9MoLQni9ephWRxlkBQKUJ6SohY8Hp3uXetx/jmdqaw0ufyi7kycvIbRPyylf5+GXH65o5l2+VWjWbOmiGtG9eK99+fg84UYP34VJ4xoRWpqLIZh43bv/8FWCGdInzN3C+PHLmPdllKKcsrxxHuctQu3i8++WoBhSdYsziXnqCbUzU7gh6/O5czzv2TEyR8ybdIVNGueViNMfEdEvKQtW8oY++sKVqwqQLh1Fi/IIRiymDNnC0UllXzy0RnV3iO56PwuuHWd7v1e54ar+vDIw8MOmGitQvFvQRklRa3Ex7mpqAgRG+PCHzAQGrg9Ov6AGd3GVxGipDTA0CHN+eCjefzx+3oKCn3cecdAp3roAalSWhWuXFjo4/wLu/Pg/TW1784850euurInJ5/UhvMv+jraXloWIC0ljgbZyeTl+WjWPA1w8rTmL8ylSaNkMmqtWOp4gKWlQbKzEvjlfxfVWFcbN34VFeXbRpY5nawoD9C1Q13Kyhy5nEjekZq6Uygc1PSdYjt8lQYFBT78fpP8fB++SoOSkgDnnduZP2du4o47xnDVtT8QG++hYwcnU//ogU247d5xNGuWGl4jOTB5S9UTR889pxO//bGW22//hbv/+yvffr8YKSXJyV7eensmDz02mfHjVyOEYP36Es4470uGDmnG22+ewn8u+4Yf/rcUTRNUVhqccd7n3HCzIwq67SxeJBG2U6c6dO1Sj9PP+Zy7H5jAw49OobCwkq6d61InK4Ezzv2CO+8exwuv/Ill2jzx9B/89MsKvv3qXPIKKrjwkm8pLQ3USKpVKI50lKekiCLCRmTQwCZ06lCP+g2SqF8/kUaNUmjaNJUunbN5/pnjGffLMho0ieHyi7sTG+t8hc47uyPeWBfHDm0e9l4O3J2/pgkk0LtXA55+4jimTFmNFIKEeA9CCJ58bDg//LiU2HgP33xxDo0aJeNyaYy6oidnn9ERIeDFF04g1uvGth0j1qNLfWLCVVtrW+6JJKs++/RxvPv+HCoDBvExbnRdkJERx7tvn8Inn8/HVx4gPTUWBDRvnsZpp7YjIyOOZ546jklT1tYoI69QKJQg6xFPbYKsYLOjkPBtvZ9DaerJsvZuyrD6eZWWBrj+lp8pLKjkkw9OJy0tbo9LV+zqmqh1pINHcXExbdsqQdb9jRJkVexTAgEDt9uDpjllITQNbAl6OBHV0VCjRoLswU6aBac/kf4hQBNOaQYnUVWGvZsqmR7HiDkJtk7yrCApycsrz59ITIwrmn+0s9ORUmKGZYkEhJUZnHUiy5JRg+ZyaViWHdXis20Zzvs6spQcFIpdoYySYjuq19mJ5JzqIrLuIWss6kc4mEmz1XESZbfXl6vNM3G5RLW/q/qelOQF2C0PSQiB27X9RkKIGvt3OlIl/bCjPikURzrKKCl2GyG2H/APZ3ZLTbta7Z5dUVu1VYVCUZODf2urOCSREkzLxjRtzLBu3Ny5OTz+xO9YtsQwrKiatpQyquUW1Z47SER0+yzLjq4R2LaMnktVn6mxTXTabw8RONqAISu03WuGZdSorvrajNeYsHoClm1h2iYStYihUGyL8pQUtSLCgqbV2bq1kvkLch1x1mq6bVWlFGrW3znQayWRAIJtp8U0TaBV61tVKXAt+nxPPcCIhzR25TjuHnsPUgr+0/08bux3I7M2z+KCry4i3ZtOwPJz01E3cnHXi1hSsJSkmKQa106hUNREGSXFdmiaIBS0+Oq7Rfh9Ieo1SGbEsa1wu3XS0mL5Y/p6Vq/IZ8iQVjRqlMyWLeX4fCEWLM6jotRP335NaNUy/YBG5slwv2fP2cysWRtJTI7ljFPbExPjYvGSfKb9tQErZNGmbSaDj25GTm4Fs+duZvjQ5ni9LmbN3oy0Jb16Ndit4wkEBZUF3Pvrf3nvjHfoUrcLfV7vS9d63bCkxci2J/Ds8c8yL2ce5315Phd3vYhETwIg+GrB18S54xjaYgixbqV7p1BUx6UmEI5savv8dV3j3ffm8tvUdWRlxFJcGmTE8JbExbuZ8tta4uLdrFqey2dfLWH8mIuYNn0DDz86hcFDmrJp3Va+Hb2Mjz84ncREL9Urn+4vItGAc+bm8Mmn80lNcrFsVTErlhdy951Hs3VrJTk55QjT4pdfV2GZkkaNUrj7vgmsXrmVc8/pxNXX/cj/3dyfXr0a7DqkW9poQuPPDX/SNqsNXep24e5f76YkUMrcLfPo1bAHk1f/xs0/3cqW8s3c2P8GAITQeH/O+/Sp34exK8ezpmQ1N/S9AVvaar3pICG3eSj2DdWvp6ylbWcoT0lRK+s3lLBpYykP3DuEVq3SAQgGTLLqxPPko8MpKw8xePi7AHhjdLp0rsOLz44AYNHifNxu/YAmhQohGD9hFeN+WUb/oS3YvLqItVtK+b9bB9CrZwO+Gb2YMl+IlUvymDtvC8OGNmf8j//hymv/x2dfLeC5J49j4NFN9shrqQhVoAuN63+6gQRvIqN6X0GhfyuGZZIWl0rH7A5kJmSyIGcRlUYlSEmfRn14dNgjNExpwPzc+ZHO78cro1D8u1BGSbEdhmHx2CPHsGlTKS+/MZMJv67itwmXoemC9m3roLs0Nm0qJS01Nrp961YZhEImuq7RoX1WdF/7e7ytLmeUl1/B8Se05dpreyMkZGTGk5jg5eJLv6V9x2xGntia/5YEovlHmZnxpKfGMnfOZho3SYnuT0pJeUWIhHhPrWtNkWi7luktuf3nO7l/+H1c0f1y7hh3B01SmyKlTb/Gfbm0xyUADHtvGCEzhK656NGgB4ZlELCCJMYk7t+Lo1D8C1HRd4rtEMCs2ZtZsryQvj3qEROrs3ZdEZYl2bKlLOr95OSWAxAImOTlVaBpGpqmHdDoOycJ1kYCgwY2Y8myAlYsK2D12mI2biwFJLn5FWwt9LFxYwnT/9qEadpsLfJz2VWj6dwpm7dfP5Uzz/2SeX/noGmC4uIA/Qa/xe13jQVq174D6FinI0c3H4iw4Yv5XzJt3Z8MbzEcG8nkNVP4Ycn/eH7aC9RLrE9KbAqFlYUU+gpw6258IR9FlUUH7DopFP8WlKekqEZYmUAIfvt9LbPmbUEzLa67ug8dO2azYuVWTj+tPUI4XsYVl/UAoH27LJISveGSDwdW9w6cNTApJaec3IZKf4gPPpwLumDIoOa0b5fFQ/cN4dU3ZvDjLyu4+7aB9OpVn8JCH3XrJTDqyl7ExrpYsCSHhYvy6NqlLunpsbRsls7KFVvD12P7Y0okMa4Ynh3xLPf/ej/lAR+PH/sozdOaIQR0rtOZH5b8jxhXDE8e9wQAw1sMp1FyQwD6NepLm8zWzv5VLSWFIoqoUNp3RzRSShK20b4LhUJ4PJ7ttjvUI8T2VlPODpdHBygrC/Lgo5OZMXMTb792Mm3bZu5RePueJNMqDjzbat+1VNp3+4WI9l3KvTH8p8clvH/6mxQr7TvFP6F6EqymCVwuLarX5nI5nolp2rjderRKq64f3NngiIbdtv22LCexF+F4JY4+HximjdulowlBKGShaYK4ODfnnNWRUVf0pGULJ8BjZwbJlhLTdmon6UJH13SklBh2VT0ll+ZCExqmbaIJDU1oWNJCSolLUz9BhaI66hehqJXIYG7bdlQXrnpiqhACt1uPth8q5bxr099z9PCcvpqmjZQSTdPwuKvCsCPBDwA9u9cHds/z0oTY7u5P1NIG1DBAutAPlUumUBxSKKOk2CHVB/PDhd0RjY2qjCvBVIXigKOi7xTbIaVTcmH6nxt47sXp+P1GjfZI2PS2c/BO2/btB5KqvtXshB1u+/6HJUyavMZpqxYlGDkvCHuEh/j6mUJxuKKMkmI7bJx1lEWL83nz7ZkEAo5RimjcVa9JBFWlvJ02cdByQZ1gjKp+VG/Xwm3jxq9iyu9rgSpPqOp9B6XbCoWiGi6lrXGEs60WCODSNHJyyundsz5jf7qIpKQYwMlHCgZNysqDlJcFadYsjZgYF0I4AQYrVhZimTbpGfHUq5t4wEVZhRDk5/vYuKmEmBg37dtlRUuzb9hUSmlpgIDfID01lspKg7yCCpo2TkUIwdaiSoyQRXa2Smg9YthW/0aNhfuWvdQZUmtKiu3QdY1vv1/Me+/MIDUziS8+PovMrHhmz97CpVd8R5eudVm1LI8u3Rvy3tunUlIS4IGHJjF3YQ6aYXLamZ254do+SGkjxP53xiNrQJs3lfHSq3+Ru6kIQ3dx7ODmXHJxNyZPWcstt/9CcloMqxbn0a9/Y9auK+akMz7l8QeGccrJ7TjplE8596yOXH9dn39F+LtCcbiijJJiO4JBk+uu6cMxw1pxz73jscJrL0KD+AQPb74ykpBhM/hYR/vuw4//ZtOmUn7/9bIa+9G0AzM7LKVE1zS++HoRf0xZzalnd2LVknweenwKJ53Ylkcen8JD9w3hpBPbcNe9v7K1sJL27bL4/IMzefTJ3/jhp2VccUl3LrmkW9SzUigUBwe1pqTYjsiYXFxciSYEMTHOvYvfb9C/byNS02LJz6+gTkY8ABs2ltC7d6OD0lcpieZH5edV0LxFBhlpcfTp05CvPj8bvz+Ey6XTsUMdAAIBI6pn17tXA1KSYvh+9BJOP61deH9qDkehOJgoo6SolcLCSjZtLiO/0Mfq1VupqAhh25Cf7wvn+QiKS/3YtqRDuzp89dVCli4rYOPGUoqL/Qesn0KAbTvVXZs3S0MKwblndOCCC7vRtWM29esnYds24yasYt7fOXz48Xxcbp1gyOLRJ36jcaMUnn9qBJdcMZqtRZUqDFyhOMio6TtFNRwvweXSeOqZKfw+bR0ur8611/3A/912NC2bZ9CpYx2EEMTHe+jbuxE+X4hLLu5KeXmQS676HoIGZ57bhVtv7I9t2wdkCk8IDVtKRl3Vk9z8cgYOegtcOqeMbMu9dw3iwf8O4ea7fuH3qeu5dlQvWjRLY/nyQmbO3cxbL59MnTrxTP1rHR9/Mp+bbuir1pQUioOIqDDVfMWRjJSSBJfgtz9n8uj9O9a+UygOB2po3zVqTMvWrWnZUmnf7Wui2nf/jeE/3S/h/TPepDiktO8U/wDLsrFtHCkcSVQvzrZlWJUbLNvGFV7PsSyJLSWE6xvVVofowPRb1tC+03Xh6PRZEkHNHCvLcs5FCEd+SIiD12+FQuGgjJKiVnRdozaFocigLQRRgxRp1w8BMTdHGqlmP4QQuF3b981VrW135IcUCsX+x6U81iObWnJnFYrDGrnNw0blzu5rarueu3uN1e2hQqFQKA4ZlFFS7JD/Z++846Mo3j/+3t0r6b1C6L333psgTUAEBRv2jmLv9asoKiKiItiwICIWEKVK7733EHp6b1d29/fH3l0uydH8SUCZt68zl7nZ2dklN8/OzPN8nvNt/Hp/fiVuEldEny7kHFfivREIrlSEURKUwz2ISpLX8p7XyGok9SutaydJpZW2LycOh4qqauV099xJCs/Wx7/Td3eyQIdDLVXudGrYHSpOr364278S7pFAcKUijJLAg+7yWjt8OIPWHT/hp592IwF33P0Lzzy3CIdDY/yEVbRs+SFN2n7EJ59uQNfhjz8Pcs99v9H/uhk0bvweYx//05UBVquYfutGaoqCAgcvv/oXA/p/wZCRMz0pKoqLnTz+1J+06vQJrVp9yLzf97NzZzJNWn/EylVJAAwZ/j3vvr/a1d75rYbbAC9fkcTg679l4ICveOX1vygudpKSUsAd9/7KoCHf0Kf/V/wwaycAt941h7vv/xVJgjm/7KV3369ITs43+q8JSyUQgPC+E3ghudQMGjaM4c1X+zD50w0kJmURGGDhf6/34cuvtrJu/XG2bx/LqVM5DB3xA/361kWWJbZtP8PiP2+j2Kby3fc7yM4pJioy4IKyt/5/0TQNRZH58uttbN50gjF3t2f/3lTue2guB3Y/yvi3V5KWWsi2dQ+UOu6Zx7sw+ZMNrFiVRMP6MTw2tqNH+87hUF0u5b6f2yQJcnNtPPnsQm69uRkRkQG88upSKlcO5e47WvH8013YtPEEicdzeW/SWoYPa8ykCf257c6feef91ezdncqbb/QhNjYIXa+YIGOB4N+AMEqCctjtKtf0qc2SpUd4+sl5HDv2PIois2XLaa7tUxtN06lUKYRe3WqQnJyHqmoM6l+XkDA/wiSJx8d18rR1qQ2SrpcIv54+k0NhoZ1lq46iFjt55OEOAOzam8qdY1qhajq6ZvRJkmD0Tc2Y/8dBXnplCYXZL2MyyWiaXirVu+9zGnWOJGbicKrs2ZeKw6kxcEA9OnWoStKxbJ58ZiGRoVbsmpFq3e5QiYjw56lxnenadQrj3x5I2zaVcTjUc55LILjaEI9ngnJYrSZWrkoiJ9fGa6/1539vrUCSoFmzOBb9lYgsS6SnF/LXiqPExQXjdGrk5TvQXfs1qqpV2L6JsZdlnMzfz0KTZpX5bPJgPp82jIfua4ckQUSYH7Nn70KRJUwmCVk2jvv5l73ERAfy1LhuvPr6cld7Erm5Nh4aN5/f5u4Dyu8BuSWIoqMC8beaePuNa/j8kyFMnNCfhg2iWbT4MHaHxpdf3sDQwQ3Jy7dhsSjk5Nj4csZWpkwZztp1J9izJxWzWamwZU6B4N+AMEoCD+49pd27k3nmpUWMuqkpL7zQjaTjWTz7/GLuGNOSSpVCaNHiA/peN4OxD3ekevUwNA2CQwz5EEnCo5JQUUiShKbrPP5YR3JyimjYaCKNW3zIK6/9BcA74/uSl2+nZcdPaNlyEnN/38/2Hcm89d4q7rm7Da++3IMVa48y4f3VSBKEhFhZv+EEEyet9VxTWXQdEhJCePrJLjRr+zGN2nxE5x7TSE7Op+81tSkotNOoyUS++X4HdWpG4nCoPPL4fOIrBfPAA23p0qUa9z08j5SUfEO7T+wpCQQASHlC++6qRtd1gk0Sy9dt5E2X9l1xsQ2TyVxK5cBuV7FYjGWmwkIHsiLhZ70yV3+LihzoOpjMMhavpbHCIgfoxnKaLEvogOK1vOhwqKhOnS3bT/Pya38xakQT7hjTCh3OqVVht7u87JDw81OQJEPaqKjISUCAGTCMmMNRcg/d5zOZZCH+WoFkZWVRv4z2Xe06dQkR2nf/KG7tu3Av7btMoX0n+LsYy1ylJ9Heg6l7oL3ScLup+/ubfZYH+Pvut/tzs1nBbrMzb/4B+l1ThzvGtHJV4KxWSXcZOQul94UkSSp1nySp9D0ExF6SQOADYZQE5fi3PjCWxEqVCLK6y33hdljw/jwwyML4N/qc9XNf57xScAvinq/P/x9EWg/BpUYYJcF/CrcK+IXV9V3PCISVMJsv75arqqnorkcERVI8/XWXS0gocslsS5akc68z/gMIgyS41AijJPhP4F6Cy8kp5sjRTBxOjQZ1owkJsfqs73RqpKTmUyk+uNxAe7ZlNbdnYUUpinsbHDeqppYq13QNWZLJy7OxZ18qVotCrZqRZ73u/w+apnPqdC6xMUHlliIFgn8K4X0nKIem6ThVDYdDw+mS0FFV44ld1XQcDhWHQ/V4jBnqDcZ7XTd+r+hNY1U13KqnTd/CiJtm8fZ7qzh2LNtzPW4pIKfTqJeaVsDtY36msNDhuh7NU9fpLLlub684SSqd4kLTNZyas9Tvqm7IDTk1Jw7VgUN1oOlayeeaikMzyt11fVHsLGbO7jlMWfcxM7bMoMBeABiGau3xdUxaPYm5e+chS0Z/jh3P4Y13VjBs+PfM+GZbqXtyoRjOGKXvk7sdh0MlM7OIocO/5/CRDFeZVuq4C1HCEAjOh5gpCcrh52cGZPCVT0mWyj3Bew/UZQfuikbTdV57uTejbmziKZNlqVwQryRJBAVZCAws7Q3kqy4YA29eno2ff9nL6JuaYTLLyJLsMQpAqfcmufxXS5ZkkEDxdWM959FdLu4qZ/KSOZF9gj2pe9iavI0PBkzkr8RlvL7sDZrHNGVnym5y7Nnc0vwWGjeK4fefbubzz7eQX2g//43ygeHsUf7fzp1bKyoqgMgIf1cyRKOsxElEPN8K/hnEX5LAgztOafmKRN4cv5LrR87kuecXM3Tk93z9zVYAfvhxF126fEqX3tNZtvwoRUUOHnl0Phs2ngTgzJk8XnhpKYmJmcDl0XRLSyvAbi+Z5RTk27nr/l/pe800nnh2IbZipysjLbz3wRq6dJnM628uB2D12uM8/ewibr/7Z7p0+4x5vx8A8GSqnTFjGyaz4Uiw+MgSnln4jGfG8+veX5m6aSoZhRk88NuDDPpqCMO+Hc7ypBUALEtcxntr3mf0rJvp8kkXPts8DaBU8Kx7KTHAHMhDHR7k7WvH80jnhzmWcwyAL7Z8zm0tbmHioIlUC6/Kh2umkGvLRdM07HaV9IyCi75f7glOdnYxt931M32vmc5zLy+mqNBh3JPVx+jS/TM69prO7v1pBAdZmDRlHQ+MnYckQVp6IcNv/IEtW0+Xux6B4GIRRkngwb38cux4DnN+3UO7tgnM++MADevGcPhQFj/M2slX32xj2rRhvPRMd555fhF5eXZ0HX79zVA/WLvuBMeOZVG5ckiF6N75wmSSsVgUz/WMe3IB1RJCefDhzpw6ns1Lry4lMMDCnn2paKrG9Okj+fnXvaxZe5zs7GI+m76JO25tybjHOvO/t1dw8mQuR5Oy2LU7GYufwvYdZ0g6lkXDqEasOr6KPSl70XWdH3bNokpoFSIDIrm/3X3c3fZOutboyht/vQFASn4KM7bN4JnuT/N8r+c5kLafrKIsZFkuo8JuDOp/HlpAkw+a8eqS13it16tkF2fj0BzUjarLS0teYkXSCmpG1eBwxmFk2bhmX1p97uXIs+E23o8+/gcN6kbx4MOdOLA3jXfeW01KSgFPPLOAJx7vwqcfDCQ+NoiiYic3jWjK/v3pfPXNNiZNWkezJnE0qB+NqgodP8H/D7F8JyiHSZFo27IyzZtWYl+rNHp0q8nipYdZs+Y4A/rWpX79GOrXj2HRosMcOpTOXXe2Yvw7q0hLK2DZ8kSuG1Qfq9WEw6FdFqPkRlFkCoucJB7LZP/+FFZvPEFxdiF9rqlNQYGD+vWiuP/etgQFWenWqTpHjmQQHOzPHbe3pGuX6uTm2pj5wy42bTrJ/EWH2LX9FMeT83l47O80bBzH+28OoG+9Pqw5vhZZAl3S6VK9K3m2XD7e8AkHUg7ib/Gn0F4IgI7ODY1voElsE5rENqFf3X6evno7W7iNVK8aPdn68GYOZBzg4blj+WDQ+wSZg3l56Sv0qNmdb4Z/zaN/jsOsnDtu7FzLqbquoyiGtNLRY1kcT8pk2ZokirMLqVu3CRs2nqBKQijXDWoAQFRkAMXFTurUDuTLqUNp0uYjenSpwW8/j+acAV0CwQUijJLgrNhsTnTdSP1gsSgEBASya0+K5/PtO5MZPLg+zZrGERRkYf7vBygocDBoUAN0Xb+se0tgzABUVcNhU5k0cRDNm8d5Pjt1Og8/q5mgIMNLbefuFIYMbUBGepFnnykltYCkE1l07FiVoUMb4nTq3HzLj/wwc6SnnYG1BzNj+wyyijLoVaMnwZYgvtz6NakFKfx1zxJWJK3g2QXPlfTJ9Z/kGrylswzikiRhMRn9qBFeA5taTGxgLOgQHxzPc92eY/6B+eTb8qkZXhNN1w2X8NKtADDrp92Ehljpd02ds94nTddRHTrTpg+lbp1Iz2d/LjhESqqxJLhu/QkOHc70BCf//scBbhvVghMncjh0KIM6dSIv2+xY8N/BJPxlrm70Mj8B7HaNwkIHTqdGQYHhnZafb+epJzrz8Lj5XHPNNGzI9O1Vh5YtKqFpOkMHN+Chx+fz1GOdsFoV1+B0Oa7IePp3J/MLDrLw3DPduOWOn4iKDgAkXn+pJy2aV2LT1pP0Hfw1+VlFNGoST6eO1Vi48BAzvt3Ghq0nSU0t5MF72hIbG4TTqXHqdB7pGYXk5tgICDShKDINYhqgqhrz9v3BzBu/RUenUWwDpqz7iD7T+6GYSmKH7KqdYmcxkus/d191r7vvdnQ4ln2Mx/94Es2pYcfG092eIi4ojqe6Pcn/lr1Jr896oaLzQs/nCLQE4lRVkEovAxrvJeb8sofVq49xaO+jBAZaSiVodEsihYX68fSTXRg64ntiYgORkHjrtT507FCF6OgAevb8mIRqsZhNCmaTzMdTN/LTL3uY+/Nofpqzh0HDvmXWdyNp2iT2X2OYdB8vwT+Dr/t5ofdYzJQEHmTXfsR1g+szoH8DAgPNdOxQhaAgC507VyU6OpDPPx3C/v2pmK1mWjaP9xx77bV1WFD3VqpXC3Olk7g8g5IkS4QE+3nOrwPX9KnNzzVuIiOzEAmJunUiCQw0s2TB7WRkFiEDTZrEYTbJFBY66dK5Og892J4AfzNNGsd6Zn0JlYP55uvhBIdYPMtt/iZ/Xuv9Kvn2fKqEVgGgbeW2/Dx6Dsl5ySSEJmBSDG+7YQ2H4dAcpWZHkiSVni253lYOqcxz3Z9F13UCLQE0jGmIruvUi6rHG33e4HTuKWKD46gRXh0d3XOO4GArdpertqpq5OfbqVoljK6dJfz8fH/dZdlw+hg0sB5160aSlV2EJEnUqxtFaKgfX0wbxv59yVSrHolJkQkNtTKgX11uGNaI4GArt9/Wgg4dqlApPkQE1wr+3wijJChHaKgfimL8abiXsownbJ3QUD/atavqqet+6pYkibq1I322V5EUFzlZtjKR+MpBtGpeiYgIfzRNp07tSOpQun+1a0VSu1bJ7zqQn28nLNSfdm0SjDK9ZL9HUWTi44NLtaGjE+4fTrh/uEdlAaBqWFWqhlUtVTfYWnKse0a0K2UXp3JOY5IUz5OkLEm0rdKG1pVbeeq7g2Q1XaNqWBWqhlUpVZ6ZWcTGrSdZuSqJFs0rAWBSZCZOXsuBQ+l88ckQFEU+6yzGnQKkXt2o0tenQ2iIlXbtqpUqr1YtrNR11K8XXaotgeDvIoySoBxOp+bJOeQ2Ou7B2a0t5zZE3gPQ5dRFcw+0XTtXY//BFL7+bhuV44KJiPD3DLjupQP33ot3Ga7ZXeNGMQQFmdF0IyGgopS+nrLXKCEZy296aWeFsoGkkiR5lukkJDQ0FBRWJq1mxZEV+Jn8jP7oOibFREJoZYKjgj2Gzh0DJbuW6NzlbiOYmlrAlzO2YZahU0fDGEqyxKsv9vR5n3zhXspzuyu4/31L/s0lQPf8Hbjf+7ovAsHfRRglQTkMg1PyvuzPsw0+l3NQcg+23bpVp1u36qU+c/ernBuA5LVw5nrTtm1l2ratbPziI8bV1zVKlNecO2s9F4pkNP5gu/t5sN395U/k45jS/S5dXr9+FLNmjChVJssSqqq7POwuLMdVqXviKfO+Hm+R29LLkALBP4EwSoL/FKqqe+R1TCb5ove2NM1wkqgoz0Gn5vTIEHljls0XNdDruu6R/fG+bmOmJwyG4N+DMEqCcrj139xuxpquG/JCioyqah4dPPfg53BoKIrk2TBXVeP3y/H07Et/zdtQSZKh/u2+RrPZSLLncGrIrqy5F2PINF3H6TIGslceKm8j4c7V5HBoHhkmt7u6yWTin7B/kiQJkVTBfwJhlATl8GjflUHTdI/mmTfeumeXU/vubDMcRZFQvDrt9g50D+KapmP+m32WyxiDkhxM5Y2E+z7puu7S2BNGRCAoizBKAg9u7bsdO89w6FA223acoX7dKPYfSqd7l+r06V2b9RtO8NnUDSj+Zp5+rDNVq4by2bTN9O1bhzq1I8nKKuK3ufvp3bsWCZVDKmwD3D3Q//jTbv6cv5fQ6GCeGdeFuLggliw9wqyfd+MsctCidQKPPNCe/QfS+fq7bYx7uCPR0YFM/2ILQUEWbhzR5IL67HYASU0t4KXXlmIrsDFseBMGDagPQFZmEePfW0Xq6Rxq1Inm2Se6MnHKWurXiWLwwPokHs1ixjfbePjBDkRG+gtHAYHAhRCpEnhwL31t23aG199cTmZWIW+8tZyjR7P4a9lR/lqWyKtvLKNHj5rUrhHBvQ/OJT/fwao1x5n14y4ANm8+za9z9xHkciGviP0MVdVAkpg//yDLliXSu3cdYiIDGffkn+QX2KlRI5ye3WrQu1dtli49wnff7yA83I+9+9KY8P5qNm8+zXff76C6y80ZDAcB7RypGCQJiotVXnx5Kc2axtG7d20+mbqJv5Ylkpdv5/6H5yFLEr161aZFszhkRSKhcigvvLKU/fvTePf9NTgcGn5+JpfWnTBIAgGImZLABxaLQuuWlRhxfRPycu3ceVsrliw7wrx5++naqRq33NISgMQjmSQmZvLAfW2ZNn0z+fl2Fi0+zMBr6xIW5ofDoWE2X/rB1u0xtnXHGRYvPMDRUzlkJecRGGakWUCX+Oqb7ajoHN2bQrcu1YmNCeLn729k+OhZ9B86g42r7qV69XBPHE9ZV3Bv3LOk06dzWbzsCIeOpiOZFA7uTUXVdLZsOU1evo23XGnVjWN0Ro1ogiJJtOr0CY8/1JHXXu39r1E/EAgqCmGUBD4J8DNTUGDHz2qiqNhh7MFYFfLyS3L1ZGUVk5tro2fPmnzx1VZWrkgiPaOA54d3c6kgVMSyXYm7ekZ6ATff2opXXiodm/PgI3N55KEODLi2LqNvm+2JTUrPLCQi1J+aVcM5cSKX6tXDAbDbVbZsO03N6uHExgb5OisgkZdnIy46kKV/jEHyMiwLFx8mJ9tW5hjJ1cdCOrSuSmZmMeBWUxBLdwKBG7F8JyhHYaGDtPQCioqcpKYVUFDoIDu7mJtHNWfj1lM89thcxtzzC2HhfjRtGgtAz+41ePKFhdSuHUFYmF8pJYRLiXdw582jm7N85VEeGTuPcU/9yazZu9B1najIACZNXssLryxh0aIjKLLE0aQsho/6gT59ajHt06GMuftn5vyyB1mWKC52ctNtP/LIY/OBknxDJec0vAybNo2lTZsE+g/5hnHPLOCFl5eQllZAy+aVDGXt4d8x7on5TJi4GtWp8fpbK1i45BA/zhxJRlYhN90ym+zsYk//BQKBmCkJvHA/7ffoUYMWzROIrxRMtWqhJCSEUqdOJE2axPLhewNYsvgAfkF+3Da6BVar4UF244gmBARb6NWtRoUZJDeyLKEDrVtVYuK7/Vm16ii6JBEVGYAkSYx/sy9/LDiAn7+Z3+aMIiEhBJNZ4bFHOjLsuoYAfPrxYKwWE5qmExJipXXzyoQEW103pvw53Zc3YXwfZny3nYIiB4F+ZsxmibCwAKZNHcysn3aRn1dMbFwISDpNGkcx+sbGRET48d6EvqxYlYSigCzrHoWEKw/x3CqoWKRcp3hEu5rRdZ0Qk8SydRt56+UXWLRoEaDiS87A1/7HlbT0pKr6OfeCzob3deXkFPPQY/PJyiri2y+He836Lry989W/2PYE/xxZWVnUb9CQ+x95hCpVq1GnXj1q16lLSEhwuRmx4O+jSODQNCJe9OPWVmP4cvhUMux2LIrlvMeKmZKgHDab0xUYC5oGslwS2+NWPABKBche7qBZd3/csjpgzNYUpXSfvTX7DCNmBMs6VQ1ZkggJ8WPqR4OxWkuyuJa/HLdX4XF0PR9V9ZIPcsn56JqOqrk18YxyVdOQJKnUfTQp8hXqeCdhPJzUBs6dRFAg+CcRRklQDvdgDngCZd0DsxH06Vtl2q1UYATZXj7DVHaUP1ufvR0xTF5pxAMCjEH47DMaFTCB9hwSqzDJIa4yyZM0RkIvrdSgSxi3RAfNWBST5ZL6JUt3ZU/oq9z7kf5Cyt2fna2uUV/TdCTZrbcnA3kgrwYSfBwvEFwahFES/KP8l9ybzz/hC0EnAkkKAbTSHhFlBEs9n0llDINepm45rwp82I/y7ep47+Pp5e3TWdsw9rMkQDbJbq8RDKPkW9lDILiUCKMk8EmpJS9ZQnHp2hmBniXLeW4j5HQa5b/8updDhzN47plulyUGx9fyYtnlO0Ux0j+4l+/cS3mSdLFGVUWSNVSHA5uq4u8nI7m0VXUN7E4dzZXewWoy5h+qU8eu4UrMJ2GRJa8yCLB6zZ4kY/lUKiNCrqk6NtWoYlbALEtIskSxTUNHRzZJWBUZNP2sbTicOk5Nx2yWMUmgI/PN3NNU6xJCp1AraBqKrIq5kaDCEenQr3J8pYIua3CMMt21rFf+yVlVSzTnCgod7N2X6mmnInE7OpQ1LGWvxW0s3ct3f2e5Uccw1ol78rl9cRpZkk6/tkG82j6KgGyVJ+ec4bdCB+FIREaZ+GJUFeTdBdy0NJUcC9jzNQZ0DWN8u2jWrcjgib3ZFBZqtG0TxPgu0URIElKRzhu/pjDLz8mGwZUJMpnYty2b+xanURAoU6zAvT0iebheGKd35XHLunQKbBr5gRJTro2lW7w/FOtMmZfCRKed9TdUJkZW+Pz3NF47mE21ADOSIvH66Hi6Bvlz5FQxAXoQJtlsTJDKi5f/ZxHp0P9ZvO+n7qPsXIiZkqAcJpPMipVJbN95BlSNLl1r0LJFJdLTC0lKyiI1vYBTJ7Lpc01dqlcLQ1EkVq1JYtfuFFavTCIsMqDC+6xjzIzWbzzBhnXHCAoLYNQNTfAPMLNzVzIr1xzDaXPSsFEs1/SuzanTeazfeJwBfevi529m7brjAHTsUPXcJ3IhARSoPLEwlQdvr8vIiEBufvcQH1Xx4yl/f0IqW1hybQLVsAJOQOdQkUbHziG80SoWjyOBptK5Rzjre8SCzU6PacdYVLeIUZVC2H80h5pVLXRI1ticWUy3mGAKCzWatQniwx6unE9OO6AzaUkaQ0dH8VBMNBO/PcIvR/PpFh/EsRN5RMSY6ZOhsSGtmEHxQaTaNUb1jeStJrGsW5bGQ9+f5vc7qhPjp+CXpzH9UBph0VYGVQMrYjdJULGIBWOBT3JyiskvdFCQb+OV1/7i6NEsjh7NokefL5j/x0EWLTrEXff9CsCixYd55rlF7N+fxpkzeV6PQxXz7Klpxj7Ixo2nmDlzF/l5NvbsTeX1N5dTVOwkL89Gbm4xhQV2PvpkA4sWH6Kw0MHrb63go082cvp0Ho889genTuUavdb1c87y3J+lHSomubaVkeH+fDnvDMfNOntOF6PJkJPs4IHZp7nv52O8tCYNFbCaJbZuy+fOX08w5ufjzErMBUnGUaQy5dcTjJl9irbtghgYFQBOnYMFKrZYM09XDmLuySLcLhzrtuYzes5xXl2TTLbJ6NA9Q2JIW5PPmHlHKarjx/3NwkHVOZrvJC1a4aUqwSw4VQQ6mCRQVdB0lQ6tguhgUlhZUEyQSeaT9dkcSHPw5txUPj2WD8j4SPckEFwyhFESlEOWoVGjGPbuSeHg8Rw2bDpBamo+iiLTqWNVpnw4kKmfDSMnp4j8PDuff7WFu+5ow4cTB/LAgx2w2Zyuliru+VqSJJYsO8LCP/dx6GQuu7ed5tf5+3A6VJo3q8SJU7nsTczk4J5ktu9Ipk7tCBbNu40Vq5MYOPQbPnyvPzcMb+yVeuL858xSNUIkiU/mprAsRGdCq3CcxRoOTcfiJ9Giqh9dawbQKsaKhJF7KTzMRMfq/vSoHkDtYBPulOJ1qvrRtV4g9qN2lhfaoNDB5qQCYuMt1KkVyLHEYnJxUrdRIOP7xdC3eiApu4sYtzodkDl12s5RSadrqJl9SUVk6RrYHaw7mE90JSuVawdw+mgxqqriXsnUdcMTMCRQwQzYNZ1mTYOYMLAqD8UFkJhhSCWJQUJQkYjlO0EJrilAXp6de+77jXGPdaJ2rQgO7U9HVmQcTo2aNSIAOHkih8jwAJxOI+lfpUrBABw6lIHJXHF5gtz7XwCpKfkMGtyIRx/tiASER/jjZzVzy+0/0bp1ZYYMrs/Tzyz05DkKD/MjKjyAHdvPEBcf7GlP13WysosIDfHzmZ/Jba9qRVrYuyif1tfFMKNhDPN+PUFkNRMKEBJm4rp2YTT0LN+BqkPNan7c2Twcj0ucpmHyM3FNyyjAxPjth9h6vIB2YYH8tCePhVl23nLo5Go6m4vs9Azzp1eYP6DQzgaj92WS11Fl6poMBj1UmRsDItC+P8KkNRnUaBbB7AP5yJl2PtYhpVhle6GDQFkmyF9Gkc0U5hdzPNfB0CATGUDnOAt21Y7dBJGXKS+W4OpGGCWBB/eKVX6+nfTMQo4dzSQ5OZ/tO5LRNA27XeP06TyX7ZI4fjKHoGAL9epE8clnG8nLs/H5F1vo1LmaV4uXdrZkeM5pyIpMr561+Ojj9WzccAKTRaFKQijNmsaRkVHIsWNZ7N6Tyso1x2nTNoH09ELGPj6fdm2qcOOIptxw0w98OmUwbVpXJiOjiM69p9O3Ry0+eH9A+Xgl13ulmpWxCYFkFev8tD6NyWcKeaZPPEohZBaonM5zUi9QweHU8LMoqA6dlAInmaqTUF0CyfBq3L4/l302Fa0YDkQp3JcQxNxlOXQYHMXnLaPQdI21y7KYsC6LJm0U1h8uJFfXWbgnh0HtwgiWZaqGW1iyKRfCnGywO2lfJZjFm3Kp2zucHzrEoOka29bl8uHKTOqrMn/tyaeRw8SfKzKw1POjjWLl92wHVpuGRZHIL1DJtKuX9N9OIPCFMEoCD+44l0qVQnjr9T78OGsbtevH8f7b/UioHIrToXHjyCZIEsTFBfLAvW2RJHj6iS689e5Klq44wocT++PyvkaWK+ZJ2+3iPWhgPYptDn7+ZQ/IEt271aR5s3hef7UXn362keWrjvLqiz1p1aoSmVlF1KwVwb13tcbqZ2LP/qYcPJRBm9aViYz0p36dKJKSsl33pfw53eZ23NA4XllYzG9OJ49dF821gX6oTgd9GgRTy6IYAbOyoRobWcnKIIdMgCyjuMOBkNiXVMTyPAdFCjzQM5J2YX6kVyrkoXqBgJGSvn6NALpmSmTmO9h4uIBj6LRqH8rYJmGg67w8MJYXN2Sx6EwO9VoG83DDMFbm5/BoXT9PG3Wr+9FadVI7xsqJXXks2J9HrY4hPNsiAnSNbu1CiQqygK7RsWkwOVFFuCKBBYIKQ8oR2ndXNd7ad+Nd2nc2mw2r1Xq5u3bR/N24KO/jcnNsvPj6UrZuPcPnU6+jbp0oH8oOTgxFh7vRpXVIUjiG/7SKpmrIiksRQS8TUOs20loZzwHZRMnI70RTdWRFMdossfCURMG6l0c1VKeKImMYPs8zpmZ4MpRrQ3Idq52lDa/6shnIA/4EKvNf8cE7m/ZdsNC++0dxa99FvujHLa3G8NXwqaQL7TvB30WSJJxOzZCdcakNuGN63DFJuq7jdGqYzQq6ruNwGAOtLBtRmiYf8UyXGlku6bf7d5NJRlV1V3ZaQ0LHCKoFh1PDbFKQZQm7Q0WWJQICzYy5tSWPPWT15Fc6u9ODH2gBODQTOhqybMYkYdgEl2ZgKf0G1WUOyrSnOkB1LZ4qshlFAtVpnNfjlKCCUzeOVTXdo+Bglks+d3gChCVMMmhOQCo5n7sNGVC99AHdbahOkGTX504ZJIfPuDSB4FIijJLAJ742+N2DPbgGM5dDQ+nJgG+duYrCV78VRUJRyjtfWLwcMrzfN28aB5xr5uX62siTkNDx5dfhayx3z1N81S1bXvZ4iRJZVNlHIxJgKVN+rjbO1o/y7901//2zJMG/A2GUBBfM2QyOLEsej7b/Am6V8fMZVx0ZVVO9fgdFUriMNlkg+Ncj5uaCs2IEkZboxh08mME33+1waeC5lsSAHTuSufWuOdz3yFz270/zHHt5+lzSb19lpcvL1jHeG3FK57csEmCSFc/LLAuDJBD8fxFGSXBW3IOze8Zw9GgWv/62zyNc6t5viI8P5sbhTdiw9iR7914e3TvAswdW1qh4lxmpzEv2U4y+uo+7sPO4jz+QfoD+Xw6kx2e9uebzfnSb2pNZO3806gglNYHgbyGW7wTlcA/W23cmY7c5CQ31o16dKKxWE/GxQZw4mUN6aj5168UQGGgmJiaQ/v3q8tOPezz7TJcDWZY4fSaPY0mZ+AVYaNEsHoCU1HySjmWjOTXiKwVTvVo4efl2UlLzqV0jAkmSSE3Nx27XSEgIOe953PenRngNpl3/GU7ViSLL3PXL3Th153mOFggE50IYJUE5TCaZOT/v5fMZW5A0jZq1opj0Xn/8/E1s2Xqa199azraNSTRsWoXPpw7xzKQKCh2XZdnOPUM6diyHjz5ZT0ZKDnbJRPdO1bj9thasX3+CX+fvR3KoZOTZefWFHkiSxLCbZvL6Cz0ZNqQRg4d9zy2jmvHgA+0uOMW7RbFQOaQSACuTVhIZGMl1DQZf6ssVCP7TiOU7gU9WrU7CapL5/psbmTxxALIsoaoaRTYHb79xDfP/uJvtO89QWOhAlt1LY8axFW2X3EZk9pw9rPjrCLUaxmOV4M0JKyksdHDd4AY0axpH1TpRnDyayYKFh2jWNI7Z34zkh592c8udc3jovnalDNL5RFnd51V1FVVz8tXWr+hXuy9BliA0XXNlbxUIBBeLMEqCcjidGs8/243RNzXj8WcWMGzETJwODU3V6dyxGuHh/qQk5xETFeAxRJIEZpOM1Wq6qP2Z/y+6jmdvKyU1j4aNYqlRLYxevWsxe+ZIgoOtPPXMInbvTqVmtTCiYwLx9zcco1u2rERYiB9//LGfgQPredozruf8oqw6Ooqk8Nu+eWQVZTOs0TDXwZfkUgWCqwJhlATl0HUjI+s1fepw95iWHD6Swe49KciKTHJKvmc2kZlZhCRJ5OXZOHI0k9PJeRw+ksHp07mozoqZLklSSTbcenWisTk0+vepzaBBDWjUIAZJgnUbjtGxXRUG9K3LsZP52O0qxcVOXnn9L2pUD2fSuwO57Y6fSU7JR5YlMjKL6Hntl7w3cbXrfvi4R+jIkkxGYQaT1k1iaKMhBFoCcWpOZPG1Egj+NuLbI/CiJD5n/IRV9Bn4Nc889Se33dKCZs3jCQgw06pFJSRJIjjYQvt2VQgKsrB69XFuu/NnNDPMnLmDN8avoKDQDpQOuL1USJKMpuvcfVcrmjSJpV//r+hz7Ze8P2ktkiTxxKOdmf7FZu568Dd6d69J08axHDyUwe59qTz0QHvuuqsVEVF+zJq9C4DICH9Misyffx5ytX/2cx/JTKRZXDNGNL7BY6gEAsHfR2jfXeX40r6z2+1YLOfXqPovkp9v58sZW/nhx93875WedO9e04f2neDfitC+qxj+X9p34t/h6kb3ennjdGqllA3cStyaprveGykjTCa5VCAtuLTXLlMuHlUtrX2nKCX9c3vUGY4Zho6fosiGDp5DRZZlzCaZiHB/Xn6hO92713Rdz9nP53Z2MMnCkfXfhH6Wl+Cfwdf9vNB7LL5JAp/4TG4nGWKmxvuSOob80JUhM6QoMmVl7s7WP7fILOCJr1IUE6NvagZcmOq4JEmYJPE1Egj+KcS3SSAog1PVDPFUoZAtEFQ4wigJBGW4HGk3BAKBgfj2Cf4zlN2odv8uNrAFgn8PwigJyqHrOpprJHeP505niSODzaZ6kvp543BqOBxqufKKwohZ0iksdFBsc5YK7AWw2VVsNieapvuUQ/J21rgYioocFBY6PL/rOhTbnEY/iku08Nz30H1qox9/65QCwX8WYZQEHnSX19rhw5m07vgJP8zahQTcesccnn9xMXa7yhtvraB9+49o0eFjPvxoHbquM3/+Acbc+QuDhn1Ls2Yf8NDY+Tgcqieo9ZL3WwdN18nLs/Pya38xbOjX3DB6FouXHAagsNDB2HF/0L7bVNq3n8Lvfxxg1+4UGrWczLLliQAMGvItEz9Y62rv/JbCnepi6V+JDL/pB64f9g0vvrKEwkIHqakF3PvgXK4f+T3XDpnBt99tB2DMvb8w5u6fkSSYNXs3vft9RUpKvicViEAgEHtKAi8kl6dZo0axvPfWtbw/eS2Hj2QQGR7A+DevYeq0zWzecopt28aSkpLP4Ou/Y2D/+igmmb37Ulmy8Hbsdo1vv9tObq6NyMiACxY3/f+gaRqKIvPVjG1s3nCCm8e0Yf+eVB54eB4H9zzGW2+vJCe7mG3rHih13MvP9WDK1I0sW3GUls0r8fi4Tq6YJMnjIq6UzV3uvlcS5ObYeOrZhdx6SzPCIwJ45dW/qFIljHvubM2zT3Zhw/rjHD2RwwcfrWPkiKZ89P4Abr/zZ/739goOH8jgvbf7ERcXhKZpyLJ4PhQIQBglgQ9sNic9utfgz4WHePH5Pzh27HlAYvu2M/TrXQtN04mJCaRn1xqkpOShqhoDrq1LYKCZ4GCZsY908LR1qQ2SruMZ0E+fycXhVFm/8SSazclTT3ZBkmDvvlTuvKM1qqq76hv9GjG8Mb/N3cfrby6jMOtlJElyKY5L50zB4Ta0RxIz0dA5kpiF41AGI25oTLcu1Uk8msUTzyygckwgxU4dq9WEw6ESGurHuLGd6Np1CuPfHkiLFvE4HOplTfchEFxpiMczQTmsVhNLlyWSm1vMW28N5NXXlyFJ0KJFPAuWHEGWJZKT81m64ijx8cE4HBp5eTY0zTASRuBtxfRVkkqW24KDrNRrEMtH7w/g4ynXcfcdrUGCqMhAfvhhJ4oiYTJJnuDZWbN3ERsdxHNP9uCFl5d6jE1Ojo17H57LnJ/3AOUdJdyGNiY2CH+riZef68EnkwYx/o1rqFc3iiVLj+BwaEydOoz+19QlN8+GxaKQmVnE9C+38NlnI1iz5gTbdyRjMikVtswpEPwbEEZJ4MG9p7RrdzIvvb6Um0c355lnupKcmsczzy9mzO0tqV49nObNP2Dg9d/yxLjOVKsWDkBomJ9HHdxkkitUlkeSJDRdZ9yjHSkqdtCw0UQaNf+QV177C4AJb/fF7lBp0eFjWrSYxNzf97N9RzITJ6/j3nva8PKL3dm45STvvr8GSYLQUCvbtp9h8pT1rvbLn1PXoXKlYJ5/pjutO39Ko9aT6dR9GsnJ+Vzbrw52u0qjxhOZNWc3DetF43CojHvqT6pXD+Puu1vTs1cNHhk3n9TUfEO7T+wpCQQASNlC++6qxlv77m2X9p3NZsNqtZaqp6qaJ5jU2G+RrtjgUrcHYNk9IXe5W1qo7NKiqurY7SrrN57gjTdXcNvNzbj1lhbonDsbhUdmSZIwKSUGuezSnKrpKF4KEcYM7/wpMgT/HG7tu/uE9t0lxa19F+WlfZd2odp3FdA/wb8MX/tA3gbIPdBeqUKlZfdo3P083z6RokhomsbSZYkMHlSPW29p4fqQs1olY4/Kt4xR2fMpZSSLLvV+m0Dwb0QYJcHf5t8ypl5IP90GIjDQwhuv9AJKtO/Odfy/5R4IBP8WhFESCMpgLPNJmM1X5vKkQPBfRhglgaAMwkVbILh8CKMkKId7496jHYcrN5EslcqdpCgysizhdGqufRXJpU5gBINejqUtTz4lScKkSJ7YI1U1srm4cz3puo5T1T11nE6tVGqOC0XXdZxOo21v5w93++gl5zTOgSfHkzs3lVgCFAhKEEZJUA4/PxNnixbwtanvnXvJPeheLs6eT6m8k4HZlU9J133nj7oQjEDb8lbFu3037nOUOEcIayQQlEUsmgs8uIM4/1qWyKuvL+O667/jyacXMOj6b/niqy0AfPv9Djp2/JgOPaaxeMkRioocPPDQPNauPw7AqVO5PPPcYo4kZrravPR+tm7tO4D3P1hDnz7TGHbTD+zcmQzA7J920++6GfS55nMeGTefoiIHW7efoe/gGezdm4okwSOPzWfS5HWu9i5M+w5gz95UBgz5hj59pjPlkw2ee7hnTyoDhn5Lx44fc8e9v2C3qdw/9nfefHsFkgSr1hxjxE2zSEnJB4T2nUDgxiR8869udN0rTbHrb+HkyVzm/bGfUTc25euvtzHkuoYcPZrNd9/v4LuZO/jmmxs5eSqHJ59dxO8/34zFYmLu3P10bF+VtetOcOZMLlUSQi8oc+s/QYn23Xa2bD7FQ4905uCBDO57eB5/zruVAf3rERxqpbjIybTpm5j+xRbuvrM1bVtWZsLENfTuWYuszGJufKaJq8UL074rKHDwxFMLGTmiEeHh/rzx5goqxQfTsWM1Hhr7O/ff14Y2rSqjKDJmi8x9d7Xm/ofn0bBBDL/9tp/rhzYiMjKgVAyYoIJw/dHrZV6CfwYN36lkLuQei+U7QTkURaJty8o0ahBLy5aV6dKpGouXHmH9uhMM6FeXWrUiqFUrgu6dq3PwUDp3jmnJm+NXkpKSz/IVR7luUH0sFsWz13SpcWvfHU3KZPfuM2QV2ijOtdGyZTx+VhPLlx/lpTf+IjzCn2OH0tD61MHPz8Trr/RixKhZ3HbnT2QlP09wiNVjSM8d02QYpaRjWRw7mcXsn/fg0HRCQi1UqxbOtm1niIoOYMTwJp5jNE2nWZM43nipF716TeXNt/ozckRjnE5hkAQCb4RREvhE08BuV9E0neJiFYtFISguiO2uJTGALdtOM3hQfZo0iSU4xMK8eQcoLHQwcGB9VzDqpR9sdc8UT6K4yMnAwY3532u9StV59X9/8eG7A2jfLoGhN3yP3aXssGnTKcLD/BkxrAkzZ+3inrtbI0lGqosvZmylXesE2rSuXC5IWJKM85nNCiGBVub/ekup861YmcSB/enk5BQTGuoH4DHOi5Yc5rFxPdi1K5WsrCLCw/0rbEYpEPwbEI9ognI4HBrFxU5UVaO42IHDqVJQ4OCeu1qTm2+nZ8+pdO41nX5969KyZSU0TWfYkIa89f5KOnZIwGJRKkztwRBkNfaBxj7SgW3bT9Ox06d06TmN8RNWous6XTpV47Y7fmLIiO/ZvSuVkGAru/ekcteDv3LzqGZMer8/701aw0cfb0CSJKxWE5M/Xs/zLy72nKPMWdF1qFsnktGjmlG70Qd06TOdgUO+5cSJHNq0rszQ6xrSvc/n9OwznXsenIvdrnLPg3NJyyhkwtt9ia8UxNARM0lLKyglKisQXO1IWQ7xbbia0XWdELOhffeOS/suK7sATZUICDBTUOAgMNBMUZGTiAh/8vJtHD6UgdlqonHDmFJtHT2WRZXKoZfVzTk7u5ijSZmARGRkAFWrhGKzOTl8OANZkYmJDnR5F0JaeiHVq4UBkJySj6pqxEQHkplZxF33/Ua71pV54fnu59W+27s/DZvNidkkU6d2JFarqaS8yEFAoIU6tSNJOpZFfFww/v5m7HaVY8ezqVY1DItFxEVVFB7tu4cN7bvaQvvukiBL4NQ0ol8q0b5LtQntO8HfJCTYgqKYAfD3L/mp6zrBQVZatKjkqes9I6rhUgy/XGi6TliYHy2aVypVbrWaaNQotlz9wECLy8FDJy42CIC8XBvPvrSYalVDeeH57kbF81ilhvWjS/3uvidly2vWiPB8brEo1KkdeTGXJxBcFQijJCiHququRHglA6w7I6vu5aYnSaV14Soiy+y5kMv0z63A7asMvPrrOQ6CQ6x8MXVoqXbPd0neS2/e96RsuftX7z4JUVaBoDTCKAl84h4rff88m5v05R9gffXvbH327q93151OI9boQgNqdS8j7SnT9ZJy97kl3Sj3GCepXF0AWZJ9tmEYtvJl7j6UM45IpcrPVt+7XCC43AijJPhH0TS9wjzvLhUXq+7gNiJgDPbuQV4qaxzPMvj7qnu28rJlqq6iSIrPtr374l2G7p7Rla7v1JwosuKzLwJBRSGMksAnTqfmURmQZS+9OJfOm64b8Uxu42O3G27Wn3+xhV17Uvh48iBUVb9oLbl/st8mk6HNp6olen3uvEqapuN0apjNMpIk4XBonqy5F8uWU1vJt+fTLL4ZYX6hODUHRzOTSC9IR9U1Ai2BtKjUnHx7PkcyEimwF+DUnFQJq0KN8Ook5ydzPOsETs2Jpqs0jW9KiDWEIxlHSC1IQ9VU/M1+NItvRmp+Gieyj+PQnFQJS6BaWDV0dDIKM0jKTMKuOlB1lYYxDYgMiCSrKIsdZ3Zilk1UDa9GldAEkEDTNTaf3EKxs5hQ/1CaxTXlnl/v5YH299M0tikAZsUsDJSgwhFGSVAOX1pw7v0XXzpvmqZ7PMjCI/wpLnZUSD999cOXUTGMZ4mHm1t7zt1nTdMvOk2FexYycc0HzNoxi+iAWGpH1+S1Pq+SXZTNbXNuJ0AJws9kpVpEVaYM/oj5B+bz+l//o25EXfLt+dzYfCQ1Wo3hjWVvsOboemqG16BQLeK9/u9QKaQSd/1yF7omEWwJplJYPO8NeJdxfzzG3uT91IqsRUpBMhMHTqRdQlveXf0uf+5fRO3wWuQ7C3il90vUl2XeWj6e/akHMSkKuY5cZo2ciY7Oq8teIyn9GOjQrFJTmsY1odhpw6JYLshDSiC4VAijJCiH2azw9YxtLFmeCA4nAwc3ZOQNTUg8msVffyWSllnAgT3J3D6mDd271UCWJaZ8uoF1649zcF8abdpXcbV0Pmfqfw5dNwJQv/9hJ3/O30todDDPPdGVSpWCWbT4MN/P3oVa5KBF68qMG9uJffvTmP7VFp56rDOxsUF8MnUjIcFWRo9qdn6HDdfyV2JWIt/u+I4196zCz+RH4w+a0rFaR9pXaUfH6h15t++EUoc5dScPd3yIe9vcU6o8zD+Mr0Z8TrO4Zp6y49nHaZHQgvf7vV+qrr/Fn0nXTaRHjR58u+NbHp3/GL/fOpdQayiTh0yia9Uunrr70/ez+sRq1t6zBoB2n7bHoTn4cddsTuWcZN5tv5Vq22qysCt5Nx+snET92Prc3/4+gi3Bl92BRXB18e9d+BdcMjRNo2WLSgzsX4/+/evz6Wcb2bUrheysYh58ZB7+VjP16scw7qkFAEydtpl5v+/nukENaNos3rXEBxVlkFRVA0li7rwDrFxxlAED6lM5LoRHH/+DvHw7detG0b9fHfoPqMeKlUl88+12oiIDOHYsm3feW836DSf5ac5e6tWL8vTbkwLDBxrGUuCmk5tok9CaPFs+Q78fRmhAKAczDqFIMptPbKHdlA50/qQbj8wfC0CAyZ+P1k6h+2e96PhJZ2bunAlAkaOI0TNvpftnvejzxTUkZScR7h/G7uS9tP6oHZ0/6cYDcx90Le/pnM49jV2107V6VyIDI0grSMPP5Mc9P91Hj8960WN6L7af2U69yHq82P0Fuk/rwbVf9eejQZOJC4pjZdJKhjcejqqpFDqKsDltAOTbC5izZw4DGwzk572/8ttew2h5O2EIBJcaMVMSlMNkkjmTksekD9cQGhnAnr2p2GxOdB2uH9qIRx/pwJnkPOYvOER2VjFL/zrC3Xe24fqhDUGXWLD4UIX219j8hx27zrB0yUEST+WQk5pPaFQgiixhK1aZOn0zugTH9qfSrUsNoqMD+fHbkVx/0w8MHDqDbesfpErVEhHZC3HUUGSFlLxk7p97P8MaDcOpOTiYfhC76qBmRA3uan038UGxnqVDm2qjb91reKD9A6BDhL8R12WWzTzc6UGuqXMNuq5RObgy6YXpJIRW5tmuz1A9rBpWs9XLocIw9rIk42/yxySbUHWVu9vdybCGw9B1jUohlUgrSOOj9VO4u81d5NnzeWfVBCb2fx+7akdzefF5PzaYZRMPtn+A7tW7sSJpJZnFWf/gv5JAcGEIoyQoweUinJpawDPPL2bBvNuIiQmgU/dprtQQEkFBxn5DZkYR/v5mFJOMU9U8ezmr1hyr0DTi3sG7GemFjL6lNa+81KNUnYcfncdT4zrTt09tRt062+MKnZKST0SoP/VrR3PocAZVqoYChtPG+o0nqF0zgkqVQsqd07353zimMeuPbWT2zbPoXLUzo2ffQr86fVFkE0HWQOpG1SEqILLUkdFB0dQMr1GqPZNiompYVWqEV/eUabpGoCWAOpG1SQhN8JSZZIXKoZWxKBaWH11BTnEulYMr49Ac1I6oXaqNxSeX4FSdjG4+GoDPNk1jx5kdNI5pzMqjK7m52WhMcskQYFEshFlDUTUV0LGarBf87yAQ/FMIoyTw4F6kURSZ4GALY8f+SkR0CDt3pABQXOwkNa0AMJwDTp7Kxd/fRO+etXhj/HJWrkli6dIjtGmb4NXipV3CkyRDPBZ0bru1JY89MZ9778vGZDHRoX0VRt/UjLi4IMa/s4Ily46wZEkibdskkJiYxS13/MSjD3fk8cc6MWjYt7z1eh9G3NAYm03l1rvm0KZ5JWb/cJMPQVYj/qdOVB3u63Av32z5lq83fUN+cR796vQlx5ZDekE6BfYCIgMisDvtWE1WChwFZBRmoKEZhs21N5VdlE12cTY6OqqqYlKMmU96QTr59nxPTJGOTmZBFq8tfp258fNYcXw5L/V4CX+zP+kF6UQFRKOjo+kaiqTQIKaBMYOacy8AdSLr0LFqR5rENWHEDyO55cfbiPSPpFZkTR7q+CAZhRkUOApQZIXMokzybHmX9N9OIPCF0L67yvGlfQcqBw9ms3LlEeITwoiOCKBuvSg0VefYsWxatIgnL8/G9p3JdOpQFXSY+8d+snOK6dy+Kja7SqOGMRUmygol5m/X7hTWrj2GLkGDejF061qdM2fyWLj4EH7+ZmpVjyA+PhiTSWbztlMMvLYeACtWJWExK7Rtm4AiS1x/4w9ER/jz6cfXndO02pw2Zu38EZvTRv/611I5pDL59jyOZCZSN6oe/iY/NF1DlmRO5p6kwF5Avah6pdrYm7qXcP9w4oPjPU4Fxc5iDqQfoHZEbQItgZ59ne2nd7DzzC6cmoM2VdvQNNZIj3Eg/QCB5kASQhM8noFG2/tYm7QWRVboV68v8cHxACRmJrI8cQWqplI5pDLX1u/HttPbqBFRg3C/cHYm7yTYGkKN8Oql2vu3I7TvKob/j/adMEpXOb6Mks1mw2r99y3d/N0UEN7H5eQU8+Cjv5OXa+ebL68nJMR6Uca1oj3VnJqz1BLc+frinnF5B/xeTQijVDEIQVbBP4okSWiajqbpnsHYnUjP7Xqt6yUZX3UdVFcacNl1wOXIDyTLJf12/+5d5pYbMi5F8vTfCLDVkCSJ0FA/Pp86FKuXcve5vcN11x6M4XggS7Jnua3swH82g6Dpmk9FBk3Xyik4aLqGprsDgSWPQfLVhiRJpeq7+ychlWtHkZRS5/M+RiCoSIRREvjEPaB7U1pbDS8PNd2zISXJl1cDz1e/fZUBpTzsvN+7DdKFzJAkpHIzlbPJCZ1tGexsA7+vcrdhuZg2LrQd79+FMRJcLkxixnp1o3u9zkdZVXDvcpPpv7Hn4M0/bVvFQH/loJ/lJfhn8L6fuo+ycyG+JQKf6LqhI+d0ajhcqtmbNp3ilVf/QlU17HYVhyut+Lp1J+ja53PadZvKunXHAc4aeHqpUVXd02/3zM6tc+d0ah4NPEPHr6TOuYJlz0eho4ic4pxSZQ7VQZ4tj9ziXHKKcwH4YO0HLDi0AKfmxKE6RLZZgcAHYvlOUA73slVZHbmcnGIOHMxAUWS8pORo1aoSc2beyK23zSE5+fK5EZcIwJ57+c7t2OCe3Wnaxauau5fift37G68seRWTZGZ402E80eVxUgtSuHX27WTkZaHIMrWja/HDjTM5mnmU6KCYszomCAQCYZQEPlAUiaIiJ19/u42CfBtVq4UzfGgjTGaF8DA/Fi05zIF9yfTv35BatSKwWBSiowKJCA+4bCkrdFe/16w9xprVRwkOD+TWUc0IDLSwbfsZ/lpxFNXupFHjWAZcW4+Tp3JZuSaJIQMbEBBgZsWqJCSga5fqF3Q+CYmU/BReX/4GP46aSd2oerSZ0o7mlZrTMKYBDeMa8uEdk0odE2AJQNWcfL7pSwItAQxsMIAgS5DQlhMIvBDLd4JyKIrM519sZu36E2RnFZGamg+6TkCAmSXLjrB8xVHWrT/OfQ/NxWZTSy2BXQ40TQddZ936E8yavRt0ncSjWbz6+jKKihzYip2omoak60ydvpk/FxzEZnPy3gdrmfzxek6cyOWJpxaQnl4IUCoRn8/zuTzT1p5YS5O4xtSNqsfYPx6l0FnIjuSdKJLCwdSDjPx+FGNm38nbq94BQJYUvtj8JSn5yXywZhJTN04t1Z5AIBAzJcFZSE0r4PDBNMY90pHmzeIAsBU7qVY1jDdf60NWdjF9B36FzebEYrGgqsb+jKbpqKpeYUGzbiRJYtmKoyz8Yx9tutTgTFI2KVlFvPh8dxo1imX6jK3kF9o5sDuZ3XtSubZfXRbNvZUx9/7CdzN3MO3jIbRrl3BRsU7FjmJUzcm9v91HpZDK3N/+Xk7lnsKpOQnzC6NnzZ5E+IcTGRgBGPtMvWr15LkezxIRGMGO5B3uzl+q2yIQ/OsQMyVBORwOldde6cXCP27nl3n7aNx8Mjk5xSgmmbq1I0GCU6dyCA/1A1xxLopMUKCVyMgAFMW3C/alwJ0bCSA1JZ8hw5rwwTvX8uOsm9i+4QGCg6zcc/+vtGgaz8Tx/WjROsGzVxYUZCEyLIC8XBsREf6eNlVVJyU135O4sCxut+56UfVYemg5Xap34eUeL3IkM5EqoVWRJIn4kDhuaTma4U2up0dNQ4tPlmWaxTfDoTqwOW2EWIMu5a0RCP6VCKMkKIckwYqVSfyx6BD1a4UTGenPiZM5OBwap07noRurZZw8nYvZLHPkSCbffL+ddZtP8P3MHSxYfIjiIifAJY+SlyRj2VAHrrmmDlu3n2HRgoP8tTyRbdtPo6OTm2tj374U1qw7zvKVx1A1jdS0Am65cw6tWlVi+qdDueGmWaxbfwJZlsjOLqZrn88Z9+QfPq/Bvf/TKLYR19a7hoz8DD7bOI2tJ7fSr04/nJqT5PwUkvNSUDWVImcRANlF2aQVpGFWzOTZ8kgvzLy0N0cg+Bcilu8EXhijr4TErt0pbNt5BhxOHn2kI40bxZKYmMXNo5shSRAXF8QjD7bH399MSkoBK1cfY+CgehRkF7FjZzJdOlTzavPSzpoMVQmd/v3qYLM7+X3uXpBlunSuTpvWCfzvtd5M+2IzW7adZvwbfWjeLI7cHBtNmsRyz52tsVgV7rqzJcdPZNOhfRUiI/1pVC+G06cMT0Jfq2s6OlbFytv93uHNv94k317AhGsnUDO8BumFadzYZCQRAREosoIFQ1rlugbXUSnE0J7rUbM7LYqbe+63QCAwkDKF9t1Vjbf23QSX9p3dbsdisZSrd6V7iP0T2ne5OTaee3kxO3el8OW0odSqGXFFa98JLg639t29QvvukuLWvot5yY+bW43h6+FTSRHad4L/D06nVkpDzmSSPRpyJpPsCj7VMZtlT3CqG0mSKjSnkhtZlnz2W1V1l7YdgISiGMoUTqeGyaQgyxIOh4osSwQGmXng3raEhPiRUDnEdT1nP6eu6zg0BwCKpKDIikcPT5GVUrMgVVORJAlZklF1FXQjUaBAIChBGCWBT8oGzkLpIFTD8JSIr1osV8bg6qvfiiJ5sr96YzYrPt83bBADXNjMS5Kkck9/vvTwoLQBUiSlorLFCwT/KoRREgjK4I67uhxK5wLB1Y4wSgKfeO+NuAdpSZJcnnclv0uSt3ea7tp/8S3cWhG4A18lqbRaue9+l71GqdxxF4J7udD7ur0DcL3P5/7dXUfsPwkEpRFGSVAOY8+l/MDpfl92IC359fIZIyhZbivbh5Lysv3+Z4yDL109X4b5fPdRIBAIoyTwQW6ujdNnsqhXNwqTSSYtvYDs7GLq1I6koNDBju2nMVlMtGgWh9mskJtrQ9N0ko5nYy+2U7tONBHh/hWaDh0M43DiZA5HDmfgH2ihXZsET3lWdhH7DqSDqlG7ThT+fiZOnMqlQb0oJEni9Olc7A6N6tXCLuqcmq6zdt1xnHaV+g1iiIsNwm5X2bU7hbw8G2aLQtvWlTGbFfbuTyM+LojwMH8cTo1Dh9KpVTMSq/XK2I8TCK4EhFESeHAvL6WnF3LzmJ8YeX1jnhzXmZtu+YnuXatxz51teO6lJZw4mk6eXaNV03jem3AtS5Ye4YMP1xFfOYjjR9KpXC2Srz8fhr+/mYqYPbmzyiYmZvPx1A3kZeZRhMK2rae57962HDuWzeNP/Ul+sQNsDsY90Z0qCSEMvv47Xn62O9cPa8TQG2Zy+y0tuP++thc0czIy7+p8PWMbazYcQ1E1FD8zzz7ZjYAAMz/+tJvs7ELSs4pp3jiWF57rwYdT1rN/fyp/LbyDDyevZ8HCg3z/zQ1ERQUAlzc5okBwpSAUHQQe3INinTrRzP/5FjZuOcXwm35g6OD6vPBsd6Z9vhld01i48E7WLrub/QfTOXw4g6AgC6EhVmZ9O5J16x7knjtbo6puz7VLH/zhNiJzftnD8qWHqVQzCsmu8uaElegavD1hFXVrR7Hgt1tZsOBOruldiwb1o/n1x5v48ec9jLptNo893LGUQXKrVvg+nzEDzMoq4n/vrCQo0EJs1XBmzd7FHwsPEhUVwOBB9YgK8yMizI/ZP+/B4VD5dPIgWjavxPU3zeTQoXRm/3Aj0dGBnn04gUAgjJLABw6Hk0qVg6lTM5K5c/fTu1ctAE6fyqVF0zhPvSaNYsjLs+F0qLRrm4Dd7kTTdK7pU5uQECtw6QdbXS9JZZ6Smk+z5vE0aRTLkCEN+f2Xm5EkOJOST/v2Vcod27hRLBGhfixdcoS+19T2tGf0+1xLj0alo0lZxEQF0KlDNZo1juWnH25i5A2NWb/xJK+8vozmLSpRp3YU4eH+qK44rv596zL/94MkVA4hLMwPp1MTXn4CgRfy2dICi9fV93LjdGpM+mgdNruTn364kfsemMfxEzn06VObn+ftZ+/eFBYtOcz6TaeoXj2cgkIH6emFyLKMJEkuxXAqBEkCTTMG/IYNYsgrdNKxbRW6dK1O1SphIEGzxrFMnrKefQfS2LcvlZycYoqKHLz4ylJq1Yzgw4kDufn2nzh1KhdZlsjIKKJrn895e8JKgLNq39WtE0VQkAV/fzM9utagUcMYwsP8OXAgjYICOz171qao0EFycj5mi8LGTaf48OP1LPljDGvWHufb73eg6/plS/lxtXO5v29Xw+vv3G8xUxJ40F2uzYmJmazdcJxHHuzA0KENad2mEl99vZUh1zVg+LBG3Hffz7z7wRqmfDiI2NggYqKDaNYs1uP5pihyhTo4SJKMpuvcOaYlrVtVYvgN3zHk+u+YNn0TAK+83JOOHapy70Nzuffen1m77gSHj2RyKDGDBx9oz5jbW1C5Sgg//7oXgMhIfwL8zCxZcsTVfvlz6jqEhlqZ9P4AJkxczeAR33HH3b+QmlrAsCENadw4lsHXfU1+gZ2bRjTB4dD47oft3DC8MV27VeOBB9oyd/5+srKKURT5sqWPFwiuNKQMoX13VeOtffeuS/tO151Iksn1ecmgXNHedBfL2fp3Mf3Oz7Pz2RebmfPLXsa/3psuXar/49d9pd/H/zLe2ncJQvvukuHWvov10r5LFtp3gr+L3a4iyzImkxFL49a1M3TkNE8SP8UkI0sSmqaj6/plS4Xuxp3GQlV1kECRJc+szenU0HQddOM6jDLd896tfWe2yCQkhPDGq73o4kqNfj7tO6fTSJ0hASaTYrTn1NC9ZIpMJhmnU3PlnpI8yRDd5xcIBAbCKAnKUVZQ1VtPTlFkysrIGQPvlTGy+uof+NbEc2v3Ge8Vz/Ejrm8MXLj2nbdunqc9H+fz7oO3jqBAIChBGCWBoAxux4PLPfMTCK5GhFESCMogjJFAcPkQ3z7BBXOlbwRfaP8q4jqu9HslEFypCKMkOCt2uwoYTgCG0oFRXlBgp6jI4amnqqVHYF3XL4uLs9uhISenmPx8u6fc4VDJyS0mJ6cYh0N1OUSUTkwIJdd7seTm2sjJKTYcKbz6YrOrrnvlBMBmM366q9ntqkfaSSAQGAijJPCgufZS5v9xkNG3zKZb788ZPORb2nf9jLcnrKKw0MErr/9F586f0qrTp0z5ZAMFBXaGDv+O3+btQ9fh4KF0Rt86h8TETKPNCjBOum4Io+bkFPPKa39x043fMWrMT8yffxBN0/n5572Muv0nRo36gZvvmMOJkzls23GGxq0/YslSIxbp2kEz+PCjda72zt9ndyqMRYsPM+r22Yy6aSYvvbKU7OxiAH7//QBde02nS5dPuev+X7DbVO5+cC43j/kJSYLvf9hF3wFfk5JS4NHREwgEwigJfFBQYOf0mTweH9uJzOwiHrq3PcXFKlOnbWL3nlS2bXuEVYvv5JvvtpOZWUTnTtVZsuQIkgTLlycRE+VP7dqRXvp3lxZN05Alia9nbGfjhuOMvLkVjetE8djTf5CbZ2PkyCaMuaUFw0Y2JflkDjN/2EnrlpX430u9+WTaJp55YTEd21XliXGdPTp0DodWbgbojSRBbq6dp55bRM9uNRh+U3O++XY7fyw4yJHELF5/czlfTB3K1q2P8N1XN2CxKnz8wUCKi1Vefv0vFi8+zIcTBxAXF4SuV8x9Egj+DQijJPBJ44Yx+PmZqFc3mvi4YAoK7Bw+lEGfHjXRNJ2ICH96dqvJoUPpjLqxCWnphRw5ksmmzScZOrQRcGEzjv8vug6ybPwZn0nOQ5IkduxKprDIzvPPdCMo0MKHk9cz9fPN7NyVjK3YgZ+fCV2H64c1xM9i4u0JK3liXKdSfTabZRTFt6Fw1zmSmImsSJw+k8f2nWcYc3sLunSuxr59qdSoGU6jhjGoqo6maWiaTlCQhUcfbM9rLy2kfr1ImjSO9cRHCQQCA2GUBOXQNJ2CAjuqqlNYaMdmc2I2yzRsFMOfiw8jSRInT+ayfFUSoWH+JCSEEh8fzFdfbwVJolvX6mia7jM26J/GO6NraKgfNWtH8f74fnwwcSC33dwCRZH5ftYOnnq0M5Mm9EexWii2GftKM77dTmxMIC8925Onn1vsCW7NybFxx32/MOvHXcDZte/i44Lwt5h4fGwnJk3ozysv9qJKQiixscHs2J7M1m2nXYGyRlxSWloBn03fzBdf3Mjq1cfZvOU0JpPi0e4TCATCKAl8EBBgJjIyAH9/M1GRAfgHmPDzM3P3na2pUyeSFi0+YMjI73nmqa60aB6PpuncenNz5i8+xHWD6lV4fyVJQtN1xj3aEVXTaNhoIo2af8hLrywF4LZbWvDgI3PpPeArggMsVKsSyvYdyUz9fBP339eOF57ryq69yUyctBZJMjTt9u1L45OpG13tlz+nrkN8fDAvvdCDzr2m06j1ZLr0mE5SUjatWsbz8gs9uP3un2neajK33DEHu03liecWUqduJGPGtKBvv9o88cwCUlPzkWWhfScQuBHad1c5vrTvnE4HJpP5HMdc+dptf7ePRUUOVq05xvh3VnHX7S0ZNaqZR0LofOdDKl/v33CvriaE9l3F8P/RvhMzJUE5zvXUXlag9UrDOx9S2bKy771xX7OuwboNJxh+fSNGjWrmOujCziedpdxX/Svx3gkEVwJC0UFwwRgDacm84UqcAfjqk3fZ2frsdjYICDTz8vM9gBLtu3Nd59k+873kp7tu3aVPES8Q/FsRRklwwUiuAfW/jsOhAqVFac+FU3MCEia5RJhV0zVUTTVUwWUFCUmkPBcILgCxfCe4YPLy7Bw7nn25u3HJMZuVCzZImq5hkk2lDJKu68iSjFkxY5JNSC5Dfir3FFlFWZekzwLBfwVhlAQ+0XVDssfp1HA4DfmddetO8ORTC1FVDZvN6QkuNVJ665765wo6vdR498PtKq5p3n3TPH32rqOq2t/ygJMlma+2fs2fBxbg0AzpJUmS2JW8mzf++h+fbZxOTnEOAG+ueIu5++fi1Jw4VIeQGBIIfGASX4urG52SfXzvxSVJKp+DyGKWCQvzc+Uskr3qSq4cRpd/ecoIeC3dD1+5iyRJwmQyynT94pXBdXSKHcVMWP0um05uotBeRJsqrYkKiOJA+gE+2fQp0X5RzN33G0eyDvN23/EEWgIJtgZjksWq+eVGL/Ne55z+LIKLxNf9vNB7LGZKgnKYzTL79qVx7XXf0KHzp9zzwG9GMKxZITenmCeeXUDbtpP49LNNAPy1LJHX3ljO0JEzadt2Mm+9s8ql51YxQaFu7TuACe+vpnfvzxgycibbtp0B4MfZu+k76Gt695nOA2N/p6DAztZtZ+jV/0t2705BkuD+h+bxwaS1rvbO/9WRMPaKBtUfxDPdniYhvDKyZHydogOieaH7c7za5xVe7v0iCw4uAMAkmdh2ejtDZlxP/68Gsf3MdqDi7pPAN8IYXVkIoyTwgcS0zzdTv04UP3x3I1MmDUKSwGJVWLXuONf2rsPrb/Rn0hRDwDQ3z86s2bt44+VeTJ48lIz0AtIzCiosKNStfffFV9vYuvkUD4/tQsfWCdz38FxycosZPKg+jz3SkQcf7khSYgaff7mFRg1j6Na5BhMmruGrGdsoLnJy8+jmnut3OFTPUt/ZMMtmWsQ3x67aKXYWe/aOIgIiqBRcCYAlh5fSvWZ3o59orDq2ik+HfkytiBp8seVLwJh1CQQCA7GOICiHrut07VqdqZ9t5NNpm+jcqRoDrq1LYYGda6+pQ69etThyJIvIcD8AnE6VG4Y1pFHDGADatUvwtFURum5u7bukY1ns35/C9K+3Ysuz0bFjVfysZhYvOcJr45cTFR1A0pEMdB2sVoWXnuvOyNGzuPPen8lJfYGgYKvHDdxXivOy6Og4VAdOzYmug0N1oOnGPpUiK3y64VPWHFvH9GGfoaOjak4eav8gccGx1Iupx+HMQ0ZDwitPIPAgjJKgHA6HypDBDRgyuAFr1h9n+IiZLF98J/4BFpdzANjthhs0rv87HIYjgaLI6OjIFTTQulNISJKE3a5ybf+GvPlG71J1/jd+OR++25/27RK47vrvsDvcjhvHCQ8LYPTIFnz9zQ4efKAtkiRRUOBg6ueb6NiuCu3bVTmnKoNFsRATFE2A2Y+YIMMoI8GkdR+y6eQmfr91rldtCYdqOEM4VAeyWKgQCMohjJLAg3sZyaTIPPPcIpavSSIuzI9+fesQEelPckqBJ0meruuepHVOl8ebJLmVDSruyd/oi7Gn9OgjHbj73l9p1/5jZIvCoP71efbpbvTsXoNbxsymfoNoDu3PZOC19di1O4X7xs7jk0mDqFcnis49p6FqGo881J6AADPTvtjMn38cYPGCMWc1SE7Nyf2/PcjO0ztJzk+h69QePNntcUKsITw69zE6Vu3EgC8HYTaZmXLdZGRJxqE5PcfaNbvvhgWCqxgpXWjfXdW4te+Wr9vIey+/wMJFi7Db7aSkFJGbb8PpUKlWNZywMD9sNidFRU7CwvxwOjWys4uJigqgqNiJw64SEmK93JdDXp6NEydy0IHwMH8qVQrG4VA5mpSNrEhERwZgsSjoOmRlF1G5UggA6RmFOJ0aEeH+pKYVcN+Dc+nUoQrPPt3trNp3OjqJmUfRNA0/k5V8ewFxwbGYFTO5xbkUO4opchZjVsxUD6+GzWlDkU0EmP3Jt+ejaiqhfqEVeXuuetzad/c8/AhVXNp3NevUJURo3/2juLXv4ry0785coPadmCkJfFKlSunB0tiHMWG1Gn8yJpNMVFQAAP5+Jvz9Lv+fkq7rBAdbaeja23JjNivUrRNZrn5AgNmYG+o6UZHGteTl2njljWXUrh3Js093czWMT6skIVEroqbPvgRZgsqVeX8hfX0uEAiEURKchZKnRmNE9hZhPd/7y4UkSV76fFC63+U1+zx99hwHwSFWpn9yXZl2z35OHb3EaOkluZZKdO48PSln23T0Cl3qFAj+DQijJPBJyUBcNuj0/O8vJ2fT5/OlO3e2/judhiv4hSQplLzzVZRqz8f5fB0rEAhKIYySQFCGisiYKxAIfCOMkqAcuq5jt6uYTDKyLJWaOahqibad+3NN042XbixlybJ02QZ2p7NEw87dP1XVPYGwkmTsMbn18MxmGUmScDg0n9JK58PdDpS+bl3XcThKn9P7HJpm9MlkUq6YWaZAcCUgjJKgHIYzgxE8quu6Z6DVNN2le1e6vi9tucuBpuk+jYqiSCiKt4q30WeLpeQaL1QVvCze7bjbNlzjS5cDnnPouu66Z+cP0BUIrjbEOoXAg1vz7eDBDB4e9zsHD6QjSRJff7OdSZPXIcsSy1cmMWLE94wa8xPbthvaclu3nebH2bsZ+/gf3HTTd8yeswc4dwbbS9F3WZb45rvt3Hjjd9z78FxOnswFYMGCg9x8x0/ceNNM3n5vFZIEe/al8fDj8zlzJg9Jkpj00TpmfLO91H049/mMn6dP53HbXXO48caZ/PTzbs+sJzW1gAcf/Z0RI77j2RcX47CrvPbmcmbN3oUkSew/kM6TzywkPb3wgs8pEFwNCKMk8MIYUWNiglAkmVfeXMbWraf59rsdtG2TwLIVR3nz7RWMGtWczu2r8PCjv5ORUciJEzk898JiOnWsSteutfj1172kpxciSRVjmFRVA0ni19/2s2rVMYYNa0LNauE88th88vLtNGocy9DBDRg2tBFr1x7nqxlbiY0JJD2tkLffW83qNceZP/8gTZvEeu7D+VJZSBIUFzt57sUldO5YjWHDGvHZtC0sWnyYnFwb9z04l/jYIG6+uQV9etVCUWSaNonjzXdWsn3HGT6YtJawUD8CA80uQdbLP9MUCK4ExPKdwIP7KT842MwH7/Xn/ofn0aHbZ2xYfS/Nm8Uz9tH59OpWgyFDGgKwZ3cqiYmZWK0mrhtcnxHXNwbgjjvaYDIZezUVsV8iSYYf287dySxbeoijp7LJTSsgMi4YRZbIzbUz+ZONSIrE8QOpdO9ag6jIAGZ+PZxhI39g0LBv2LP1YSpVDvFo350rlYV7ie7kqVxWr0vi2MkskCVOJGVhtihs2XIap6rxwrPdPcdoms6QQfXRVZ3WnT7lhSe78fyz3TznEwgEBsIoCcqhKCby8+0okkSntlXZsyeV5s3iCQ62kuZabgI4cTIHq9WEpukEBVhwOFUUWcZqrbi9Eu/4qKzMIkbf0opXXupRqs7Ycb/zwtPd6N2zJqNune2ZAZ08mUt4mD9NG8Wxe08qlSob6g42m8qqtceoVzuyXBCx66yARGGhg+jIQJYtvKPUp4uXHCE1taBUmeQyPMeOZdG/d12Sk/M9e1tu7T6BQCCW7wReuPc1kpIyGTryexo2jOHbb27g9TeXM3XaJsbc3pIde1K4666fGHnzLConhFK3bhSZWUVk5RQjSxXv8ODWvtN1nTG3t2TFqqPcPuYn7rrvF76asRVd16mSEMqrry/l0Sf+YOnSREwmmcNHMhk+ehYD+tfls0+GcN/Dc/n+h53IspG24q77f2HsuPmuG1P2nEawbdMmsXTtXJ2uvT7nrgd+Zey4P0hJyadVi0o0qBvNNQO+5u57f+G1/y3D6dB4/pUlrFx7jG9nDKewyMH1I2eSlVXk6b9AIBAzJUEpDINitSqMe6QjfXrVxmSSmfndCPJybdSqFcGnkwexamUi1kArw4c0wmyW6dWjJm3bVL5sy1CybKglNG0Sy8eTB7Fhw3F0SaJOnSgkSeLtN69h6bJErH4mbru5BbExQZhMMq+91JNretcG4LsZw1EUBVXVCQqy0KpZZeJiAgHQJR+Br66CN9/ozU+/7KWo2IG/1YS/v5mQECuffDyIufP3U5hvIzI6CFmG7l1qcP/dbQkJsfLeu/3YsPEkFovimi1V3P0SCK5khFESeHAPtHGxQVzbNwww9kJaNIv3vK9VM4JaNSM8x+g6xMcHE09wRXe3FBJG/xrUj6ZB/ehSn8XEBHHTyKbljnEbJE3T6dCuKgA5OcU8OPZ3dF3n7bf6GhXPpsiKkUZ95PDGpcp0XcfPz+TZY3PTp1ctz+fRUYEM7F+vpP9i9U4gAMAkHtCubnSvlxu7Q8Nk0pBlV/CppiNBqUBZSTKS67nTWLj3Ry4n3v1DwrOcqOu65xpAwsgJKKFpRv4nd4CtJEFoqB9ff349ilJyLefUvnOlfXfbLeOeGOfUNN2tHIiilJzD3Sd33Jeg4in7d1/2OyD4/+G+ny5JyFJl50PMlATlkCRKDZaKl7HxFShbUV52F4I7p5PxXvL8NCnlO1jqGr0+L2tA3BhKFoZTgru87L0q6YdUqs2y5/D1uUAgEEZJ8B/jnxrsfbVhlAlDIhBcSsTagaAcum7osjmdmuen241a03QcDhWHo6TMSJGuu441glkreuPerW03c+Yumrf5iK7XfM7Wrac9fXY6NRwOFaerntFXQ5/O4dBcfdbRdHDYVYaNnMnkKes8dU+fzmPAsG9p0WIS701cU+qcF4NTdfXDWXKPVNXdD9XTpremHpTW9BMI/suImZKgHIb2XfnnFXegZ1nNNm+9ubMtZ11q3AP80WNZjBzejAfua0NgYElSPe8+uuOCJEnCbJZKlcsSyBaF6tXCCQ62etqOjQ1i5lc3MOfnPWx2GbuLRVU1TIrslhX0YGjzlfSj5D4bXoX6WTT9BIL/IsIoCTy4ZzuJiVmkphWxb38aNauHk3g8m+ZN42jRLJ4jRzKZPXsnJn8zY0a3ICTUyoKFh2jTJoG42CAKCuys33CSpk1iiY4OrPDkf2azTHCwH6Ghfp4yWZb4/KstnDmZTcPG8QxzKVKkpxfy5TdbcdpVGjSIYcjgBmRnF/PjnN20ahpLl241ALehlQgJsRIREfC3g4MVRWb2z3s4sDeZhGoR3HZzcyRJYvGSI2zYfBLdqdK9Ry26dKrG1u1nOHwkgxuGNUaWJeb8sodaNSJo3jxeBNsK/tOIxy+BB/fy0KrVSdz/0Dzmzd/PPQ/8xnff72DWrF1s3Xaax59eQE5OMfv2pXH3A79RWODg06mb+H7mDgC2bTvDexPXoGp6mSywFYN7+RDwpNiYOnUTh49kEhBgZu7v+/nGJbw65ZP1HDqcgd2hUlDoAMDhUMkvsPPq68v4esY2T5slS23llybPF/zq7s9Pc/ayfv0JAvzNbNh0knffW+NugYAAM4EBZsZPWMmuXck4HCrPv7yEub/vZ9OmU4x/ZxV2h1qqLwLBfxExUxKUw2xWaNQghrvvas2UTzdw751tWLEqiZkzd9KwfjRvvtEHgJtG/8ix49k8cH87fpy9G5vNycJFh7mmdy3iYoNwOLS/nRLin0CWDcM0a85uVLuD+OrhbF17jOBgK7fc0pz0jCL270vj2ce7UqNmOLoOUVEBjHukI/k5dgL8Taiq4Rp/Ls6W7RbcBsT47Ld5e9m3+wx1msRzYMdpTtfI5Uk6U616OJ9M24jF38yWLac4djyHgQPqMXf2aO64/1fQdOb/dgsxrmBeMUsS/JcxCef8qxy9zE8XEeH+5ObaCA3xw2ZTPcn9IoKsnjqBgRZSUwvo17c2M2ftYsOGk5w8lcP997VF1/XL7vIsSRK5ucXoms6LL/SiQ4cq+FlNKCYZXdeZ/MEA8vPtvPDqUtauOcaSBWMICTGuz+nUCAv18+yPnWt2kpFRiOYKiC2PsT9kt2vk5dt58KFOjLihMWaTjMVqwmZTuff+33jhuR40qB/FqFt+9LibBwWaCQ/2Iz2tgOBgi4+2Bf9v9DIvwT9H2ft5gfdYzJQE5SgsdJCamk+xzUlKSj4FhXby8+1cP6wRL722lIhwC2mZxWRmF1G/fhSKItO2TWWee2kxXTtVp1Kl4CtC/VpVNcLD/ejerQbTv9zC6ZQ8dB16dq9BlYRQ5v2+n6zcYhrVjWLnjjOkpRVgszn5c+EhFi87THiYH/7BFq7tU4ewMP9y7RtLhTrj31vNDz/uYNPq+4iLK33tkmSkwbBYZPr3q8ucX/eimIzPWrdKID4uiLw8G+vWHmXfvlQ2bzmNSZHZfyCdBx6Zx7NPduX4sRx69f2SLz4bSr16UZ52BYL/IsIoCTy4B9JWrSoRFxdK3TpRmG9vScMGMYSGWunapRovPd+dn37cgX+IP9M+GUJkpDFY33ZLc/KK7NzskvO53IOmrusormW3l1/swTvvr2bdhuNISDRvGkeVhFD2HUjn6LFMcGq8/EJPatWKICkpi527kunWvQZOu8qePal071ydsDB/j3KFG03TsVhkenarwYyvt1JU5PTZF/ds6567WiMpsG79cUCicqVQGjaI5t3x/ZgzZyd+gVY+/WgwDRvGkHQ8mxE3NKZP71o4HBrp2QWkpxdSv77kUdQQCP6LCKMk8OA2JC2aV6JFc2MgrVs30vNT03R6dq9Jz+41Pce4PcFCQ/14/smuXm1VYMe9cDs3eBtFXdd5alzncnWferx0ma7rVK8ezrtv9ytX1/AiNNy0VVf8kMkkM+O77Xzw0TomvNWXGjXCzzlDVDWdu8e0hjGtS7XbvXsNunevUapuQkIInTtWRdOMVO1PP97F89nlnoEKBJcSYZQE5SgudmAymT1acm6tNkWRPXtLYAzK7gFS141gT7eW3OUiOjKA8e+tYOacnXz4Tn9atqyEroPTqXpmOe5+OxwlQb9GrJCx1+Rwap61b13XsVgUzpzJ584HfiVxXwo3jW7p+gz69qlNuzYJ1Kt7/mU1RZZwODV0zX1O2SVppLlkjSRX/yTP0qDZLHv6f7nvrUBQEQijJCiHLEueYM2SQdD4aQykbiNUeu/EbDZSPzidWoUHe7rPd9ddrbjjjpaoqo7JtXfjK+AXjJgmI+15yRKbJElYzOXrxscHM++n0aW0/xRFIjYmiNiYIE+9880QzT7ui/ueeuOtuydJhkekQHA1IIyS4G9RVg3BzZWgD+dLNPZs+DIIvpAkfBpadyyWpmvG8p4kQv8Egv8P4hsk8Ik7tYKm6aUCQzXN2OA/dTqXN95aQXGxsbmvqkbdJUuP8PmXW1x1K97H1rvf3rjL3OWG04LO7Dm7eXP8Co/O3MVmgDVUySUUWREGSSD4BxDfIoFP3Jv6six50n8bOZNc+YBUnTk/78Fud7ryAhl1Dx/JZPGSw0DFKw8YXmmSz5mSu6xkD8y4xiOJWfy1PPFvGVBNNwxZvj2PG2fexKtLX///X4RAcJUjlu8E5ZBliQMH00k6ng2aRuNGcVSuHAJAXp6dbdtOcexEDsHBVo8RSDyaxfHj2Rw6mEZERECF91l39ftoUhYHD6YREGilc8eqHueBbdvPkJFeQHCoH00axRIQYGbvvjS6dEzgxhFNPEtzf8eV/YM1k9h8ZjNVI6riUB2YFfM/eWkCwVWFMEqCckiSxJo1x9m0/TSS3cFXM7bz7jvXEhJs5cFH5nLqeDaSVSErpwg/fzM7dqbwwMNzCY/w43hiJl2613K1dI484v8g7ridQ4cz+fSzTRTlF1KoSmzfdoaHH2rP6jXHeX/SGvwtEpYAK6+/1At/fxO/zz/AzO82UaVGDD98cwMBgZYLFjvV0ZElme93fs/xnBM81eVJdqXsvujlP4FAUBq5rMqGeF29LzeSBEOua0B4iIXQmGBWrkkiKSmLPxceIiuziKVL72LO96OIDPNDdWi88+5KRgxvzO+/3MJzz/ekuMjhbomKwG1Ifv5tH38tOUh4fCj2fDvvTlqD06mzZ3cKp1PyeOSRznz52VASEkJQVZ2nnujM5I+uJzzED73UHTg/EhJn8s6w+PBiPhw0iTD/cPzMflhMQg7o38Ll/r5dDa+/c7/FTEngwT0w22xO7rr3Vzq0r0LdepEsXXIYWZZITc2jbr1oAJKOZaKYZAoLHTgcRuoHgNSUfJQKdAfX9RJ37tSUfFq3qULHdlXo3CaBV1/rjSzDHXe0pEGjaH7/8wCPPfkHn0weTLOmcQDk5BShmGQCA63nOk0pVE1FkRU+3TSVJQf/YviMERzPOUGBo4Ccohw+GzL1klyrQHA1IBwdBCW4Hm3S04vYdzCNNq0qERkWwOHDmWiaTp3akaxZd5wdO07z4ZQNHDycQVi4HzHRQcz5ZQ87diYz5ZON2Oxq6QYvIZJUkhqiSZM4MrOLaVQ3miZN44iM8EeWJbKyiqlWLYwhg+oTFGhlzZpjoMPhwxns2ZvK0aQs1m84QWZmEZIkkZlRRMce03hz/HLjKspchuKKeXq80zjWP7COyUM+5PqmQ2hdtRUv93z5kl+zQPBfRsyUBB7ceykJCSE8MbYTr766mPqNK3HX7a0ID/OjU8eqbNl2hkcf/Y0RN7aietUwNE3nuWe6Me6ZBbz4+lIefaQDFosxaFeU+oAsG0oMt9/anMysAm67fTaYZAZcW4+nnujCL7/s5bufdmIG2rSvyu23tUTTND6YvI79h9LwD7bw3EuLeeLRzvS/ti4Rkf6EhfixfHkSzz1z9oDYEGsIIVbDAaRjtY5UDk2gckilCrlmgeC/ipRqFzuzVzO6rhNikVi+diMTX3mBhYsWYbPZsVr/fXsj/0SW2/w8G1M+28jcuft5d3xfOnSoet52dXSkyxwwLLgwsrKyqN+gIXc//AgJVatRu249atWpS3BIsEie+A8iS+DUNCq/7MeoVmOYMXwqp4rtWJTzjytipiQoh3tJTFV1JNdsx6QY8UpOp+aJS9J1Q+XArXunY+i7Qck+T0X3290/KJFL8tbrk2TJI/XjrUOn64bskMViol6dKN5+8xo6dKjqafec50VC0zWXMrmQAxII/j8IoyQ4K5Jk+M95y+v4ktpx695dCfjq39mkhHzp0FmsCkMGNwC44JxQTqdhkM5XV1U1T1zXfxVDPFYDdGRZvuyJHgX/PoRREpTD7dF2IZpw/0UMxwnpggfUCxWfvRyzx4tB13UcmuHOr0iKZ9bn1Jwe9QoAs2JGQvIqlzArJiQkl3jslX2dgisbYZQE5TCZZOb/cYBNG4/TpHklBvSrh5+f6R/Zs/k3cDHGo6jIwew5ezh0IIW27asxqH/9cuFZ7hnX6jXHiYkOpG7dyAsO0nUHBldE0kRJkkqt+bv7aJLLDxO6rvssT88oZNqXm1GLHfTtW482bRKuiCzEgn8P4pFGUA5d17H6mTh5MpcJ764mN7cYuDwCqxfDhW5Ul633dza43cekpBTw8Scb0XWwWk1oZbLTQsl9++rrbaxanQRcuJFxaw9edP8uwh3frUKRWpDK3XPuZfBXg/lp909IkoRDczB53WRGfHcjI7+/iVt/vI2UghQkSeK77d8z6KtBPPTbw2QXZRvXBQQHWdm0+TTffLcDuPL/bgRXFmKmJCiHw6HSu2ctqleL4IUXF3sGRUUxkv5lZBQiyRJRkQGu+hq5ecVoqo6/v5mgoMvjuSdJRuBvbq4Nk1kmPMxI1V5c7CS/wI6u6QQHW/HzM+F0ajidGn5+JsOxQ9Ox21T8/S/uK6HrOi2ax/PGG32BkpmNqmpkZhYhK5KnH+Hh/oSF+ZGTW4zJJBMYYPEcA5CbW0xQsBWTIuNwqEiSxPsfrKVB/Wiu7VcHSdLR0Epp6zk1J7IkY1ft5NsLQNcJ8QvFopg9Mx2H6qDAXkCAJaCc95O7jl2188yCZ2lftQPVQ6vyzc5vCfELpXetXqw9sZZ+9fvRMr4FTs1JmDWMeQd+5/OtX/BS9xfYn36QcX+O44thXxAZGcBD97Wjbq0oVqxM9Py7CAQXijBKgnJIkoSq6pw+nYvdrnqeuQsK7Ez/YgtLFh5As5i47tp63H5bSzZuPMnEj9biKHKgKTLPjOtC587VKmzZRteNmUFOdjET3l/Nrm0nkAP8ufPmFgwYUI/f5u7jux93otuc+IX48e6bfUnPKGTUmNl8OKE/fa+pw7UDZ3BN79o8Ma7TBS+tuSksdJCcnE90dCCSpJOf7+DTqZtYsewgutXMsIENuO3Wligy/P77fj6evokzyXm89WpvrhvUgEHXfUtgsJkjB1KIiAnj86nXUbVqGACZGYVompE00UYBN31/Gzc1vZEbGg8nMSuR5xe/wNt9x7M6aTVzdv2CQ3UQFxLHG33fwF+x8uTCJ8kszOZYxnGK1UJ+Gj2bOpF1PG7s7p8pBSmcyT/DPW3uAmDp0WWsPLqSPrV7E+4XQYDZH5NiIsAagEkxsfjwYkY0voHuNbsz/9AfrDu2gX1p+6gf1QBV1UhJyfN4PAoEF4NYvhP4RFFKss+63aZXrznOF19tZfDwJvTqVoMXXl3KoUMZdO5cjbvvbMPAQQ0IMCt88bWRT6mi4j40TUOWJL7+Zgcb1x1nyIjm1K8RzrhnFpCXb2PkiCaMurEpg4Y1IvlkDj/M3kWrlpWY8EZfpn6+mcefXkDPbjVdBolSru8XgjsBoJG+Q+avZYnMnLWD625oSpf21Xjq+UXk5tqQTTLpGUUs/eN2nn+yG9Omb8Fmc5KZXUTnDtXYsmUs0VEB/PDjbtatP8F7769i47ZTzP5lD+99uIYT+530rNOVZYnLAViZtJKYwGiqhlZlWKNhDG9yPdc3HsaWU1tZcXQZgZZAjmUfY3CDQWx4cC3P9XiW9IJ0o9OuS3MbphBLCGF+oYyb/zifbZzGsiN/4af4oekaOcU5fLLuU15c9DKT1kwivTCdYmcRFpOZx/54jKzCTNpUbc2RzCNe90IMLYK/h/jLEZwV9wa77PJCS0rKJiDARGJiJqdO5/LaK72oWjWUn3/Zy7vvr+bgoXSKCh34B1Tc8p239l1ySi5WPxOHD2eABK+/0pPgQAvvT1zL199s5/CRTDRVw99qOG0MHlQffz8zEyetYezD7V3tGaO1yST/7VnesePZBASYOXIkk7SMAt76Xx+Cgy3YbSp33dkaTdOpWSMcfz8TmZlFVKsazk03NkXTdFo0jScvt5j8fDspqQUUFjrIzbORmpZPUZGT6xsPI6c4l0OZh9h4cgPXNbgOgNeWvc6ve37laFYSkgR+ih8OzUGtiNq0TWiDqqmMbDKSDlU7ACV7WpIkgQ6hfqFMGjSJMGsYTtVJo7iGBFj9QYfIgAi+Gvklv9zyE1MGf0SUfxSBpmAmrfmItgltmT50OsXOYsL9I/5f/5YCAYjlO8FZ0DQdu0PDZnNit6tomk5cXBDh4QG89VqfUnV/nLObXj1q8uxTXbnl9jnkF9hdn+hcaqVwSSrxbosIDyChanip/uk6/DhnF6+82JN+fevQoetnFLu0+b74cgvxsUG8+kJvHn9qAR+83x+LWSE7u5iHH59Pv961GX1Ts4v2OoyNCSIyMrDcfbLbVTIyCtE0nT8XHiQwyEJ0dCB5eTby8uwEB1tZ+NdhxtzSgj69a9Gndy2ef2EJnTpWpX//up52qodX4astX+NUNXrU6EG+PZ8/Dyzg2xFf0yCmIb/s+xmH5kBGosBeQKG9EEVWcKgOnxlyJcmYLcUExPBS7xdJKUhh3qF5jO0wFkVWKHQUcTLnJJWDK+HUnASYA6gdWZPErCPc1PQmft7zMxn5GbSq1MqYtcriWVfw9xFGSeCFa5agyDz+5AIW/3UIh67Tv/9XjB3biTG3t+TgoTTq138fJdBM62aV+Orz67njtpY88fxCfp2/jyqxobRoEQ9UjBuz+zyarvPY2I6MfXw+DRtNRDIrXD+kEa+90os7b2/F2MfnU/XDMKLCA6lRLYwdO5P58rvtfP3ZMKpWDeXawTOYNHkdTz7embAwPxITM5k2fTOjb2p2XoOk6zoOh+oRhh1+fSMOHEqnfoP3UPwtdGxbhWmfDqFyQjDvvruSyR+vpWr1cKZOvg6TSSYrq5DBN3yLSdW47vom3DiyCXa7ChKYLQqFRQ7sDtWzNDa6+Wju/+Uhnug6DkmSCDAHcHOL0Yz8dhT1Y+tSLbwa4f7haLpObFAsfmY/wBCSlTCcGoyHBeOhQdNUzIqZSesm8eXGGVQJq8yb/f5H8/jmFDoKiQ2KJcgShEWxoEgKmq5xT9t7SC/MoOnEpkQHx/L+gHfxM1lRVQ2HQ/WklxcILhahfXeV40v7zm63Y7H8+7Tv/gmKCh0sXZ7IexPXcN/dbRg5oonP+Z579nT0aBYT3lvNxx8NAi5cBcKN06lx46hZTPlwELFxQf/chVxmlixN5K9lR3jzjT6oqnbF7DEJ7buKQWjfCf5xjC+o+1sqeWYLZb+4kuRdt+Tp+3K5ARt7QiUnP1f/vL3s3MZE12HnrhRG3dSMkSOauBrlrKuQiiKxYeNJxoyZzbUDGjB8WCNXP0rX89UP97lTUwuw2Z2GF2EZuSJ3O2Xvp67rIOERgtXRS12iu22Pl53rWo9mH2XymikolCi5F9gL6V6zK8ObXF8qusm7bV+Cs55YKNepZUkiJbWASVPWsmpZIq1aVfF5LwSCcyGMksAnxphWfiDyZWxK1728QSm+lgzP1j9JMgZrXS9JsxEQaOa5p7sCJYbq7NcMcXHBvPW/PiQdzaBSpWBkjwPB2Y4p3Q9FkZjwTj9iYoJ8KjeczbiXq4fk85/AY0xcPwLMATSKbYiMgtsw2pw24kMqedcu3/a5yt22HvCzKtSvF029mhG0b1/Nc40CwYUijJLgqkaSyhsdh8PYD7kQDTeLReGaPrWB2n/7/O3aJvytYy/qPC4DEhsYy52t7/jn23fdw9BQP24d1bzMZ8IoCS4ck5hZX93oXq+rkTPJeRQU2KlVM8IzeF6soKiqap7Z1t9xI1dVvcJmEzo6qqaWK5cluZxX3t9qXwdV0+D/cT8qAr3M+6v5O3ApONv9vJB7LGZKgrOiqronbkdRZM9Sl3vzQtf1UuXufQ1F+Xt6bf8EmqYbQa+SkdvJ3Q+34ZCkkky1OvDSq0tZ+tcR9u0ci9Vqumg1h5J7Uhr3+aDkfninrtB13ZWXqmLTO0j4Flj9x9qXDO9NgeDvIoyS4KwYg2XpPRjXu1I/y5dfPs72dF7e+0tCluCl53tw15jWmF0p3C/WmEqShMl0IecrKXOrRoi9FoGgPMIoCcqhKBJ2m5Oxj//J5q0nkBSFTz8czOFDGSxZdoSTp3KoWSOCPQdSmfrhYNZvOMnGTSfZn5hOUaGTCf/rS8cOVSrMFdh7ljbhvdUsWrCXoMhgXn6mOy1bViItrYDHnvyTo4fTiYwN5sP3BlC9ehjPv7iEVSsOcM21jWjeNA6r34XPlNyzrm3bz/DsS4txFti4dlBDxo3tRFpaAU8+u5BTp7LRZYmnHu1M32vqcOf9vxIfG8Qbr/Rm6bJEPpy8nqkfDyYuLkikdxAIXAijJCiHJMk8/Oh8goMszP/tNjRNIzIigI8/2QAK1KwRwYkTObRpnsCu3amcTs5j+fKjLF92J999v4PxE1YyZ9ZNmM3yRS+H/R00zTB+07/cytYtp3j40a4c2JfGXff9yub1DzDrx12oqsZnU4fSqFEsmqajqhpPP9mF6tVCmf/HIZyqhtWrTYdDRZalsxpVSYL8fDuPP7WQm0c1ITzCn9deX0Z0VCC33tycZ57szL59aRw+msXrby6nV89aPDOuC3fd9yvf/7CTRYsOc9cdrYiODhAqCAKBF8IoCTy4407y820cOpzOZ58OISY60PN5SLCVpk3jOHEylzq1I13xMMai3WNjOxIVGUD3bjVYufIY6en5xMeHVEhiQPeAfvx4FkcOp/PVt9uw59u5pm8dNE2nc6dqLFmZyIdTNtCxQxWGDWlEYKCZ4GArMTHBBAVZcDpVT9oJ4Jzp3T2Bs0lZpKblMe/PAzicOlWrhVKvbhTp6YW8/tYKslPzwGLCqeo47Cp16kTy6os96dHjE94aP5BBA+vhcGgiU6tA4IUwSgIPbtthtZooLnKyevUxatcqEdnUtBI5HbtdRXa5U2uajp+/keNnx85kbA4noaH+rkH+0lokd8Cpoeyt07tvPcb/r7TmXPPm8fw6axSnk/Podc2XFBc5ufeeNoBhaP2sJkJD/T3tFRQ4mPzpejq3r0rnTtXKGVZJMhw9AvwtBAVY+GXWqFLnm/b5ZnJzbfzx5x0sWXKEp19YhNmioGvw67z9vPBCX7ZuO0Nycr5YuhMIyiAe0QReGAOjxSLz7oR+fPTxBjr3mkanntPYvScVk0lGVXWPV56m6djtGoGBFl5+aSGde3zGJ9M38eJz3QkIMFfILMndvqF914F9+1Np1foj2nb8hNffXA7AlCkbaNP5U26/bTaNG8fSrm0Cmqpx34Nzuf+R3/htwX46dPuM3+cfQJIgMNDMjO+288prf5U6h/d90nWoVSucu+5oTY3679Om61R6X/sVKSn5dOpYlVOncmnTbgpvv7ea0GArDofGXQ/8is3u5LXXelG7dgQ3jJpFamqBx7ALBAKQUoT23VWNt/bdB2W07zIyCsnMLkICEiqHoqrG3od3dlWLReGtt1fh768wbGgjQkP9Si35VTSFhQ5On85FB0JD/IiJCSQ9vZCsnCI0p0Z4RIDRPx1OnMpxXYOJgkI7sdFB+PmZOHU6l4fGzqd7l2o8+USX82qdHz+Rjc2uYpJlqlQJxWSSycgsJDOziOjoQEyKTECAmZTUfKIiAzGbZVRNJzk5j9iYIE/eKsGlx619d9fDj1DFpX1XU2jf/eO4te8SymjfmYX2neDvomk6kZEBRLpSnp+tjixLZGQU0rhJjLHPBBXi3OALXdcJCDBT29UPN1FRAURFBXjVM2Y/VRJCy7WRl2tj/IRVNGgQzZNPdHEdwDmtUtUqYeXKIiMCiIwofe/i44I951dkicqVQi7swgSCqwhhlAQ+cYuTumOwDZ04XO9L1x00sB4REf4+BUUrEo8IaZl++hJHPVt5cIiVqVMG+6x/NrzbKWm7RMzWXe42ht7nFwo8AkFphFESnJWyoqxlB1C38TG039x1Lv8oW7YLZxc19V3ucGpIUG5Zze24cSHtn10Y9vznPx9uFYmyfXHvS3kLu7ofFNx98uzBee1heT9EuMvdZd7Hl22jxMnE+3ylFS6EA4fgYhFGSXBOHA4NXdexWBRXAjcNP7/Sfzbe8jlXIkVFTiwW+YIDec1n2eO50OtTVZ2MzEJkCUJC/LBYzu5efrG4dfJ8pbIoa1zcBqSsgSzr7edebvUV7OzreO82yqual+7b5VrKFfx7ETusgnLoOthsKna7ym13zqHvgK8BWLX6OPc/OA+nU6O42OHJLqoo8hVjkJxOw13dbldxOAzh0Xvu+401a45jt6vY7Krnyd/wHjTqurPG6rqO02lkTzXa0DyZZQ8fziQlJR+73XdmVfcsIyOjkMef/pPmzT9gwvurStUpaVctNaPw7vfZPPEMrUGJM2fyWLnmGDk5xa5ywxisXX+c33/fx7Hj2Z6UG4WFDhYsPMjvfx6gqMjpEY5NOpbN77/vY826456lWUWR2b0nhU1bT2GzOQHIybWxeu0x/lh4kMVLj3j6IcsSebk2Vqw8SlpagaePx0/k8OfCQ8yfv59DRzKEQRJcNGKmJPCJ1Wo83T9wfztOnMgGSpZmTCbZs7R1Je2L6Lru05NN13X8/EylZizuwbl0mX5WLTuzWeGN/61g8KC6DHMl8iuL2zBHRQXwzRfDGf/2KoqLHZ7PNU33GZSrab77XbaOrsOKVUeZOXMHc/84wEcTB3DD8MZIkhEbNXX6JqpXDsI/OIA3X+tNbGwQjz7+B4cOphEWHci6tSf43+u92bc/nQfHziM8SEEzmTh1ogkjRjRh9k+7mfHNdvYdSuO32aNo1CiWpUsTue3uOfTvX5fEAxn82bU670+4lu3bzzDjmx38MHsHTz3RhUcf6QjAwYNG8HJhdhG5RU4mTxxI0yaxIhZLcMEIoyTwwqUILkuMf2cVG7acJCbMSr/+9V2fGyKm736wmrUrD3PPvZ3o17fOFbFE4+7D/7F31nFWVO8ff5+ZG9sdxMICS4d0IyEpgkqIYjd2d3e3P8TExhYLFQSluzuWXGC769bM+f0xO3fvLncJBcWv8+a1L+6dmXvmTJ1nznOe53M++HgNP32/CSXEzlWXdmPokDRsNpW16zN5+qUFNG8Wx923nUpCQhjbd+Rz30O/oXl8XHxxF8ac1Za9e4tYvGQfGzZns2XDQfr0b85lF3Xm0af+YP7CnaTvzePjj1cxcnRbrrq8W9W+OWRsR9cl5eWeGgZOUQRPPD2XVcv3ktYqmUfuH0REpBNFEbz6+hLmzt8FQvDYQ4Pp0D75kPOqqgJFCK6/ricOu82/Li+vgilvLee7ry+gceNo+gx4m6kfrmbAqU3YsiWXBXOvpLjIRZM2LzJ+XFs+mbaePj1SeOLxobz/4Wrue/Q3RgxvgaoqPPLwabz44sLqOYcFjBndho/eH4eU0LPvW0z7fD3t2yYxdmwbwsMdOKoMrZQwa01xAgAAhjhJREFUZHAaQwanATB+wuesWLnfMEpSopwEgr0WJz+W+84igKrBaiRDBjfjmiu7g1D55NN1AERGOpg5J53YmDDGj+/IA4/MYe/eIkD8o8mfmmZYhdVrMpkxYxtjx7bntpv60LZtEgAuj4/vvtvCNVd2Z+GifXz97SayMku59oYfGHV6K666ojvPvrCQZcv34/XqPPLYHyQlhHPNNb1ZvHgve/YUcu74DjRrFk+/3qlcc00v+vZu7N9/MHtssykBEYwGd983i4z9xVxzTW/Kyjzcdd8sAJ5+dj6LF+/lmqt7cNXl3fyh4oEGyexlDBzQhE4d65OXX46uGy7EdesyadU8HodD5aJLvkbXoajQxew5uzhjZEtWr8lk+Bkf0q1zCjNn7qS4yMVpp6Xx1jsreH3yUlq3SGLDphzGjmlL/XqRFJe4axxLaakbj0cDJGeMaMnatZmccko9+vVNraqHcZBSGonVF1/xLR06vEyzZrFMPPcUY6zK0vazOEqsnpLFIUgJ3bo2BKC0xMPsOekAVFZ6ObVPY664tAsA07/fzpYtuaSmxvyjiYem/l5SYjhun8b0H7bx6MODSIg3pINUIbj1lr4MHZLGbzPTcbm9zPljN6mNYrj04s4ArNuQTXp6PtFdQ+h/aipXXt6ViAgnQwY3R5fGxH/NmyXQvWtDhg9vedj6SEnAOJUxbpWZVcr6dVm8+PzptG2bSOPUWF59bTGZmWXMW7CHpx4bQpcuDY54rGa5hqySMfYlhKC41MOka79n2NDmnH9eR775dhPJSeEsWryPFcsP8MJzI5i/YC8lpS4iIhy8+MpiUhtF8fmnE3j00T/QNInL7aOszA3CGPvyj5sJ8zwb021ERjhq7Nvn0/F4NWyqipQ6zz4xFJ9P45nnF/Lya4u5/54B6FLWOa26hUUg1uuLRVA8XmPAvaTE5Q8C0DTpTwD1eHQOZpWQlPTPqTeYmL2IlJQofvj6Ar76/FxuufMXLrvyW//6sDC7oQ6uSxx2lbi4UHJyy/xl7Npd6B/XCQmx4XL5jEn4bAo2m9ETdLm9eNyHztpaG7tdweFQSUwIJzEhAodDJTY2FI9Xo7CwEoCCgkry8isIDbVRXu7hwMGSozpWh0MlNNROdFQIKSnR2O0qnTrVZ82GTM6d0IHrr+vJzN/Sadoshu7dU1i0fB8ffTiefn1T+WnGNsac1Qaf1Cmv9PLG/52J5pPs219Mm9YJhDhtpDVPICrCSWpqLDabghAQFeHE4VApL/Pw44xtdOpUH5tNITTUTmxMKPWSI3DYVRTF6CHWrx9Jo0YxNKgfSWZmKWDYNUsxweJosKZD/49T11TQAlEV3lv9dmu3KXz29QaKyt3s2VNE716N6dKlgT9o4J/CHETftCmXl/9vMVLqJCaE06KZISZbWFRJZaUXRREUl1SSm1fBZZd05ZPP1nHmWR8THRuCT4O+fVLJyS2noKDSX6YR3CFQFBh1RiueeHYeM2duYfDQVlx0QSegekzJHAPan1HM8y8vYsas7Qgp2b4nn3tuO5VJV3fn9vt+pXXTaHIKPZw/4RRiYkK49uoePPzY73zz/WY0TXLfXf1p3SqxxpiSOb3FrzN38MXna/l17m7WbzjIyFGtufPWfjzx0GC+/WEzv/6ymYN5Lt684UxSGkRx8cTOXHvdd+QUVdK2XSLdu6fgdNp45oUFXHzx5+zaX8aF53ckMTGc1ycv5Y8/djJ30V4uuugLJl7QmVCnne9mbOXSq79l44ZsevdszODBaaxYeYDJk5cwd/E+on62s2LtQR68ZyDf/7iVP+bsQCoKDrvKLTf3QdNk1Yy//9QdUhMZ8H/tP4vjQ+D5PNZzbLnvLA5BCPzTKdjtKrpmzD/UqVN9pr49huJSN6EhNkZXBUD809F35v7j40MZPiQNj1cjNMzO6BGtAHj26WH+cZp77xqAw6kSGmrjjddGMXPWDjRNZ/jwlsTFhhIV5eShBwcRGxtaVXZ13s3YMW2JinGSl11Gq9ZJh+zf9HNFRTkZOKApg4c0A2nkeoWF2Zkwvj3J9SI4sK+QpmkJ9O7ZCCnh/Imn0Cwtjl17ChDSkCiqnR9k5g81bRrLsGEtmXhhZ8pL3UREOhECrri8K4nJ4ZQVu+jdJ5WmTWIBeOiBgfz663bsITZGj2iFlJJTTqnHPXeeysYNmdRvGMOgAU2REjp1rE9SYhiTru1JSX4FzZon0LRJLJ9/OoHCwkomjG3PyBGG6zI5OYJhw1tw7sRTcLt8CEUhxKnStm0idlWAIujXJ5XGjaNPikCYurAM0cmHyLIEWf/TBAqyvlolyFpeXklWdiUet48775vFkNPSuPmG3v+48TmeBAtlP9GNZ+2waE2XqIrwJ8QGkr6zAK9PM0WKQBrTgzRJjQladu2616U+Eawex3LcdUlN1cXJFgpeWFhIqzZtuerGm0hpnEpay1akWYKsxx1TkLXRwyFMtARZLf4sZlJpaamHBx6dw4HdeXTtkcrVV3TzT68QKDmjKMpJZaikxB+RBtX1C2ygTYVzI2FU1pDVMZNID6ffp2mGE+JwChZGPWo6KxTFiMYL/L1a9XtVFWi69Lf4LpeP+x76jazsUhSbEUituXy07VCP554cTni4HV0aD75ZD0OR4dC6BTtGRREB11L4DWLt62u6b4Od08Byq7ZGVUWNMk5mlQ+LkxfLKFn4MRuguLgQPvvwHP9yKXU0Tat6m65uiHT9yIP+/ySB9Qt8Cw72Rlw7pF07wqEZ4c9HroN5xmqfq8P9PizMxpefnlvHfnUjAMM/3nVoOXWVHTxsv+561NaxI8hxHK6coz1HfyeBBtbi5MQyShZA9cOqKAoOh7PGOiEU1OMn32bxF7CuxV8jMjKyRm/Q4uTDMkoW+ICE+ATWrFtHl27d0Kt6RVKX6FJH13WkrlsP8zEgEahSR5ES358KOxNIoaMJDVWqCGm5wf4qQgh8moaqqhx+2kaLfxLLKP3HEUJQ6YVmzZuzZs8B3O7qbP6CvDx27djO7p3pZOzbi9vl+gdr+u9BkZJKp5NumzbRKDOLX07th64oiKM06jo6oTKM7epmfnP+yNnuidTXUvAIt5WA+hcRCELCQo0IU5sNVVFO2sjA/yqWUbIAjHEPh8OG01l9S9htdiorKpBSJyoqyvLHHyVC13GHhdHC4yXJ5qBjl67IYzBKmtSIVKPQyrzMyVRo3awtzUNbUaFVoIiTJNnnX4ym6zjsdmLi4omIiiIkJOSfrpJFAJZRsvBT2+Y4nHaS6tVD6jpRUdFollE6KoSu4YuIIH7nTiILC0ltlmZkjh6DUYpxxrJrfzr6Lp16DVNoGt+CMk+ZZZSOEzabjaiYGJKS62Gz26xw8JMIyyhZHAZBbFwsISEhRo/pn67OvwVNQ4+KInL9BkJzckhr2eqYjJJP95EQGs8GbS24IaVxY1qktKHEXYwirCiH44GiKIRHhGN3OCyDdJJhGSWLwyIlhIaFEhIa+k9X5d+DpiFDVJyRkdhCQ4mLjzeSio6y8fPpPuKdNiIiI8EHUdHRxMc5sXniLaN0HDHyrf7pWljUxvIFWBwR68G1+F/Euq9PTiyjZGFhYWFx0mAZJQsLCwuLkwbLKFlYWFhYnDRYgQ4Wx46uWw75w6FpoHFojP2fxKf78GgevJpmBTpY/CswVcL/DJZRsjg2JOBUrPDww6IaE5qFh/+lme2EEAgpSAhPIkZ1EBEKlkmy+DcgMOTLhBDHrEJiGSWLo0fXkU4F29qN2NauRYaGHrfewP8Umo4MdeL4Y16Vg/zYZWwE4Pa6kHbJw7/cTkxIJF5d/qmyLCz+boQARSj4PB68uu+Y7lrLKFkcHbqOdAjU7TsJe/JJ9KREZGICeLz//NSzJyOqCnYV1xVXgR3wBplVsA4UoVCuQ7v6p9C5dQ/+2D4ThAJYLwAW/xYEutRplNCE4W3OoAyO2vUsMq2ZZy2OBq8X6VSwr1pHyNtvU/HQQ2gNkxE+sOZSOAwqhh/jT6AIMKdAOobcWwuLkwMJujTm/go6lVcdWD0liyMjJTLMboyTREZCWCgyIgKpqqCC8GJ5leriGHpItdGlcVqFZZAs/o0IUMSxGSSwjJLFkZAS6RA4Fi4FVwXqzt0oe/bimD0bPToCPbkBvk7tEW79Lw3q/8/yF12bEivQ0eK/heW+s6gbXQeHQNm1l5jxF6AczDIMj9sDYaFQXoG3T3dKPnwXGRMDmrQMk4WFxV/C6ilZ1I2igEdDa5yCDAtDyStAhoYZPqXiMkRZETIhAS02GsWjgc26nSwsLP4a1mutxREQYLdRcf1VyMgIY8RdUUDX0Ro1puLKSxGKUhUdZmFhYfHXsFoSi8OjKAgd3GeMQouOQPg0EALh9aA1aYj31N4IjwTVupUsLCz+OlZLYnFkNCAiBPdF5yF1I75ZhobguvB8YxTeiryzsLA4TlhGyeLI6DpSVXCPPweha8b3UKfxHWElz1pYWBw3bFClU+TzoVmSMRbBkBJ08DVIpmTMGYR8+Q3lk27B7bRDhRurq2RRFzabDcWKyLQ4BkSWV0pNQrQdwv/p2lic/Pw6F0YNhj1ZkJL4T9fG4iSnCKjwWi4Zi6PH5vV6iXfaeff9j/jxm6+NICqpHz6DvGqlEKDrEp927D0sKcFWJT8hA8YlBEaA17G8fetUlWFx4tAlUhWoGQewazqeCWOQ0ZHGybc6ShY1ENhsNmyqytU338LQgQMo9miolhyVxVFg03WNUMXOjO+/49RunenXfzCFhRWoqjk9QU1l4kB7IZGEhzoID7cfow6KjsNmo9jlw6ZAqE3Fq0sERhvn1kBq1QUG7rPG5yr5FZswDJzFCUQAEqTDgYyKQiksNOYNqlpuYWHi8/mwOxz832uvsnDuXMacNoAiXbc0Ei2OCpvZwoeGhdGnb19eeMOBq7IUm9OOkDqK1AENHS+61JFSInUJmg5CJyOjkE1rr8F2jPdbsQ7Pzt/LkBb16VHf4V8+3wMv7IaGDvCUg16hoVV4kZUaeqUP3WX+6ShujfxiD5cPTeaSvpbz0cLiZGLBgvnkuf6kGq3Ff5bqFHypk5dXhMcnmDOjL5CLho0CwEMkGvF4NIF3H0SVQZIL7PFe+k6YzJ79hTRrFG1EB9fZYREgNVBt6MULuOj9Xdx/9ij+2L4HvTyOIWnx6FJyMMNHqaKRW6RTsLcSvdyNr8yDp8SNXubBV+5Fq/DhKfOilEny92lkdbKh66F4fRK7zeoxWVj8k3i9Xux2OxXl5QhbyD9dHYt/GTV0YRRFoCg2fNm7cMuf2JwQwXINSpTWCNkDtschF/tIKxR0l5JGSdnISg+q3YiwOdywjkADxQbFC5A776NJ4vU8NWsjfVsk0atxLF4d7KqCR5MMktAz1EFRgoIt0YmuadhtOj6PBopEl6DaJSE+wYZNFbhdEkVRUBSJYrnxLCz+UYxnUUEoCl6v1xh2tJ5Li6OklliZNMZotDJ8yn4qbVFkC0mRqAdSR3cp+LIEUdkCn1Sw5ZdAeSWoAWNOdd57KhTNR9v9IGrajdyx7Be2hXRi6KCbAYlHM7aq8Gh0CVXoa7cT28/u//WG7dChpZHHqQJrdkDnFpDauJyv/sg+fmfEwsLiuKCqKvk5OWSUVFDpchEbF2cpnlscEZt/kNp/s0jwlKCLHRTKOHbrGvlKCoruwVsq8eyVxO2XeBQVST6+ssoab0H5+T4yDrjwaBpSSlThxe6MoEXcMpyZDyEbXcf6V79l736d5tePZvuOLBo3jsduNwyQ8Gq4nZLfV3gZkazy9U/wx1qBMySX+g1i+OZthYFjVCrduTRqEMvn37i57Iq/9ZxZWFgcBTabjdysLHampyM1HbvNTmRUJLr25+eYsvjfp2ZPSQBIqCxCCcmiWPjYr3opVrIRaFSUCcoyFBodFPhsKqKyCF9lhSHIiXGfXXbjDrIOVtCylRMpKyn1OhEFP/HCpV+RNvBevDPmUFhm55Ooc9DeWcrs31by3qsXMm5EFwCkV8cuBXtzKin3RXDJOAW3Gybdn8lZg0PZsCSMT7/RufDWg4wbFconr9r5ZoH1+mVhcbJhGKVs9u3cSWhEBDFx8YSGhVvJtBaHxVajoyQU8Lnx5GVRGF5JQWIFhR43FUo+ql5ISX4chQUe8kqhyGmnqCQbl8+FCFCI9mhuPvu4LTvzSjiYH0rvRktpFTUfIu4n86Of+GJGMWXjXqWb4mZw9xRSm4eRl1/s/73u0xGaQlZJGZu3hfHTHrj6fAV7s6Zc0CuScuCCceBs15bxrR0s3VpS5XS0sLA4mVAUldKSYoqKilDtdjweD5quo6rKMc9GavHfodaYkgDNQ9aBHLYLN1l6BR6XF5dShKLvwLvfhe7yUu6BPdKB7t1LufTUKMSm+ti5t4wrXtlLEmtpc84HaKfdSO7HPzPl02ze8N1I6VML8ezKZ/y1vWnQvBKIrC5A01Ek7M4uJb5+IpM/ktgj4aLMdBY9upPKKA+5ngqko5xp8U5Srp2IIi1XgIXFyUiNxHh/fqOFRd3UMEpCCHTNw9792Wzzusn2VlDh8eJSClH0PbgzK9EqvZS4Ya/moNydgUv3IQL8wxIPNhs0iHMyqdkKeg4cTOa3C3jj40ze4UYcuov6sXYO1gsnMdoBQgehVf9eM3KjbKrC1ddolJbBD3NVPCXbGNF1Mp4IH018GhXect77uh7jrppouactLCws/keoNaYk8Pk87Nifw/YKD9nlFVR6NVyiECF34sksQK/UKHPDHp+dPO8B3MTX0rVy49FDCHNvICxnHsueSebzNc351nYDDs2L1DW8mgSvD80nsQlvDaNkF5BX4OXT51qwM1Pj5id0rh0gOWfQML6/qoTCfYWUCBe5nmLqjYhCCGlF9FhYWFj8j1AzTwnwaT4278tla0EFufkCtyZxKyUIuRctMw9ZKSn3wj6fDYeWjUdE1zJKXqTUWLGhnCW72hHb5Dyyip2oWj6aywduH+g6lBWSmVVBk8Y+jEBvA82rkxTtQBEQ7lC5epTK2SMB4rno+0mHHMCm3eXoloPawsLC4n+CAKNkaNyVlpexpTKXPFcIWbllFLsA9oJeAqV2KNbIl7ARBTs5VNIIqenoVdNeVLpdREb4mPHeRPIrL8NbUYgifXg1BZ8m0TWJ1KG8tJJunRsw5ceVkOjx/z7CIZjy6wEWbSzApkgiQiVzp0jsQqJ5NUN/TYLUdRSbwp5cDx3TItB1HV2X6Lrly7Ow+CcxnkXdEkm2+FP4jZKuS2Kiw0lpmMrWjZeihNiway4aKIYhQJUQrUOkhkACOlLXaBoSQ1JCtZRI+zb1uOueuTRq6sQnK0HVkHhBcSMVLyheEB6k6uWPjS42bNzMtWc95g8Tvah/Eq1Sk8gt9CKQ+Hxgb2kYssAhUoHR4YoIVRnQzshxclZL6FlYWPxDOJ1OAMLCwvwvmxYWR4sNjKbe6Qxh4aLF3HJdP9zuU1FUBSGEMbOof66KQwsQaMyZM8f/ffQAyWndwvD4dARh1b/1l1H9XQjB5f17Up6ZyZzMTABUReC0K8QeXkivev8umD9P4vXphmq49XJmYfGPomkaNpuN9evXExoaahkmi2PC31MKDQ3lp59+Yt36dWiaL8iMBHUbiMAxHSEEqiLqmNLg0DIkxk0c+L3WbBl1x5AG2kvLa2dhcVKg6zo2m430HTuIiEuo8XxbWBwJ/3TohYWFvPTii/Tr3/8frpKFhcX/AlPfe4+nnn8Rh8Pyq1scPf6ekqqqZGVlGVnX2n9jlkgpJbpuuBH/rLq4EVxhdNdUVdTI2Qq2L0Wpe5sj1heJrusoQjnqMqSUaFJHEQKlSnlDlzq61BGII5Zl1tv0pqqqJRFjcXjMqSvy8vKw2WxWwIPFMeE3SlJKbDYbDofjP2OU/leQSHy6z//wCwR21X6EX1lYnBiEENjtdssgWfwp/tOvvZqms2RZBgcOlBzzb82HbX9GMdM+X8/7H6/2lxPsOfR4NFasOIDPd2yDvoHba1Jj5YGVuDV3jW0EArtix6E6cKiOGgbJ7XOzeN8Scstz/ctWHVjFBys/ZMGehbh8LqPOtQbuzGPwejV+mLGVDz5YwYqVB+o8PgsLC4vjQVCjJKU85C/YusBl1Z//uUbL2Hew+gUur65vWZmHwSOm8uln66q2O/qKa5qx7RdfbeT5lxaybn0WpaVufzm161Fc7Oa2O36hosLrd4lV1y/4uQaw2aovkVtzc+evd1NQWVDlljMGkMu95by5/C1u+fE2bvz+Zp6a+zRu3ajLwdKDDHp7ML+lGxGSutTJLM3kx60/cdvPt/uNlZQSSWA9DGOo+STbd+Tz3febefCROcd8niwsLCyOBVvQhbagiwGCjj8ELvsno+CMfQerX+3lxufo6BCWzJtEvXoRVdsde+VtNpXbb+rLhRd29C8LNj6lKILk5AhCQmxGqH3AJsH2q+uS0lI3r7y2hNtv7UtYmB0hBUkRiYTaQo0oRwwXa25ZLj9s/YHhzUdQLzyZiJAI/7rGMY1Zdv0SUmMa+8se1XoUvVJ7cf2PN1aF/Bu9LYEIEM80PoSE2rjjlr5cOLET9z3wW9W6Yz5NFhYWFkeF/zVcIlGrZpB94cWFTJj4OacNm8qFl3xN/yHvsW1bHkVFLkaN+YTOnV/h9LM+4sCBEmbP3smEiV/gdhtv7e9NXcXjT879Ww/CfHHftjWPsed9xpAh73DbXb9SVFiJlJIvv9pI/wFv06nnZB557HcANm3KYegZH3LF1d+yZk1mVTnH3gOQUpKdU4bHo/l7T1mZpVx8xbcMGfw2l1/zHZmZpdgdChXlXh594nc6d36Ry66ajs+nM2/+Hsad8xnjJ35Ohw6v8PrkpYBhxKKiQli8OIOICEfVVPUKbp+HVxa/SueXO3Px15dS6avErtpJjUllRMvhnNl2NIOaDcSm2Fi0bxHDp47k9p/uYFveNn99NV1jb+FePD6P32mnSY3PN3zBsPdGMPqDs/h03TQ03Zio0evT2bu3EK/XCu21sLA4sdRw35lt8rwFu2nbNommTeMIDbUzoG8TVqw6wHU3/cDoka1ZvvxGBvRrwv0Pz6ZPn8ZkZZexavVBfD6dH37axqABTWuUd6IxjclNt82ge6cGXH1db5Yt3cerk5fi8eh88dVGRp7RmrXLrueRh05D1yWtWyfw83cX0SItkYyM4hrl6brE49GO2kipqoLDoWImTd1+z0yS40OZdH0fivLKue/B33DYbezZX0jjlBiWLbuF9J35/PLrdjRNsmzFfp58ZAhffHk+H36ylk2bc5g7fzcffrSa0nI3n05by5w/duFx6WSXZxLljGb5TcvZnruNFftXEumMYHvudi7+4lKGTz2de2fdB0DvRr35+dIfiQwPJ7ssxzhXSFRFDRh3Muq8NnMtk5e8waSeV3N+p4k8MudRVmeuNgatbQp2uxX4YmFhceKpNXWF8X9CfBidTmlAcbGbjh3qUVTkYvv2PIQUnD6iOaqqcPqwlmRnlQGSsWe1ZfGSDFRFEB3loEuXBn/bAZhh1gcPllJa7mbDpmw2bc+ldYs4Bg1sitOpMmZMG36csY3b7vqVfr0bM3ZMWzQNVBXCwuwoikDTJOaEmIoiqozMsaGqChUVPoqKKqksc5FdUEFUhJ2xY9pSXu6hdfNELrqwEw6HSp+ejcnKKqV+fcHEczrQqlUCpSVuWjSNZ/u2XNZsyGbjuoNk5pTy3Y9baNE8kdZto0mNbcxV3a7ArtppGN0QVVGo9LlondSap4c/RZQjyl8fIQQ2xUaYPcyYlqRqnEiXOprUkEg03QgP31W4mwpPBTO3/4bb52JCuwmkRKccl2tkYWFhcbQEHTzy+XTcbh8+n47L7aO8wkOzJnFs3JzNihUHadwohqXLM8jKLiMkxM6IES14+ZXFZGWWMHRIc8LC7Egp/3Q+zrEghEBKabi4hOCRBwfTsmW8f70ELpzYkQsnduSTz9Zz170z6X9qExISwgDDkISF2v2uSylh4eK9fPPdJh64awAJieFHfSx+wybh6qt7MmJ4C/+6vLwKPD6NsDCjh7JoyT5GndGS0lIvXs0wFjt2FrBjdx4DBzZjzJh2AIyf8DlffXYeAB7dTYXLRbm3nEhnJF7Ni0QiEHg0D9lluYRGhwJgV+3GKFFVflK4IxxFKOjSyHOKckaiCpXokCgUoRDpiKBedD3eHjulxjEdpdqThYWFxXEhqFFyOFRsNsMl5XQaPYaExHCeeHQoF1z+FU8/9RsNmyby/FPDURRBWrNYYuJCWLx0H3ffderfGn1n6N0JoqKcPPX4MM4c/wn2EBsORWHqW2No1TKB8y76kt37CkmIDuGySzoTGelg4cJ93P3gTPZmFDPnjx189/NWXnnudOrXj8SmKrz6wnz69WjM+HPao2kSm63ullnTJT6fjhCCkBAbLzw7gosu/5o77/sVhOD5J4czdEga+/YX07XvFHxlHkad1Y6+fVKZ8/supn25noUrMnBVenny4SHExobi9WoUFFSiaTr5+RVERTnRpE6IPQRVGNfEqTpRhYpAGOHgih27asereQH4YduPvDD3JbJKs1iTsY4BzQbywshneWre00zf8D2lnlIGvzOUq3tdxZXdrmDNwbW0frEtMaGxtExqzntj38Wu2PFp+jGHsltYWFj8GcTuUpdsEuHkzHPP5/Jzx3P22LG43V7sdptf7cAUo1NVQUWlF1ell4gIZw0Xl17VMP8Zt9fxwHyjL6/w+IMuoiKdqKpCSYkLTTPUEBISwgEj/6aszIPDaUPTdKQuiYhwUlhYwa+/7eTtt5cz9Z0xpKXFIeWhEXU+n47NpvDq60uJjQ7h4os71VjvcvmoqPCCgIhwBw6HisttLBNAbKzRo/n+hy3MnJnOE08MwaYqREU5a/ROvF4du7166M+re7EpNgQCr+41jJIQaLqGqqj+aDowQsgrPBWE2ELwal6EEEQ4I6jwVODVfThVB26fG6fNSajdqE+Rq8hIpFZsRDqrp6k/cLCMBx+ezdR3zv7besEW/05MRYeXXnyRN6d+wLW33kZ8QiItWrchpXEqqt1mzYluUSd19pRqSu9Uu7bCQu2Ehdqrvlc3Tn92HOZ4YSqEh4c5CA+ruS46OuSQ7e121W8YAtmRns/3M7bwzFPDad483j9mVRcel48Pf1pDQUkFY0a3JTU1Bl2XhITYCAmpeXpDnDZCnMYys9zyci+VlT7iqupS210WaJAA7Io96GebcuildKpOnKHGNAKm0QEId4T7PwcuB4gJianx3e3W+Oa7TSyav4vMzOrkYMsmWVhYnAiCGiWjwTRfZapzamo3RCfb2/LxqE7vXo35qpeR0xOsh2RiLj/jjJZUer3kF1T6Q6brqkegETf/79kjhYYNog5ZfyIxx6EOu42s7iWXlLqJiwtl5BltgKO77v7IRcER93WycDTn5bjtyy+Hf/I9RxYW/yRBjdJfEQ39t2O6IVVV8Qc/BMM0Sm3bJvFQ26Qa6+o6d8GSjNPS4khLizvs70xMQVYzeMGMpjOFVo+Wo2l4zbo4nTauubJ7rXXG/5puRPAJoaDWqkPgsUgp/XUFUBTlsHWQSHQpDynzaDHFZs06mEoVRzpPweqkSc0QraXm8UiOXN5h91VHoreFxX+doEbJ5fKxd18JqoD6DaKIiPjvSM8frRvSdGGVlrrZs68Ir1ejebN4oqKcQbfXdUl+QQUJ8WE1GmxDgVvWqb5tjl2B0WiqSnXd/myjmFeRR0xITFCXX111MHtOZl2klDXqokvdPymkV/eyp2APLp+bepHJJIYn+oMzjgaBQP0LL0W1z0uggaoLTdcochUR6YzEoVbf78HqXT355Z8nO6eMrMxSYmJDSWkYZamvW1hUUSt51nAn5OSU89Rz8zh1wFu89fbyqnXGNl6vjsej4fXq/mU+n7HM49Hwaf9clJaURgCDx6PViBYLrJ+puuDzVUeUSSnxeo8+WRYMMVeAjz5ey5ljPuH+R2azIz0fMAyNWQ+v19iuoMDFhRd9TXGJu8by6nrrNepnEqh9V+IuYU767xwoOYBEsjVvGzsLdiGloRJuHoupGK7pGl7dW/Xnw6MbUXmXfXs5u4t249E8eHWvX4xVlzoezYNH8/h19XSpg2L86cLnL1sIwS/bfuW9FVNZdWAVilDwal58uo+3V77D2Z+M47afbueP3XPJLM3ii/Vf8vHqT/h+8w94NA8S6Q9pN/fj031oUqOwspAVB1ZS4i7Fo3n8vSxN14w6a94aPS+v7vXXWyLZVbiLzNLMGudtfdZ6v5q6T/fVOHZd6mzN20bqs035NX2Wf1/lnnJWHFhBfkWBcU50DU3XOFBygDWZa6j0VhrHUHXf+Muttaz2/gBm/raTm2/+jiEjPiA9vcB/H1hY/NepYZTMt8mUlCg+em8c117bx/+gmC+adrsRKm63K/5lZvi4w6Fi+wff+IQwAhjMkHaTwPqZLjmbTcFmU/wNrN2u/imXpcer89B9p/HLdxfTtSppWFGEvx5moIIQEBJiIyY6xL/cHLOy2RT/eQ10GVZWevn8iw24XIYxSc/fyeiPzuSFhS8iELy+5HWmrp7qT5I19mN8NmYAVrEr9qo/G46qwAin6iTKGWUoiit2/1u/IhS/0rjZQ1CEgk2xYVcNFXKz7P9bOpnnFjzP8v0ruOvXe5iV/pt//fKMZUyb+DG/XTmTCe3PYfqW6Tz+xxOs3L+K/1symafmPu2fXiNw3zbFhipUyn0VPDDnAVRFxaE6UITiV6IwVdADe0OBCukCwVsr3uK9VVP9brvtedt5+PeHERjnxqbY/Mdu7rtdUls+mvAhXet3BkBVVMLsYdw/5wGK3cXGOVFUVEVlS94WnlnwDKH2UOMYqnLl/OVWLQMO2Z9AICVcfEFH5s69lkGnNvVHi1pYWBwmeVbXoajIRXh4dYSXpuncce9Mtm08SMv2DXj8wdOIjHTy4suLmDNvF3g0zh7Xjquv6B6s2BOG6UoryK/k5jtnkJ9VQv9Bzbnnzv54PBoPPDyHjZuzEFJy7aRejDqjFU89P5/KCg+PPzyEAwdKuPu+WTxw7wBat048YsRdIAIoKKjA49WwqQqKIvB6NG69+xd2bcumXacUHn9oMKoqUIRg8pvL+ObLVQwZ3p777u7PqlUH+eGnreTkl7Fjcw633HYqo0a2Aoxk3ClvLufss1sDYFNUujfuhiIUcspzqRdZjyhnFJtzNvP7rt+5odcN7C3ax4erP+TiLhexYM8ClmYsI8QWgoIRLv7wkAdx2pxM3/QdX679ip5NevDAwPsJd4Qze+fvvLLgFZyqk2t6T2Jo8yGsOriKZfuXs/bAOnbm7GB8p3MY0XIYX236imnnfkrDyIa8t2oqX2z4goLKfKYu/4CdBTvZnr2TelFJTDvvU2yKyo19rmdS90lM3zydzzd8SWZpJs8vfIE7+t1Og8gGLNizgLl75tI2qS1vLXmHXQW7GPvROJw2J48MfYguDbrw4eqP+GLdF8SHJXD3wDtpn9yeSp+Lh357mA2ZG4kPj+XpEU/RqV4nNuVs9gvM2hQb9SPrs794PzN2zCA9dyerD6yhQ712vDLqFRbtW8RL81+hUXQj2iUbScvL9i/jqd+fJj17F1d/MwmbYuPOAbeTVZrFywtepcJbwfD3RpIYkcDTI56kUXQjnpr7NAt3LaBJXDMeHHw/9SPr89yC5xAozNo2my4pnbl/0L1EOaPwaToet0aFy2tFMlpYBBC0W2P2OFRV1EgnuP/B2YQ5bUy6pjeVZR7uumcmAOeMb881V3bjyqt68P6Ha1i+Yj/w92vf3XL7z3Tr3IBJ1/Ri0cJ9vPjyIhwOlUsv7sSkK7ozbkx7nnp2HtnZZZw7rj2zZu9k+g+befX1pbRulUDjxjFouuEWCnRPHglVVXDYVX897rp3FgmxYUy6pje5WWU88NBsQkPtbN2RR052OS+8cCZff7uRefN2U1jk4qVXFnHG8FZcc20vHn9yLhn7S8jKLiM9PZ/wCAc7dxaQlVVGpcdFYngCLRNasHjfIsKqwrlzynNYsm8JAAUVBfyW/hs+3cvkJW/QIKIBSzOWUeErp8Cdz67CXRS7SliTuZoXRz3P6oNr+GbTN6QX7OSNZZO5usdVnN95Ig/MfoBdhbso85Tx+pLXOafDOO4+7W52Fu7km03f0j65PQlhCXg0D10adCa/Mp+uDbryxPDHaZXUgsu6X8LjQx/DqToJs4fz2OzH6fF/vXhu3gvc2OsGEsIS2JS9iQV7FgAwffN3uH1u+qf2Z1KvSTRJaMJt/W/liWGP0SK+BT9u+4nZO2dzTa9r6Nu0D9f/eANun5tvN31DVlkWD5x2H8+d/iz1IuqhKiqxYbHM2DaD5xe+gMPmoEFUQzSp8eayN2kS15QXRj5PsbuY1ZlraJ/UnnsH3s2yg8tIz08HoE1iG+7ofztNE5pwdc+reOb0pzml3ikMbj6Yi7peSIukFjw69CHuG3gPSeFJvLbkNbLLsrm297XER8Rz84xbAPhuyw+sy17H8yOfYf6eefyWbiitq1Vjl4plkSwsahC0pySl9I9v+KrGRoQQbN+RR2ZGESvWZVKaW8roMR0A+G32TqZMWUJSSjR79hWh/Y3Z/1IavZq8vAq2pueyL6MQNcRGWV4F9epF4PVqfPn1Rmb9soXIhEhy8srxejXSmsXx7htn063fm5w3rj3PPTOuRv7Nn5keXVUVPB6Nbel5FOeVsXhFBqV5ZXS+oAsVFV7SmsZx0w29iI8PY/CANHak59OgQTSXXNiJUWe0wuXy8dXXm1m+bB+/zk5nzcr97M+t4LIrvqFD+0aMvS4Su91Gj5Re/LZzFtvzttOjYQ9sqo2YkBg8mofokGgSwhMAQUpMCkNbDmF7/nbObnsWs3fOwat5iQ+L5aY+N9EusR0jW51OesFO4sMS2Jy1mfdWTsXldRHnjCfMHoZP8zG69WiGNh8KwLAWw5i2fhrb87cjpY4Qqn+cJCU6hRbxLYgJi6F9vba0T24PQJm7jCt6XM5d/e5iScZSnp3/LN9dMJ2LO1/M0oylnJraD7fu5oYu15MYnsgp9doTGxpDp/odSY5IBmBn/k5WZayitLKMYlcxjWMao0mN1omt+WT1NL7e9DXntD+H5IhkmsQ0YVb6b8Q6YzhQvJ/fd/6OTbHh1bz0btSHcztMICEsnvfHve+XXeqW0o2mcU1QhIJP9xHljKJzg87EhsbQoV4H2iS29icot05qxfqc9XRL6eZ3m27PS2fJniXsLdhHXnk+fZr0RpcajaMb8chpD9M8rjmtk1rjMidotGyRhUVQgholp9MGKMTFhpKYGI7DoeLzScrKvTz1zAgGDWzm3zYrq4yXX1vMxjU3ANCt95vof/OIrTkxnZCCrz6fSGJidXLovPl7+GXmDpYtvp6DB0oYefbHfn//H3N3c+nETuTlV5CVVeafV2nrtjyWr9rP+LPbVen4HV0OlBHgoOOq9PLiS6Po1bORf11ubgWhoXbi443M3k1bcxg0qAm6LomMNJJ7Cwoq2b23kO7dUxg3rj1SwrkTv+DLz88FYHXmako2ltE+uS1zdv7G/N3zGZI2BLfPTYmnFIfqYMWBFRRWFKIIBVVRcfvcRhCB5kPTNRQU7IqdJjGpAGzO2Uy7pHZIIWmT3IbpF3xb45jWHFyDTahU+lyEqE6EEHRv2J3JS6dQ4i4lKTyJ+bvnExMSg1NxUuwqRkqo9Lr843USSXJEMhHOCJrHp2FXbLg1N2PbjmX5/uV8tO4TYkJiaBZn3Fe61HFr7hoz6JZ7yzi97em8OOKFGvXr2qArv1w2g8zSTIa/fzo39LmegU0GsLNgF4OaDqJzg85szt1Mm8S2/jBut89dFdZdM1LP6FE18Bsar+bFWxU8AcY4kyFiq1HpragRvVjqLuGGvtdzWZdLa94U0jge8x492ohHC4v/KjWeENP9tGVLLo8/M5/5C/fgdKgsWpbBYw+exkP3D+KGW36kfv0IQHDL9X3o3bsRDetHMnDgWyQ2iObA/pK/NcdJCIGuQ2JiONdd05PThk8lpXEMNkXw7JPDadE8Hp9PZ+TIqSgOB6UlHhx2lRdeWcTMWelM/3IiU95czumjP+LLaefSokU8O3bkcckFnxHz/aWceWYbNE2vEThRG3MmWSkhPNzO3befyjU3/OA/T/fc0Z9ePRuxau0Bzhj3CZ4SN8kp0QwamMaixfv4/OsNbE7P5cCBEi447xQaN47B59PJy6sgN7ecvIJyYqJC8fg8FLuKESiMazeO1xdPZmf+TgY1HUBOaQ5nfnAWJb4SvLoXn/RR7CrCp/sorYpiK/OUoaOzv+QA4z8+F7tqx26zc96QCcSExPLj5p/o92Z/kiOSSYltyCtnvGz83lMGVWHVUkpaxLfgvA7nMv6TCcQ4owlxhPLA4PtQFMW/P6/u9d8HqqLy4twXmb9zIUWuYi7peiFh9jAkkh4p3Xlu/gu8OvoVfyRck5gmNI9tzsj3R5EWl8ZdA+/g0s6Xcf0P1zPsvRGEO8LpmdqDe/rfzZcbv+SztV8QbgunTWJrmsel4VAdrNm/hrIOZQxqNpAn/3ia5v1bogiFUk+JP3zdp3tRhJ1ftv/Ceys+YGnGUrYc3MboNmdwS7+biQ6Jpk+jvlz0xcU0jW3Ktb2uYXDaafRu1JsPVn/EaW+fRsukNjx02v3c1f9OrvvuBqZv+B4hYELH8VzQ8QIKXYX4pA8hBKXu0urp52vNPmxhYWFQQ/vusgnjGTNuLIWFFWzYlIMzxIauSTRd0qlDPSIiHGzemktmZikAbVon0qB+JNnZZWzZnE18UgTRkSEkJIT51bD/LszezKrVBykqcaEIQZdO9YmODmHP3iJ2pufRqHEsoU4b9RtEsiM9n9jYUOolGy6+9Ruzad4snrAwG2vXZXHZld/ywXtj6da1YdDAB7/23WtLCQu1c9VVXWus37Q5h6zsMoSA9m2TSUoKZ+PmHHJyy1AkdO3akMhIJz/+tJUPP1rLddf3IDTUTu8ejfw9DE3TycgooVHjaFRFUOmtJKssi9SYVBShsLtgN6H2UOpF1iOjeD/bc7fTPKE5NkUlITyBrNIsEsISyK/MJzYkllJPKXGhcWSWZpJRtB+f7qNj/VOIDzNU1Su9lazYvwIpISIknK4NulLqLqXMU0a9iHr+Xo8ZMbdy/0qKXSW0TW5D/cj6AP6Q6biwOCIcRs+z2FXM1tytuLxuokKi6Nygk/88fbvpW95f/QHTL/jWSApGQQhBkauYDZkbkEg61GtPbGgseeV5bMjeiECQGJFAu6R27Cnaw97Cvfg0jeSIJNrXa49P95Gev5P6UfUJt4exJWcL9SLrERMSQ055DknhSdjVaiX7AyUHSM/bSXRINGWeMqKckbRNbotNsVHhrWTtwbV4NA+tk1pTr8qdmFmaybbcbThtIXSsfwph9jD2FO5ld8FuENA0tglNYpuwp2gP9SPr41SdZBRnEOmMJNoZ4+95XzXpe266oRcdOiT/z8g3Wdp3Fn+FoIKspgBrbTRdotZqnE+mBymYTM+RpHtqr/9j7i7uf3QOt1zXmwnntEfXdRTl0F6SaZSee34h29PzuezSzrRtk0hsTOhRR+9JCZ9/sZ4F8/fyxhujj+FIa0ri/FV5HCnlX5YDMsdmjmp/SIoqi9iYs4kHfnuARwc/wsCmAw9bxtGW/3dIBQW7p47p+CVk7C9mZ3oujz05n1dfGskpp9Q7qZ6lv4JllCz+CkEd3JqmI2o9YIoiUBVRw+UghKgSQpU1ItX+TJDA8cBw5VVXxJRLMutXreEn/K5K43N1wMSggc1YHDBmFswgmb8D6NmjIUtX7uOl1xbx4N0Die1kRMQFO0+13TWKImjePB6PW6tT2aF2A2h+F4gacjqm9I3ZIJvL/MdaJfYeuC3UVDsw83r89avKDzJ/VxszgVUgajTItY1cYLma1LArdvYU7eGNxW9wdfdJDGw68BDZnsDfmLJKweodrM5m3Wqcp6rPQV9capVR1zkxy6h9DhWh1F2/gP35z4sQLFqyj08+XE7L1onUrx+JhYWFQZ2jrkcSIg3EbHRPBkTVJHuBL8vB6ldbhy6w4TB7OofrYZlJrgMGNGVA1fTvJsdy7rp3a0j3bg3Nmhx6PLXqEPg9sBEPJn1TW/zVXF2XTE4wOR4z1yfo8dTRMwhWhl9Nvuo3net35rOJ04A6erOyuo7mmqDHWIeEUGDdap+nQ+p7GBmiutbVdb7ruga1P0+c0IGJEzrU2jZoFSws/lP8T4UC+Rs3Uev7MSCEOKwQa21MAVcwVCKOtZeo64YRPFwgxb8dKUHXjennTUxZIVPJoTaBl+14urU0rWY9/ik0TfdLShlqIv9whSwsThKCtoRmQ2vqtwXqxZkuKOOhqtaOM7XlPB5DMmXO77u4/Y5fjCnVXT58vhPrRDbUqgV7i/axIWsDRZVFf0sUoCng6nCof8ptacoM/RvRdfB6606SrspDZttWnTMv1GjW28cXX1VN74GCggN0Gx7voeVs2ynZsFVS6TIMks9nGBQTn6+6fK8PowxfdRmaZmzj8YLbbSzPzpJcdI1Gsx4+Xn2jujDzOGqX4fNVl+EzpAWRsuby2nWqfSy6Dh6PsXzSLRrf/FDl8lSqpa8sg2RhUU3QnpLdHrwDFdh4Bo59CHGosrbL5aOo2OXXmDuR6OgoKHy/9UeemPMEoWoI7eu359EhD5MYnuRfb3F8URTj73DrAVq2UpjxGVx9vUZRUfV6Wx09lmdf1fjsO0lMvCA1EV59RiUmuuY2tqpb1KdBsNs1WG8oPkEw7R2VBx/TKMg/8nHYapWrS1DEocuNMclDl4NhUB1VouM+H5SXH7qNhYVFNUHzlDZtymbbtnzS9xZwcF8RV17Rnfbtk/lpxjZatUygRYt45s3fjaZJThvUjJzccp5/aSEVZW7atEnmhut6YrMphDhtvPvBKjau3c/FF/egS5f6x30iO4mRNFvqKeXpuU/x7ti36Vi/IyM/OIMpy97iodMeRMi6x0Us/jzrN0kWr5RMPEshOqZuN5vZaNdu/H+eKdE0yZzl0KwBXHupwqo1kp9+liyZoRIaJph4uY8PP9ZISRGkpAh6dhN4vTDjF520NEGHdoKXpuik74F2reC6SxSECn/M0yksgvmrICoSbr1KITqquo6BRmvtOsm07yVlbmiZCtdepOAMhW+m6wgb/L4EeneCCyYoHMyCRYt0Csph41a44Gzo1cMQJ/7wC51lq6BxI7jpckFYuMDjgecm6xSVwqLVkjOGWzeihcXhqPF+aCoxbNyczYWXfIVNVQgJsXPjrTPQNMm0z9azZu1BAL77YQvTv9sMwOTJS6ms9NK9W0P/hHVhYXZ++mU7ZaVuFFXl1rt+qZqZVRxXTTwzsmp91npSY1NpFteMW3++lZyKXHIrcnH5XH9rMu9/AfP6/T5fcsO9GjnZssbyYJiXQAZ8n/yezuPP6LRvBd/N0Jn6ic7sORrDBwpCwwQeL4wYKNi1G7alw/+9ZfjKcnPhlTd0oiLhjXd0CvIk3TvBps2SZ182tpnyts5bHxhlL1uq8823GooS3GjGxUGXUwQ9OsHqNZLJ7xoutnsf1/lkmk771vDyFJ05f+jk5ksuuVYjO1PSqAHccp9OaYnky28l69ZJuneG4iK471GjHnc9rLN1i07blhAZLmq4+/5LSKwocIujo0ZPKfB5nXjeKdx2Ux98Xp3TR39ERkYxKSnROBw2NE2nXnIEpWUeAFS7yrKlGZx5RhuGDU0DoKLCS4/uDbnlxj5kHCjlvAs+Q/NJ7PYTI9Tq1b1oUuO6H6+jVUJrHjztAaZvmW49CCcAs2G//iqFqy9RCDWi4Ot05RnzRRnuL3Osx6ZCYhxcdZHC2aMVwhVYuEQnxAn16xvbGMLA4NPhggmCW++UZGZJfp2l07mTILWx4Oc5OtlF0DhDsmULDO1r7LN+PbhwkMKZoxQuP0+huETi8xkNo66DLozxI5sKEWEwa65OVj7s2wuJ8cZd0yJN8Oj9Ch3aC7IyJCtWSoYMEYwaofDQXSoIWLxQZ8UqyYp1MGse7M2T7NoJrZsKtm/TWbtO56sPVZKSBKtXarjdJ/TSWFj86wnajHjcGk1SYwEoKnZRUenFblcoKnYRFelEVRV27S5EVA3sP3T/QFYsvZZN23Jo2vJFiotdOBwq9ZKN/IvcnDIiT9DstWYIbpukNqzJWEff1L48MPB+1meuJzk8mVBbyAnZrwWUlMKe/RK36/Db2WyGcYmJgKSEqrEXAboGp7Q1rl9+kbG8YwfBijVVv7HB0lWQECdJbSxomqawcJFk+Wq44iIFtws8lZKn7xZ887bK5gUqrz5j+OUcDoiMMMacFBViY4W/zLgYiI82PgsBdz4i6dgCfv5YZeRAgTmhrsMOHdoYnwuKICLCMJbJifjzvsorISQE8nMlN14B37ytsmaOymfvqqh2wysQG2Nsu323sa2FhUXd1BxTqvo/LMzOTz9vxaNrrFufRdeuDWjYMIqUhpE8+/JC/liwm0+nrefmm3oD8P4Ha9idUUiEQ6V1y0QKCipxVfrIzi4DjHmBDh4sPSE9JEUo6FInOTyZq3tdyabMzTw46yGWZizlmdOfBo4t297iyJjX8adfdS6dpPHLlyojRihGDyjgjtJ1o/e0fYfkq58kPy2QrNoOBwt1Lp8gUGzw+GuSlIaShQslD92l0q2j4NtfNK69WyMuRnAwFyZdYViJkUMEDz+n0bKpoGULw/Ccd47CM6/qLF4LUoOzhgk6nSLIzYWyMqMn5PMZY0hZWZJPvpZ89bNESKhUdC6bIEiMlXz/m8Sn6nz7ncbppxv3SmGJ5M4ndVQBm9Ilt95oo7RYsni15LFXdLZvldRvKOjTW6GoTPLCaxqZhToCGNAdevdUaNBQcMmNOmmNBStW6Fx54UkQj25hcRJTp/vO4VAJDbVz+vAWXHVZN6SEW27qQ+IX6/BpkhnfX0R8gqF4HRpqI8Sp4nZrPPLQaTRtGovdrnLLzYbRSmsWy3NPj8DhrJ6F9XhiKg/cfepdvLPiXXJLc3l2xDN0adDFv97i+CIEDBuo0LyphlbHy4Z5ne02CA2BW29QqKwEh2qsVBRwOCShIYJH71Ho38f4weTnFT79XqJr8PKTCo1SjOWDT1MorBS0bwEOh7Hs8guNIIv0vYZRMgMYrrlaoXHV78yxJJtNEBIiufwiBV0Hn8cIyb/7ZoXPf5T4JLz9mo34eMPNaLcLnA5BeBi89pRC08awbKWx79AQ6N5NcMW5Rm9o5FAjAnXFeonA2JfTCS89rjDte0mzVMGsb2wkGtJ5/EOiJxYWJz01tO8uPWcsY8eP54MPV7F1Wz7PPDXsTxV6vCPsjnq/tXTPrB7S8cfs/cyarfPE65JzT4fLL1FxOg8fHh6Mcy/ReOweQas2ir9sQ10j+D6DKTKa6443Hg+MOV/jh2kKapUB1CXMWyD5+DOdqVNq9nhOlqTck4Fg2ndxVdp3jSztO4sjEDQhKT4+jKiosqrZV6U/41xKiU8z3gQRoAiBogh8mo4hgyZRFMWYsVbKqix+403ySNM/HC98uq9Kx05BFVYrcbwxDcCAUxW6doH4uCP/RkpjbMf/XTdcb01ToaTCCDgwehfGel2Hqrxs1IAwcoHhigsMLVcU/AEMgdtrGodE28mqQAt/BCDVhsSnGd9No6go0CQVsvMgMam6flGRkJRUlWSrG8sUxShH0wzDFVgP81jMnpFZtoWFRXBqGCVTfHT0qDaMHtXmkI2FENhth/aAbKoCtdp/Y9zBeLc1XCcn/kkUCGsStb8Jp9P4g2OQAZJG421eomceC/7ScLik3GAJqsGWBauTCJL4alI7AVdRYPKLh9ava2dB186qYWxktfE0DVPtXxwpwfjvxDTKqmrp7FmcvAR9RH0+H4ry52RzTIzfWnf+f4EjNXBCBFddqMtddzyoy/gcC3W55EyX4eGMTfDJX/5ZDmeULSxOFg77DqdpEk3T/UoP5vQK5mdTB890z2ma7hcnXbZ8Py++vKhqinDtb5tl06xH4P40XR6yPFj9/+ZZ3P/1mG/edWFq023frnPO5RqDJmjMmq37fxtYxpGSSk1R18DP5v+aZvRYNM34Xl4O9z+mU1IiDynbv71Wsw6By82yTYNk7heMfCuAH36SDDhbY/AEjV9+1WuUA1UR4wE9KTBce7peXT5U1ztQK692/aB62dGep9rHIiVs2CyZcLnG9u1GpXxadX31gHoEHm/tfWoB5zvwnOoB59/C4q8Q1CjZbDZj/iRVoKpK9bQDAdM5KIrw96QM2RYFVa3WucvOKWft2kwURWC3/7Ve19FiNCRGPZSAuZ9URdRYbkjeCP82Zv0tl8axUVuupzZmTyIlReH5RxSiVUhPlzXW+91eVeUsXKTTspePb6YbLeFtd2t89LFWYyzG/Gz+r6rGGI6qGt+9Pli6wkjUNsuWskq7LmB/otY4j7ncLHvBYkmXwT66Dte49nYfxcVGvpWiwKdfaNx6peCbd1X69lWY/LZOWk8fXUdqDDjbx4qVunF+Ap4wRVQf8+ZNkutv9KEq0l8Xcxysdv2gepl5nh553Mf3P+r+MasFi3TuvFcLeiymKzMmCvLypd+w2lQoKpRcMclHeVl1PRQFvv9B5+FHfTX2qenV51lVqo1m4HU8WVyVFv9eanbmq+6ygweLKSpys3d/MUX5FQwZ0pzExHA2bcohKSmcxMRw0ncWIHVJixbxVLp8fPf9ZtwuLw1TYhg6OA2HXSUuLpQFi/eSsaeAQYNaUL9+xAmdXVMI+PLrjZQUVdChYwN6dk9B0yS/zU5n/4FiFFVw+rCW1K8fycLF+4iKdHBKh3r4fDpzft9J1y4NSUgI+8eiB/9tZGVL9h6Ajm0EIaF1jy2FhkKTxoJG9avFSQG2bDVeCFZthgaJMKif8cJQWghr1sGZo6Co2FDYzs6FoiJJqxaCgkLYd0CSlgp5ubBjD8RGQ4UbwsOhRRNBQpwhTbR+k6RTBzilnRGXmb4b5i7SCQmD0YMF0dGCg5mSygrYsB0qK6Bfb0F0ONz1sMarj6qc2k9w0dUab76rMXyowu9LJLsPwq4DELpKMnyQ4GAmPHu3wjnjFJ59WePZyZK3X5Rs3QE9ugpUFTIz4WCmxBkCn30nWbkZ3v5YEhMNg/tCfLxg+RrJ+k2SuDjBWcMEatUTOmO2JCdfkhAtGNxfoOmwaYvkrKoJi8vLjXNVUgo5WZI9ByEzG9q3hc7tBdt3SFZvhqceUWnSxDjPu3ZLpv8qWb0F3vtckpQAfbsawR3TZ0oOZsKHX0nio2FwP0FoGMyaK9l3QNI4RTBsgECXsHGjRApYtxk6tYV2rU/0nWfxv0wNo6RVGaUFC/dy7Q0/ce55HcjYXcj0H7byxbRzeeKpeYwd04ZzxrdnypvL8Hg0Xn91FO++t5JFS/cRHxtCbl4lQwenERZmZ87vu7A5FDavP8jX323lq8/OPSFjTeakfO+8s5JtO/MIswvmL86gssJL3z6N2b2nkMzsUkqL3cyfv4fXXxnFpi05PP/iAhbNvYpffk3n/Q9W8cF7Y4mLMzRzLJtUN6bx+fQryR0Pa2xbZKNla1GnUTLHYEypITC2u+dRnYP7dbr2U1mxTOe+mxSSkwRdO0BkuNHYJcQbygyz50rmL9R561WV5Sslz76uM/kpwaQ7dGLjYPt2aFhfEhsreP5RlaxcyWtv6ghV8PrbOh9PUQkNFbz5nkZouMAnYdVSjScftTHnD8lLr2kMHKqwdTPMnSfp2EbQsTWc2k8ggXPOhC++krRqKVm1XlJSAYtWSPLzYfggQUQUTPlEsniDTsYeyS1XK5SXwZU3aHz1kUq7NoInXtBAh1EjBBt2SEpdsGS1JDYSenYS7NwjmfaVTmSUYMNWne2b4J47VX74SWfatzr1UhUi7Tqn9lRIaWjkea1dL/FpEBNtCMHu2yu5+EofXXoIfLrC5Ld0vv1YJTNL8tMsWLxE57MpCj17KmTnSNZslJR5YNUGSVQ4tG0m2LlbsjPDMNALlklSkqF/T/j9V5gzXyc8SrB8pU72fsH5ExXOuVSjVRokNlR48XWdT9/Sad/2xMiJWfzvEzR5VlUV+vdLZcpro/H5dAYMfo/MzFIaNozC4VDRdUlsbCgutzHJzM5dBeRklfL8U8Np1MiYY8Dt8ZGUFMGLz5xOZnY5Z437GK9HJyTUdlx7S2avxuXy8cY7y0lNiSKpYRRzZ6fTuFE0Awc0pWPHeqx4aw8+1cbc+bspLnYx6YpuOGwqo8d9Soumcfz0/YVERjrRpUSxLNJhMU/PeeMEPbvbaJQqaiyvjTmmYf6ZRio6Cs64TOHqyxWmfgizftcZPVwhMUnQpo1g9Tqdykqj4PBQo+HVdQgLNXTznE6B3QYP3aHy5Is6V18oWLBIUlwCIU7BpEsFPbsrXH2jZO58neT6gq9mSM4cJcjLg3nz4aF7JOFh0Kmj4OXHDT/V5s2Sr7/TiImqHiOJjhKUlEvOHq1w9kjJhAs1Jj9l1BVA80FSPLRoCvgE8xdL7rtDYfCpggULdJo0Vigvk9xxs0qHdoJGDSUvvKzx/ssK5pP37sc6vy+WDBok2LwD5mdJ7r4NDhyU7DkA114CAwYYdYyKFGzbLiks0snOkXTvJIiPqwplbyJ49WmV8HDBpk0Cp1Mw4FTBgFPh3At1FNV4OejTS6F9a8lV12m89bRCWIRRj06dBE5FZ+lyyXPPVPvjPvxcI7sIOp4CKzcYrr9zxkCjFMEj9yp06SwYNl6yZ5/RQ7Ow+DMEjcWprPTStYsxRXdpiZuwEDtutw+Xy0dYmANFEVRUeBFVM7S+/MLp7NpVyIuvLWbp0n0s+P1KBIKOHeqBMNyBcbGhJ+QAzCkRcnLKCQu1c8P1vUlpFM3Ddw8gITGcLVtzue+B2Tz31DCKSlxs25rj/2271okU5lWiNBNERhrxzZZBOnoa1hc0rF/9va5TZ0Z8hYdCVETAuIOEgf2MH6kqmFkDbjcM6i+4/1HJmnWSUSMERaVG060o4PYY4dg+DZJije1DnOAMEVS6DZdgw3rQs7tRdlioYTT2Z0j6dRdcf4nRq0t6ykZMDFS4JO1aVYvAtm0r6Jiu8OFnur+uO9IlCbHGuM++DPBokHEQYmKNcSavFy4cKxg1UmH9BsmDj2v4fHDxBQofT9OZ/oPh8mrb2lAKP5gNFS5wVUJI1aORmysZPVThkguMsdv6yQKhwLVXq4waBV9O17jpIR/Tpqg0bgRfTZdcfL6C2w1bt0sapwrcHkhrUj3xYbt21RfF7TaMUWy0Mb6l67DvAJS7oLgUwiKq87gyc436mVRWSiorJBeNU+jfV3DbVQrJicY5i42Gls2NhOOIUAg5MTKXFv8Rgg5LOp0qK1Yd4KdftvHUC/OJiHZWSQcpfPv9Zr6ZvpnXJi+DqrfIFSsPknGgmNP6pSIk7NpViKbpHMws8b8dZ2WfIO27qmCFRo2iadUygTl/7CQ7p4wduwrweDRKS9xkZZdSXu5mxfL97NxZiN2usmLlfu57+Dc+/3QCdpuNm26dQVGRC02vjja0CI7Z23l/mk5kUy/z5xs3Qu3IMPM0ZmdLZv4hWb1F8vsSybwlErcbhALfzTTGS6Z9JxkwUCEsDPZlSCKjBN06C1ZvlhQUGkm6q9ZLZsyRPPykRm6BIeialWM0vnn5UFEBJSVGPXbskXz5g+Szb3RWbpAMH67Qt49CTrZk+3ZJXgHs3WsYsMoKyMmpToTVdcNt59bgxckaP/0m+W4WnHGG4h/0Lyw0/rfbjf/dbvhmhuSHWZKPvtTp0tkQgO3cURAXK/nkS50+PYU/GKBlc3C5JVOnSWbPlxQXS/r3E2zcrHOgajwoK1OCgM1bJLv2Stq0VaifCFvTJYoCv841lM+7dITZCyAhXuD1QXaOcQwOe/UsuNt3SL79WbJllzFetHaDBAkNG0B4uGTqpzoz/5Bk5UhsKnTqAOm7JZ9PlyxYangPevVUWLRYkpUL+/ZLiotBtUFWNpRXGOOFOXlQaSmhW/wFahglsym221W2bsvhw0/XUlzs4t0pZwFw68198Ok6v87ewbNPDmVg/6YAzJyVzutTlvLJp2u59ea+tGqVQMOGUYwe3RohIDk5gosv7IzNfmJCc4QwEnT/79VRFBW7eO2Npbz5zgoOZpbSo0cK11/Tk8mTF2N3qjx8/yDCw+wsW3mASy/pQtcuDbjv3lPRNEleXgWqoli+8KNAUWDkYAUnkFfVQNc+b+b3rGyY9o1Om1MUPEJh+gwdV4VEtRkN6wdf6ow/SzDhbIXkZMH5E4z7ZPwYwZ23q6Q0gtP6w4hhCh98pXPheQpXXyCIiYNzxys0ToFzzhakpQmGD1FoUB9GDFX4/jfJ9JmSJ+9XaN5M0KWj4PabVT7+VjL5A51fq8LTO7QX9O9frcsoBMTFCV5/VmV9ujF537WXC8afbWwTHQ3nnqOQnFR9rEMGCXwCPvtOJzwC7r9D9YeVpzVXKKqE/n2MwABdQtMmgiuuUJm3RPLVDzr5BXD+eIXRIxUmf6gzearOgiXGCVyyTPLmhzrvf6FzxnCFcaMFjVMF109SOKW9oHMnlS49FRo3FjSoB6ePUPxq5GYk4Zp1kh9n6QwcorB6szFNiOYz1NNvuN7GxnT49Fud3CpHQt8+CmeNUfn2R50fZ+m4XJL7b1domiaY/IFRv02bJaEhcO5YQXi48buJ4wRNUy1vg8WfJ6j23cefrGFHegGPPTL4TxV6IiPsjpUjRdJZkXbHhnltFy6SvPyeTsuGkltvUkmIF8ecCHvhlRqP3i1Ia1GtfXeiQopNA/lXLvWfrd+4C32MPUPhgokKPs0IxQ72jBxt+X9HYm7Q+smjFZL1Apb2ncWfI+iYkqoqlJa68XiMpFenU0UIw01mJseKKpVnVVX8GnlguNNsNsWfnGqzKYZmnk/Hbj+xWnTGZHLVPiS73cixMuqnI6rEWW02Ba0q+8+sq1E/xTJQR0laGtxwhUKPTsZb8uFeRHTdGHsw5yDSdUOiyGaDA1nQKLV6Qj8z78Zuq7qevuq8GFNvTijVunWm6oKZ42PoLVbp4Zk6dIG5NgHJoEIx9lM7WfaQetcqw9TyswXkEgWWax7fzFk6j74q6dFBMGGcoUxuqypDiKrkVWMyZuy2ah0/M7hCUaun3vAn5So1z41Zh8DPmnaocoO/flXXQFGqtwmsu+nCFKJ6v6YShCKq3YFguO7M6xJYD12rlqCysDhWgmrfjRvblvHj2uNw1HxKFUUcsgyMxv9wCCFOuEEy9sNh6lezjoFafHUdl8WhmI1w/XqC+vWMz0fqGRtTVBy6/K1XVX8yauC2gUmyDnv1umBSReb+zQbW/K3dHnzbQOMSuM+66m23Gw2tqXZgswWXTQpW7sABCl27QWJ88PJtKoeI5R2ttl/tcxP4Odj2wepXozzl0GMKVk6w8xr4O7sNvFYvyOIvYAt2/xgKDH/NjxKo+PB3oksdTTde+2yKDSGEXzkcDANpU2w1tjPqa6iKBy5XhIKqVD/Jmq6hS91fxn8ZM4Dlr2jXBTZwdfVWjsTx0nIze1amSkWg2kNggy9lde8JDq9iEBJi/Gnan1cH9yusBzyodWnYBYbbB/bgjrTvYEKyf/Z6HFKngD8wYqNULO+dRd0EfaSllDUGrc0b/HBvxNU6YkYi67ZteWzclM3YMe384zYn2jMmkShCQVFr9YqCGJBg2x1uOYCqqKiHPL7/TUxjdLRBIcHup9o9pMBtg91zgWXo0nAdffODTrvWglYtDs2V8m8vqsdgatfX3L52I2+6rQoL4ZW3dPbmSAZ2gcsuUoP2Fmo/G4HfA91+wep3uDrXJWYbrIxgsk+1vwdub37+Y6Fk5y7JZecLbHZThit4HYNdRwuL40nQ1tfQuDv0LfhwN6G5rdk72rI1j6++3uhf9ncYJIFg1o5ZnPrmQEZ8MJLNOZtxaS6umn4VQ94dzqC3B3PHr3cAsPzAcs786GyGvTuC094dyifrPgHg8w2fM/y90+k7pT/Pz38Raca9A68tfp3e/9ebS76+lBJ3yYk9oH8JR3tda99PJcWSK+/QePF1o1c6c7bkpVc1/5t9sAY7sAzzveHr6ZJt22XQHpt/ew5tvAO3lzrcfJ/OqaM1LrtFIytL+nsb336nsW69ztjTFTq0U9i5S3L6uRqDz9UYdI7Gb3N0f7nBzouU8OiTGjt2yEMa9hp1qNXzNIvbtk1nwlUap03QGHWxRv9xGnc/rFFZIQ8pIzfXOIcHDkh/T+ezL3R+/LnaktTYZ9X3hUslb3+gG+NFVct+myOZPEWrsb0ua547K0rV4kQQ9B2sosKLlIKCwkrcLi9Nm8ZhsykUF7sICbHhdNooK/MgpfQnnW7bnofPpxMR4SC1cQwhITbq14skK7uU4iIXTZvE4XCemF6GOcPse6unMn/3fH685DtcPhfRIdHkleextziDx4Y9QuuEVpR6SpFIdubvJMwZyrtj38aYsNBo5YalDWNo2lBK3KVc/PVFtExqzlmtz+L2X24nOiSan6/4mUpfJWH2sBNyLP8m3G6odBkT3x3OPVRRaTT8uQWGJE6zRgKPB9askmxcDbdeb+S9rFlriIWWlBpqDwCFRYaeHToUl0o0XeB0QGkFpDYw8pdCQ2D7Lkl4qJHQa7Jpm6ESntpIEB1pDNKb5ReWSOJjBUkJhtxRRanOuy+rTPtact9jOq88o5KTL5m7WNKjm0K/boZiwvyFEocCn72lsnCxzp2P6cztIvBqhuqDw2G4zIqLjYY7I9PI0WqWJvEBifGGLp/bA9vSJUKBls2MYwLIL4TMbInDDvWSBI0bKzzzgKGH9/qbkndfUQh1QmiocZzbd0p0CWmpRuDR3Pk6XbsIGjY01m/eIklMApdL4HFDdoGRc9Q4xeiBHcyUjB0tuPR8lZAQga5Bbh7MWyzZslUy8DRJWCik1BfY7bB3v6GYERMNjRtaXSWL408No6RXhfj8MnMHDz/8O63bJ7Jzax6DBjfn5RdO59bbf+HM0a05+6w2PP3sPDwejeefHcGXX2/k3Q9WoXt9tGlTj9dfOYOQEBurVh/k/kdms2Lxbk4d2IrXXx4JcELGmry6l1+2/cyE9hP4Y9dcmsSmUi+yHopLodhVzIqMlZS6ShnQ7FQEhp7ZgZKDzNs1nyZxTeie0g2AuLA45u2ex+6C3XRq0IkOyadwsPQgW3K3cFe/u/gj/Q+6NOr6nx5TMt/o3/5Q556nddbNVGneUhwS0mxGxn3+jc5rr2u06qiwbpPkygmC665UaZAIbZoLfv9DJz4OIiMNkdeb7tT56iMVTYNxl2g8dZ/gxxmSFRsl+XkQHwuFFfDJ6yqhYYKpH+mUIji4T/LI7QpnjlL49AvJrAU6PiA5Eu69XaW8XHLzHRpqCOSXCHSf5Kl7FLZs0nnhaZWWzQUXnwP3PKjz9bcaMxbByrWwbpfOL/Ml7zyvEBlpGOL5SyWbt0iGDzBUFy65QuO88QoXn68wb6HkiWc1bpqkMG2GZE8OvPWZ5J3PJbdeLhg6WGHqRzpLN0hsdmheD+64WaWyUnL/4zpZRcY+7rxKMGSwQrNUgc8DDZIlLZsZz06lC15+Q+PH2aA4oFNzuP924xgcdtiyXZLaSBATC40awnff67z7kU5UsmDjBsmEMwWP3Kvy/ic6n30PbZtL3p+sEh4m+PgLna9+NWaYvu4+nbQUeOEhhQOZMPk9nZIKY5ztsnMUBgw49LpbWPwVgrasAoiMcvL5hxMor/AyePj75OdXEBFh9IrMKSLsVW93s+fsJD4mlA/eG4ezqjekS0lxqZuXnj6dgiIXYyd8isetnRDtO0UolLpLqfBU8vP2X1B0G+lFO3jotAfo36Q/57Q/hx15O/h207d8s+kbXhv9Kl0bdOHU1FOZnT6bVQdXcW2va7ii2xV4NA/zdi9gb8EeYsNj8fjclLvLya8o5NvN0ykpK2bKyrd4d8zbpMakHp+D+JfSu7vg4TsU4qqiy+q8plKQkCz44m2Vmb/pvPyu5MqLjHHLXj0NJe/EBOF3HZmRelIawRBhoYK9B3QmjFHYvFUSHSYJtRu9KyGMBNDPXzUa2C+/0+nTU+GZ/9MYc6ZCbAw894pOt046QwcJyiskLz1so2MHwezZOjv3QESYJLRK5Tw62ggsOOUUhcsvFdx5t482bRUuv8RodVeskhzMkcyYo1NaDM0bg8MhOOsMhcVLjMTedRt0+p8qOPsshbPPgvMu9PHA3YL2HarKWC35v/d1rrlSweuFZ17UGX26xOuRbN4mue4KhfPGK/5zAIYR8gYEY/wwQ2feAsmSn41H+NxLffz+h0Z4BBw4CFPe0xlzhgAdEhJg9x6Ij4cvpqoUFUjmLTJ6pfffqTKgj+TNdzRDLFfAnTcppNbXWbZc8uLz1d6NG+7W8Ero11cw4xfJC2/o9O+v1pgew8Lir1Kn+27E8BbYHSqyzEOD5EgKCiqN0Gm7ihAQEqJSWmb0rO67ZwBz5qQz6YYfkLrOh++Nw+vROW1gM6JjQkjfVUBiQviJPRJhGMIbel1Pt4bd+Gz9Z/yWPpshaUO4o99tALg1N51e78qmnE10bdCVp4Y9AcB3W77nmbnPcEGnCwixhfDQaQ8AcOuMW/lozUdc1Pliop3RPH/68zhVB3f9ehdzd8/lks6X/CeTb83D7dbZkAKqvbw2rkrJGcOMN+pKN8RGGss1DVq1UCgskEz7UqdbZ+GPbHM6DINks4FXh9goQ+duk4QWaYLt6RKHw3iBuuBcY8fJCeBUYcMmnbhoSGlglPX6cyqn9YG8PGjfWlAv0ZAmGjJEYc8eydfTDd02IaCsDDSfxOkwjEClG0rKje3tNsM4DOplqD0ADBrpY8KZkvFjBPMWGEZr8xZ44kEjL6moyNCQKy2rPh+7d0nqJwsiIwx34rR3VZqnCcJCBfffLVi2TGfMpRqXjRecOapaaUIJGN/ZvUvSOUDXrvsphqZebKxgwWKd4acprFytGxPvSSN4YVBfgdcLMXGCs0YLf+5TcamRE+W0V1+X3AJwe42cI0U1tO9clZIWrQ1x3AvOUejesXrs6z/2CFicQOqY5E9h//4SDmaW8t1PWygqc9G0aSzlFR42b81l+458/u+N5ahVo81xcaFceklXrr2qGytWHGDr1jxsqiAnp7wqFFtQXOwKtqu/jBACXepEOCJIi2/KxuxN7C3cy+z0OSSFJ6FJjYzi/ewr2sdby9+iflQyTWKbUumtZF9RBnuL9vHtpm/oldoLh+ogryKfvUX72FO0l0pfBZ0bdCI1pjGxYTEs3beUXQW72JC1kQaRVS3ef/BhNEOPv5iu02mQj9Wrg2vfmXh9kJNbndhpNtAlJeAMgb59BOs2QUGx4RbKK5Bs3SF5a6rOkhUSpx1KSw2DUOmCkjLDiHg84HLDlu2QmWNozzVqptCzh4ICdGwOky5UOGuYID7OaJgLi4zxHIfd+H1KiiA+SWHa1zqZ2fDl95KoOIW2bQwFcq/XCAF32Ksb3r37DSHTxcslEVGQlATxcYK+vQXvvu8jLByS6xkbR0dDXAysXi/JrNKIa9FCQZWSoX0E116sMLS/IDISfDoM7C24YZJK4wbw2bfVkQS6DuWV1ee0Xz+FRaskGzdJdu2BX+ZJUlIEpeUw83fo2tkwJtk50CBZUF5uaAiaCcrmrLP5BYZeXX6hcUwVFYbLtUljY7wpfY+hK2izCZLrCaKdcMV5CheNF7RtJf6T97/FiSVoTykszM6MX7ayYVs2oaF23pp8JjabwjVXd+e2e35h9rydjD6jNa1aGH6b++6fzeIVe4mwq1x+aVdatoynsKiStm0TEUIQGemgc6f6JyxvSQiBgsLd/e/huunX8cbiN+nf7FRu7H0D5Z5y7p11H/vyMwgPCeW9Me8SHxrHon2LeGT247g8lXRK6cgrI18G4JXFrzA3fR4CwaTeV3FO+wkATOo2iXt/vQ+BwkVdL2Bo86HGvv+jT6WiQJcOCps3auzaA1261B1u3bABhIcZEZgJ8UZvxWaDTqcIVAWatxJcdrmC1yNplCI4b5zCxTfodO0A544ShIZCq5aCpESjl9SwPqgCYmKgVUt453PJe19r9OgguOdmY/vnH1e54T4d1akRaYNpbytERUHrlsKvC2cmlL70uMIND+mcdZFG5/Yw5QVDeFXq0KKF8Pe4AOolQ3ElXHSzhvTCM/cqJCUZ6txnDFN4eark7WdEDTWJSVer3PGYzkc/aNxxpeCcMQo3TFIYc4VOaAQ0SYRP31FZsVzn/uckPhUaJsKDt1bfW+Hh0K618V2XxkSE112hcNmdOnYV7pqkMHiQwoEcnfbtjfPYqrXC2h2SxARIThL+4BFFMd5GvV548AmNtelgtwsuvlXnzisEY85UGDlM4Y8lcOEkjdat4JXHFV59SuXSGzV6jtbAC/deJxhzlmKNKVkcV8SuUpdsWkv77tNpa9myNY8nHhvyT9fP4iTDbGw3bTaUvQ/u0XngHpW0ZjXzW/6LfPqlzo8zdKa9r/4jieMnC16vF7vd0L6bEqB917J1Gxo2TsVut1nh5BZ1ErSn5PFoZOeU4/Pp6LrEXjWOJKVE0wLzIwzVBk3TA3IvBKoqkFJW6ZCJKneP7nf3nSgk0q/GIBB+NQZN15BVOeSqohrRd1KiySDbSq1ax08o/lDxwO0Dl/8XMXtAcbFw/aUqDRse3iD5tdyUatdfoF6d6dYDY7muVyevmr8z38ZrJ2+a5ZnfAxNVA92JNlvNfddAGq4zZM0yate9drmm7FBWluTxl3RWrJa885JhkGon/Zq/MWWUzGMMrHeNOlflYgWWUbvugWXUKFcaEkbmepvt0OMwMeWTTAJlnsx1geckcPvAbS0sjhdBte9GndGKQQObGRvYlADJFYHNdugbYDBjYxgn83PwbY43guDyP4FSQf5thcAmgmwr1KB+8rq2N4VnwTDAhwt60DSJqv79b9CmoRUIFEWpCokPMOBCGMd9FJiH176doH07Q0DGCP2u+7gCG67ABi6wgQ38HKyxC7yXatcnWMMYTIonmOKBsaJaKPVwda9drtlgx0Qb027cfh2kNRWH1DNYXYIdY7DtDlf3YGWYrrna6+syHoeTEQq27q/KDllYHImgj0BiYgSJiX93Vf6dHIvG3/EwSF7N6+/1KUI5Yr6UlDKooa3LgB8bRkv3X22oTMMTGgYD+1aN91jjKxYWf4karZLZLc/PL+fnmTuQXo2+/ZqSlhb3T9TtpMYMBd+7t4jf5+3C7dE4Y0RLGqVEB83Z8Hg0Vq46QI/uKTUUyo+Ez6fX2N6u1hReO1JIuhCC5fuXszJjFXHhcYxoOZyYkBg8modft89kf9F+Wia1ZHDaaccUtJGdU870HzbjVBUGDmxG06ax/8nweJO63GMWFhbHRq1HyLBKHo9GRkYxjz85l8+/WG+skYcq+wYbrPwnBzAD911XPYJt82eqbI6tffX1JiZPWc6u3QVUVniryj20xOJiN3ffM4uKqm3MRuxI9Q40SBLJa0te57rvbuDKr6/ip60z/EZABhyFRPrrkFWWxR2/3MHmnM3sK8rArRlzVf+641eemPsE6fk7ySzNBHloGUE/V5XrqvSxc3cBb7y5jM8+31DjnPwXscZXLCyODzV6SmYDl5wczn13D0BqEBpqq1pXvZ2uyxoiq4aYZJVL6R+MOjIHvk2lchN//QQoAQfiHyv7C/u021Vuub43F17Y0b/M3Ld5nsxlyckROJ22qu816137s65LSkrcvPjSIu66qx9hYQ68uptP103jhl7XYxM2nvjjSZIikuiR0r1GL8ccMwJYvn85KdGN+L+zXq9R7yUZSzi/0/nc0vvmGst1aVjLwECOGmVXVTA1NZrnnxzOtPYbyDxYcshxWFhYWPwZgr7beb06Xq9GXl6FfxAfIDu7jMsnTWf4sHe4+Mpv2LmzAIAnn57L8NEfMmL4VO5/6DdcLl+wYk8YZu9i86Zcxk38jBHD3+WWO36mqMiF2+3jpltnMGL0hwwZNpX/e2Mpmia57+HZnH3OpwCsWZtJ3wHvsHFjNpJqDcCj27ckO6cMj1fz9xQO7C/h4iu+Yfjwd7hs0nT27y/G7lApL/Pw8GNz6NTpBS667Bu8Xo258/Yw+uxPGHveZ7Rv/wovv7oYMIxYTEwIK1YeIDLCiVo1dtUwqgH9mvSlX5O+pMQ0JC4slpUHVnJ7lfr51txtXPDlhWSUZDBp+rXc9uOdrNi3ivYvtefVxa+xPmc9Q94dxmerv+CtJe/Q8bXOzNszH6/u5ZO1n3L6+2dw9kdjeX/1+2i6xrw987j+pxsY++k4Orzcget/uAGv5sWnaXi8GtnZpehWfK+FhcVxIqhREsLoAaiqqOHauuf+WYQ7bVx5TR88FV7uuncmADff2IerLu3CJVd0Z/oPW1mxcj/w97nyzF7azbfPoOsp9bn86l4sX5rB8y8uxOm0cc9dp3L5RZ0YN64Db7y9nOzsUh578DRCnHaeeGYuU95czj13nkq7dslVBkng8WpHXX9VVXDYq6cuu+PemSTEhHLlpN4U5pbzwMOzcdhV9h0opkVaPGvW3M6+fUX88usOdF2ybkMWzz85nG+nX8i0z9ezYWM2s2an8/bbyykqdTH1g1X8OnMHlRUa+RV5XPL55Zw37QIaRTUmNiSWUk8p+RX5AHg0D/uL9xMdEs2bY97g2ZFP0SO1Gxtu28DNfW7ilKRT+O3KmZzb+Rwu63EJa29azYAm/VmftZ4py6ZwZfcrmHDKOTw653HSC9KxKTaWZyzn1VGvMG/SPFJjU8mryMOmqjjs6t8SVWlhYfHfoY5J/gz3kZSga0auksejUVjkoqSokllz0okMt3PG6LZomuSxJ/9g/fqDNEmLx+3xHdNA/l/FdJEdPFhKeaWH7TvySN9bSKdTkhk5siVFRS7ueeA3KksqiYoPN2SJdInNpvDkI0No2eFVLjr/FEaPal0Vsm3U3REkjPxIqKpCRYWP4hIXmsdL8Ww3yYmhnD22A+XlHlq1SOD8iR0RQtCrRyOys0tRFMG549qTlhZHSYmb5k3jSU/PZ+OWHDatyyQ3r5w5v+8krXkCp3SOp350PT4c+xFO1ckV317Jrztm0iyuKSG2EDSpER0S7Z9Wo7ZLr/ZnUfUPYFfBbjw+L3N3zcPtdXNxp4upF1GPPYV7OL3FCOpF1Meu2rjr1DsBS4DTwsLixGAzMk1qoqqGq8imChwOm/HZpqAIwbnnnsKE8e3922ZklPDDT1vZuvFmvB6N9p1f/1sHvIUQVfM6OVAVhbvvHEDbttXx7HP+2MWmjdmsXn4dGzdkc/aEaX7D89rkpbzw9HAWLNjL/IV76d8vFSlh/oI9fPHNBh65bxBJyRFHHVVm5iEpwMWXdGXUyFb+dXl5lbg9PhwOBZ9PZ8HivZw5uhXFxR48HiNfaOu2PHbszmfQwGaMObstAOPP+ZxPPzKkjjy6i0q3mzJPGc5QJ5rUSIluiC4lOWU5qELliw2fk1ma6c87klL6x4kC0aVeY3lMSDSJkYlMrjX2pOkaFd5yfNKHHRs+3VeV92VZJItjQ9b6s7AIRq35lIxbZfPmXG6+4xd27S1EAWb+ns4br4zi9VdHMe7caTz21O+A4NEHBjN6VCv6902lbdsXaN66HvGx4f7B/L8DI7hBEBnp5NmnhjNu4meodgW7qjD1rTH06pFCgwZRdOjwEs1aJtM4JQaHXeXBR+dQWFLJKzePpEGDKG685Sc+/fAc2rdLIiTExpTXFjOoX1POOac9miaDJg2baJrE69VRFIHTqfLyCyO54NKvuOeBmYDg+adGMGxocw5mldLt1LfQyj2MGdeB3r0aM+f3XXz21QYWrszA4/LxzOPDiIkJwevVKCioBAEFBRVERjoRikqZp4zR75+FR/Nweuvh9GrUiwpvJWG2MLq82o1miU1pEtcE87G3q3ZC7aGH1DnEFoLTZkxF4tW9DE4bzJrMtbR6sS0xIdGkJTbj0wmfYFfthNjD/D0qUxFDlxKfT6JpRz/+ZmFhYXEkxM4q7buzzj2fy88dz9ljx+Lx+PB4dOx2BSnBp+mEhdpRFIHPp1NZaYQ1h4TYsNuNN/KyMjd2hw2nQ/1HXDvmPt0eDY/HBwjCQu1+yaOyMg+hoXa/a9Hl8hESUm083W4fqqqSX1DOjF938NFHa5j69tlV+TeHRhWa+UOvvr6U2JgQLr6o0yHrzfNk7tfn06l0+RBARIQxadD332/ht9k7efrpoaiKQliYvcb5C4zgA6Pn4vK50KVOpDMy4PglZZ4yIhwRNXp1Znh4bVkkcxyudg+w3FNeFb2oEGYPq/p9zajFQD79dD1Z2aXcfltfNO3ES0lZnPzUpX3XwtK+szgKgnZpbDaBw5xpLQBD60vxT4EeiDkBIPwzYw1mOLjToeJ0qLXWiUPqHGiQAH/vbvfuQmb/vpNnnxpGs2ZxhxiF2njcPt77YBWZOaVMGNuepk1j/WNWtfdpsylEVhkjs9zyCi/l5R4iAyZQDDx/tfetKirhjkPnphJC1DBS/uUElz6qyx1Zu2zj94dud+BgKZ98tpZfZmxj6JAW/rpbWFhY/BXqDHQIxrEam7+7x3Q89tWrZyN69WwEELSHZGIuP3N0a6QCXq8W0Ps4mroaG/Xu1YjUxjH+/Z3swQP+8TUp8fp0Rp7eklGj2gCHz1GrLaR6/OsVvPwTvV8LC4vji+1Ejjj+GxsBXZf4fIYb6vAio8a6Vq0SuKtVvxrrjiYowtykadNYmjaNrbHsZMY8toYNo3jg7gE11h3OKB3LsWla1YiYPDqlhMMZ83/DOf2fp0aEg7QiHSwOywmLSKiockslJp7gadCPM4oicDiOPhxc16sH+w1F9WNrBY3Qe/mvG4uR0jDeYITCBzNIprGoqID03RKbExrXE0REHL7s2gKvR+pBCgEHMiUHsyEiDJo3FdjthnFL3y0pKYd68dAoxbJQFhYnO0FbQrO34PXpeDyaPypPq8pZMj5XN8ZSSjxeDY9H84c3z/l9F3fc9Ss+n47L5cPnO/GvRlIabjSPR/M3mGAEHZh1M8PVfT7dv42Usob77VhQFIHdrlbNOXXsjZ6iiH+dQQJzahIVRN3HbZ7OA/slz0/WGXS2xudfav51mmZMNe7xGlOmS2l8n/Gb5J1pOm99orNrt0QIQyswcB4jX9X2Xh9k7JeMu0Djjsd1prynU1wk8fpg+vc6Z1+ocfeTOj/+XD1lu8drzLpqCneYZXu9xrq6pnW3sLA48QTtKdntwTtQgY2n4doy544RVYoGAQXbjEgym03525JpTSWK2gTbv7nMeAsXQX9ncXiO5Foz17VoKfj4DZU77q6pkhFsyou8PLj5bo3RZyoUFEi+/U7n/ddVGtSvqVlozjtkt8HqVTod2wneer1mgYsW6zx5t8LYMYH3bfB5ieqqj4WFxd+L/2k13L1GizF/wW7uf2A2l18znYGD3uGHH7cC8PKrS1i6NAOAjz9Zw9QPVgGwZUsuo8d9ysDB73DrHb8ARqNfUeHl7gdnMXDgFL76ZhNADS2944XZ0OXmVnD+pV8xYsR7PPHMPKQ0FM/vuPtXRoz+kBFnfMD3P2wB4Iln5nHP/bMQAvZlFHPuBV+wZUtuVR2t3JvDYZ7vX2ZLLrpeIytT1lheG5/P6IWUlFUPJQgBr0zWeeo5jaETNS6/SSM3R2KzQ9cO8PIjCh++rFBqaL0yf5HknfeN67J2veTRZ3UO7Ne5/GaNu56TzF8r6T1c44vpOkuX6gw7T2P6XHj8DcnAMRqbNht7/vwbyYhzNcZfpbF4iVHe73Mlr7ymMXGSxoDRGu99Yiy3bgMLi7+fGu+5plHKzilj8ptLuWBCR268sQ+PPfkHLpfGuvVZ7D9QDMC69Vls2JANwBtvLadNywSm/N9ZPHDvAKSUOENszP59FwP7NuGqq3rzzPPz8Xh8/qmijydmvW+5bQY9ujTk2uv7sGTRPl54aSEOh8pVV3Tjuqt7MOGcU3j6uflkZ5dx0fkdmb9oL199u5HXXl9Kl04NaNIkBk3TEf/hqc6PhaxsydJVksoK4/vhojbt9kN7Vb8vlMxbJHn1MQWfF157WyfUAeu3Q5cRGq0G6IwaJkhOEuzeA2s3Vt2fufD7fElCgsL9typMHCXo2Fzw7qsKg/srtG+v8NLDCj3awoTTBVOeVUhrJvh9vuSr73Suu1xh1GCFm+7RKSyU5OZJ3vlI5+4bFG6/VmH9Wp3CIolQ6j4mCwuLE0NQP53Xo3P5pV0ZfFozyss9fPjhGjIyikhKDEdVVXyaTr16kRQUVgLQpXMDPvhwFXFxYZw2qCnx8SmUl3sYeXpLTh/Rkm3b84mMWIV+Anz15jQVubkVpO8uIDOrBDXERmVhJY0aR+PxaHz06Vrmzt5OVGIk+YWVeL0aqY1jeGfyWXTu9QYTz+nAC88N/09PUncsmKfosgsULrug2tLU5crTddB0439f1diNzQZx0XDZdQptWwjOGib4bbZOTr6kTTPB1MkqqgoXXO1j8RKdqChBZAR4PBAfB9GR4HRCWhNB4/qQmw3tWldfu/ZtBPFRkNoQ2rQ0lu/cJVm/Q/Lu5zplZZDWQuB0GPU6b4ygUwdBpw5w5siAx8K6HSws/laCGiVN0/3JsNnZZRzIKiU+PozcvHJCQ2zYVIU/5u6ma9eGAFx2SWcuu6QzP8/czpljPmHV0usIDbGjCKNXVFnpPaxMz1/Fnx8k4YtPzyMxqTrib+78Pfw2eyfLF13HwQMljDjzI7/hmTkrnasu6UZWVin7D5SQ0jDqiMmyFtVs2CxZuFwy7nRBUrKoM0rOXjVZblQEJMVVf9c0qJdk/GDDNgiNEkSEg8MOMTHGNk4bREXB/iwoLweHA+YulFR4ql2GXh/o0hQSNsaGvB5jmRlAIQS4XdCvM7w/pebgkaZJf/I1WGHkFhb/JEGNUmSkk48/XcPKdQfIyirl8ku7EhcXSt/ejbjrwVm8/cFKNmzIoWcPI8n07vt+Y9XaA9SLCWHo4ObY7SqVlV7KKzwIYTz0JSXuE5KbYKh+Q2JiGDfe0JuBw96jfkoUNqHw4rMjaNUyHiklQ4e+gyMsBFeFhsOu8tyLC5jzx26+/XIib721gjPO+pivpp1H8xZHVnH4r2M28jt3S66bpFH/S5WzzxJoWnUAAhgGQlFg1WrJM/+ns2ydZMZimL1M45l7FWwOuOwOnZho0Fww+TmVECesWCc58zKNygpo00TQqpWCTZW8MVUy8mKNggydyBjjuisquN2Gwao9WWJ5Obg9xmefDyaeq7B4paTfKI2oGDglDZ55VMXthopKyxhZWJwMBDVKHo9G716Nue66HoSHOejcsT5SwuWXdaVrt4b4NJ3GDaP9EWsXX9iR0aNa4vNotGmbRFJSOKf2S6Vzp/oAtGuXyNefT8QZamx/vB9+pcr3f8HEU+jQIZmSEheKImjcKJrISCfTvzqfPbvzadAwhhCnjdi4UMac1ZbLL+lKeJidm27sxdChadSvH2n07o5v9f4ncbuhcYpCr94asXHGstrX1fye1kxw+3UK4ZGG+01qEB5hSLxeMhbatVNISxXUTzbcez9/pVJQbBi1Lu0FIU5o107wydsqGZnQvLECCMyhv4svUJkw3vhsRtCpNnjhGZXQUOFfHh8Lb72ismGLMQtxTFW+1PixCl6PZZEsLE4Gghql0lI38XGh9Oud6l8mhNEr6dyx/iHbt2ubVOO7lIbgqCk6GuK00bhKSudEYbhfJKe0T65VF0lKwyhSGkbVWN6iebx/vc2m0CHgd9Ybc92YvZ95C3SemSJ54C6VAacqfrdZIOZ5jImBXt0OPakFBdCtg6BrN3P6eLCp0Kp5zW0lxtBOaoogNeXQOpmuvtr7rlevZhi5lBAZAX261yw/OgqswSMLi5ODGkbJHGtp0yaRsDCHf6K/QLkdXTfeMv3TxFUZg0B/vFlOYODA3xFEYE7gZ6Iowj/fUuB4h7ms+nN1wITF4TGDGYYNURg25NDldeG/LFVjP6oKZwwXREULf+i1WYapRIM076eA5TWuY/XywO8mtZebhklWWTkRsCzY7y0sLP5+/EbJeECNp7JP71T69A7+g2ANtxDBlaQDjdDfFdV2tPWrWbe/r37/K0hpRNQpChyNLfdvE7DtVZdWJzBDdY9ImC89QdyBwe+z4Pusa9u63IwWFhb/PEHfb71eXw2ZHguL2ghhuNqOR+fSNBSHK0pKI2jBkgCysPjf5rBOF1NHLlAvLlAHr4b2naem9t1vs3dyy20//+3ad54g2ne6Xl0/n0+vcudJCgoqadPpNd5+d4X/OCyOHl03co7qOm2mAXn3Q53nXtbw+sDlrl5eWgpbdkjWbpKsWifJyzfcfD4f3PO4zpCzfLgqjcL37pGcf5VGs14+3nm/Wj8PjLBvj6c6/NvCwuLfiy1QVd6kLu27QA25QB08IQ5V1vZ4NErL3H+79l2gBp85jlVb+dtcHhcXyqUXdqZ1q8S/pX7/axzNtBIALhdUug2dusBb652pGm99IWnWTFBeAnddJxg1QkGxwcghguR4Bbvd6D+lNBZ886HK7fdoFBcZvzeFWuu4XS1OEmQdfxYWwajxOJs9hQ0bsti0OZedews4sLeIq6/qQadO9fnu+y20aZ1Iq1YJ/P7HLjRNZ+iQ5mRll/H08/OpKHXRtl09br2pDzabgtOuMuXd5WxYvZ9LL+tJj+4NT2jAg8ej8eBjcyjILuXUgc24+ILOAGzclM3kyUvxIRnQtykXXtCRPXuKmPzWMuLjQmlYFZlnjSsdHWawwZr1kvnLJJeMF8TE1p08q6qgeeG5yToHsmHSedC2rYKmw3N3Cc46W61R9tSPdNIzYPCp5j0p/AEKOjUNoaLAC2/obEuH9q3hxssNo/ZvmDDRwsLiUIJq323emsvlV35LdKSThIRwbr79Z3w+yZdfbWTd+kwAfpqx1S/U+n+TlyJ1yWmD0jilQz2khLAwOz/9sh3NqxMVHcrtd/+K16thNjDHE9Ol+ODDc0iIDaV//6b8OGM7n05bh9utMXnKcuolR3DawGa0aGGEgoeH2+napQEffbyWWbPSaxy/xdExf7Hkrkc1cnOM73WdvrBwwRff6jRIgqJ8ySMvGBvabXDvC5LB52kMOEtj/kIdAbRoDtlZkhdf0XF7agWk1Cr7pdd1Sook/XsLtm2XPPVi9aCTdTktLP59BHd8SMkF53fkhmt74fXqLDvzYzIyikhJicbhsBnad8kRlJR5AAgNtTNz5naGDWnBgFObVE3s5qV3r0bccG0vMvaXsHDJF2g+id1+fBsLM5S7pMTN7D92EhaiEhYdwo4NWfTvl4rdroCA3+bt5qyz2tKpKqE3MTGc887pwKKFGTgcKl6fjqoEjyK0qIl5jm68WuG6KxS/bFBdrrzKCsnI4QoXnqPQqJ7OM6+Z45Iwdphg4nkKUofGDQSaDv37Kng9Oh9Pk/g0w0VnzJUVoJ/nM96oFiyXZORAo10627fB8P74Q8kto2Rh8e+jTkWHxo1iACgqqqS0zIPTaaOoqJKoSCc2VWF7egENGkQCcP+9A7j/3gH835vLSGv9EutW3oDDYSMpwUiZz8srJyLcfkIOwHTTlJV5sNsUpn18Lo0aRdfYZsrrowG45a5fWHTNd8z7/UrCwoz6qIogOSkC+9807vW/RH4B7M+StGomCAs7vMusfrJhUIpLITzUWKYo0DQF2rUMzIMz/rerxnbRVTnPjqrLExtdpZ9nA49bUlYqee4+hdMGHHr9rBcMC4t/H0GNUliYne9/2kKZy8OGjdn06t2IBg0iSU2N4ann5zNzTjpffLmRm2/sBcBb76xk554CokNstG+bTFGRi8pKL9k5ZQD4fJKDmaUn5M1VUYyE2QYNIhk1sjWXT5pOly4NUIXgmqt6UL9eBK/+3xLyCisIs6ukpsZQWell375iPv5sLd//vIW16w+wfVc+l13UmdjYUEst/AhUz6ekc8mVGj9/pXL66coh2ncmZWWQm28YIZcbsqrcfSUl4HFXJ8sqwugNTf1EZ8Yfks2b4fZHdS4ZJ4iNhqmfSb6eJYkMh5wyncsmCC69UOGx53VmLwE0GDdS0LWz8CtPWFhY/LsIapRMmaCkpHDGjWnLpRd2QUq4+cbe1GsQgU+TzJxxMbFxxitvQnwYZRVufG4fjz0ymCZNYnA4VO64vS8AzdPiePmFkTicJ0r7zhineuC+ATT+NJrcvHJURaly3Qni48MRqkD36Tz3zHDi48MoLnaTlBjOgw8MxF3hJSzcgc0fUWgZpCMhBAzur9CyhYaso/E3jcJZZwj/2FDfnsb8SAATxiuoas2xIlWF2BgYNVwwYYwx+2yIE5xOQWKC5PYbFbwew3WnKHDBeIWICMHuDCMKIjSkun4WFhb/PkR6iUs2jXRy1rnnc9k5Yxk7fvz/t3fuwVFVdxz//O7d3WAgUULCM0Zq1YJaLW11FFqLTlERsdiHrR0dW3VGax+iFmvr1NqHRaniWF+dMlhsO9qCAasQBq2gEbQqGBUDJJCQKM+QhDzIc/eeX/849+5uwkYDQ0Cc+5m5czfnnpw992b3/PL7nXO+P/62YB2bKhq4b/aFB9XokfI0+vu+4cqsgyfwQFa8aPjDw8pV0+Gaq11isSPjmXhemMb8k0Y8HicajTL3gQd4/IkF3DjzVvLyCzh53HjGFBURjUbD+b6QPsnoKQ0fPpg9e9qTm2WjUTepcRdspA2keRxH8DyTph8muK7VlrMineLnuTE99jYNDNJj06zrOn7aglSZ44jvWaXupXf9kL4JDM/5X3M45xybbO/jSNe2S8951FvzLsDzei5SCIxObzUH17VHwiO58aW/e6dCQkI+mfQwSo7/bZ52yTimXTJuv8oi0keyPkHVII6kibfasnjcGqOBN0i+9I2/YMEaSvX7nGkSvK97OQjsSveP0cc4CNRv2yUV3woGYPHLjxCxmD36Q7qREEkZmb6MR1+eT6b5KrByRyEhIZ8OMn7NE4kEjuP2WzXbdQW310iSbiCOBIfDCKbebIDaFfb/C4UDcEhIyKeYjCN3oKrteYZEwiTDXKpKIhGUpUJif7p/Neee+wgzZ5XQ2tIFQF1dG9dct5iJEx/lyb+XHYZbsSGfRMLq2/329ytZvqISsJlvg36np7aw10z/Ns0a//BIeSsKdIK52WD+5T+PwLtJf216/ZxeFhAHuv2z37bWKOYHBn071T/zqMFcZjC/Nmiz9t23kJCQkKOQjEYpCHu5rtWtC0JyQSjMljkoVk3humu/xI9/8hUqN9bTnbAjck5ujHvvmcKZXyhiU0X9YbkZm7DPJRJx2FzVyPbtLYD15IJ+9/b+7DySn/NpicHM9iCBPRoUM9OD7fjLvbCeSuCtCDDIV4KIp5W5YGZ5mJXG1nV6XkuWGaBG8S738KZ7eJd6mNuMLRcgD7RLU0bOA+f7Ds61Au8rBGoHplffhNAwhYSEHJVkDN9FIi7dXQmWPL+Rlr0djBydy/Rp49i8uYGVpdUkuhKc+Nl8pl50Mgjk5R3DiScOIycnKznARyIOo0bmUFh4LInEwOcbULWLGIqf3cDepg6qqxqYNvUUAHbubGXp0k2oA6eNH8GkiUUAdHYmeGPtNk4qymNMUS4aA7ZgDdIgrDFoAjpBqxT2+teHgUwRaAItVZwZDnKabyD2gq5RWA+4oLsVTgH5skA76BLfyJwNMk6gDWQsyINuz4XoWxXeBmemg3wu7cpQoAgYQmqeKQJaq7DK7/cUkGHhio2QkJCjj17ad/bc1NzF7Xe8wKJnyikr25H0dJqbO9lT30ZjQwd/fWItCxe9nzRCXZ2JHqGxZFqBuDfgmnLGKCJw/9zVPPjQGsre2cmeujaiURdjlIcf+R9r121jfXkdNbVNyf5s29bC5K8+zlP/ftf2eSgwHKgDXaoQAwoAR9G7DXqfQcsVc5eHeclAl6IVivmFwTztp/HoVHSzoh2gdYquV9iNDfM9ZtAd1rjpQ4pWKgwBrQG9zWDuNOh8P1TaBFqmmBsN+lZaFjywYT5DKp1rraLzDTQCO0DvNWiDhnLMISEhRx29VMLtwPryK9VsqNjDCyXX9Kh85hmjWPhsOTt3tbJ1Ux3vvLeTK75zOsZoMnW652ly0PdM8Nouv3YGQFsuCDXu2rWPRcXlLHzqu5xwwnH8KPEcHR02plZV00hnl0fx098gEnWSRuz443N5/Y2fMrbQyhI5BYK2KfqGQZ9XNCbW88gCjgOZ7iAXCtwkaCcwQnBmCabd2DoGZJQgtwim2oPLBGeKn131A0UXKTJJ0JiiryhymcCpINnAqYLkACPsfckEQSYIZodnQ3LBHFQwf6Sps74Hugy4WKEZ9DWQa4FhpEKBISEhIUcBkdS/0pr0blqauzg2N2u/yj+7tYQRIwbzm19O5o/3vpLMUeQ4NjfR4OwoBfnZtkysrlxuThagyXmpQ+01GWPbbt3XRXZ2lIICq7e3u67N37MiPP3PK6isqOeq64tpb+1m8cIrEYGsLJdzzi60AzsK2Yp2KFoPcgHoawrHKBpXNFch3587GpV8YvYcVxgM6vjeSQJ0n9pwXVBnu4ECRW5yIAvkDoEc0ApFRytyNdYzC56Rb0jUKORqag7KAY5TdJBaoyOKbjfIBJAb/Lm/fIFYWjuhtxRyGEl9x/Uj/iEKP5QhmXEC3bFAWRngixNGse3DZmbPKWXx4nJeWlkFQH3DPnbsaqH2gyZKV9fQ7nsiq9fU8syS91n37g4WLFhH9dZGWlu7Wba8kpWvVrOqtJqlyytoaGgHDq16c7Cpd8zoHGIxlzlzXuYv895i6bIKROxm2lWrtlLzYRMXTBpLS0sn9fVtiAhVVY1Ecu/mz4+8hiAYV9FNQJki5wv6nkKXwBCBOqANiJIKn+0GfUHRckVfV7TUeipEgdNsCFBLFN2gyOcdyANTYtBaRd/VlLezx7aF57cNUKXofxStAl2h6FprEHWtossV3Qy6yKBbFJkoaKNi3vLb3qh96b+HhBwhFPzISZAbKzzCI9PRY04pWJl2+ukjmT/vciqrGlhUvJ5X13wAwF2/mkzCMxQ/u4Gf3zyJi6ecBMCrq2vZtr2Z8yaP5cX/bqGqqpHuLo+lJRWMGpPDyDG5PLdsE42N7YhI0ns4FIhYdYbs7Bhz50ylurqBxqZ2Fsybwanjh5NIGJavqGTBP8ooXbOVe373dUaOtDIEQ4dmc+ft53HWWYW2rXwHuVpsWK1QkCliFzAMAZkqcHzwoOyhexVdociZggwV9GW1HhLg/NBFCsXOTW0EhoAz24Va0MUKJQodwAiQSwVySa3KE9AtoKsUuUigHjuvpMCbiu70F1q8CWwGzhBklgOrQIsVSv26h+4xh4QcPOobojCMHNIPpLK5Qz+TO4gZV1zJ9d/7NjO++a2kdlU6fenKHajO3UAueuhvP4I5pfT6yX4FRUrm0ENQ3tf1vn73o+ofSNuZCMJ6vdsKCTkCxONxYrEYcx+4n8eeeJIbbr6FvPwCThk3ntFFRUSjsQEdB0KObiKkfTjSPyjBJlSwg3c06iQ30wZlji8r1N3dc4WdG3FwRPxMsymiUeeADNiBEvQv2Pwb6NzZFYB+31wnTY9PiSc8Im7a/qU4qf1Ewd6jCDa05nsxyQHfYJePpxPx6wTXlNT+IZPWPtgwn/ptB+G2oO0EKfki9d874pebtPKg7Xha/UxKECEhh4lgLNjf7vSK04SEZOD/zzhFGdNFOJgAAAAASUVORK5CYII=
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAfIAAACcCAYAAACEGClOAAAK5WlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96Y0WiICU0Jv0FkBK6AGkd1EJSUhCCSEFFRsqgyM4FlREUBnQEREFR0faWBALtkGwgH1ABhV1HCzYUJkLPMLMvPXeW2+vdXK+7LvPPnvfdc5a/wWAksIWi7NgFQCyRTJJdJAvPTEpmY57DGBAA3igAYhsjlTMjIwMA4hNz3+3d70AmphvWE/k+vfn/9XUuDwpBwAoBeE0rpSTjXA7Mr5yxBIZACiEgdFimXiCf0NYXYIUiPCHCeZPMpo8wWlTTJ+MiY32Q9gJADyZzZbwASD7IH56HoeP5CGnImwn4gpFCG9G2IsjYHMR7kZ4TnZ2zgR/RtgciRcDQDFGmJH2l5z8v+VPU+Rns/kKnupr0vD+Qqk4i730/3w1/9uys+TTe5gigyyQBEdPMXQ7MydUwaK08IhpFnKn46HbAnlw3DRzpH7J08xl+4cq1maFh01zujCQpcgjY8VOM08aEDPNkpxoxV7pEj/mNLMlM/vKM+MUfgGPpcifL4hNmOY8YXz4NEszY0JnYvwUfok8WlE/TxTkO7NvoKL3bOlf+hWyFGtlgthgRe/smfp5IuZMTmmiojYuzz9gJiZOES+W+Sr2EmdFKuJ5WUEKvzQvRrFWhhzOmbWRineYwQ6JnGYQCwRADkSAC3hAAtJADsgCMkAH/kAIpECM/GMD5DjJeEtkE8355YiXSoR8gYzORG4gj84ScWzm0B3sHBwAmLjPU0fkDW3ynkK0yzO+3HYA3IoRJ3/GxzYCoPUxANR3Mz6j11N35WQ3Ry7Jm/KhJ34wgAiUgTrQAnrACJgDa+AAXIAH8AEBIAREIJ0kgYWAg/STjXSyGCwHq0ERKAGbwXZQAarAXnAAHAZHQTM4Ac6AC+AK6Aa3wD3QD4bAczAC3oExCIJwEAWiQlqQPmQCWUEOEAPyggKgMCgaSoJSIT4kguTQcmgtVAKVQhVQNVQH/Qi1QmegS1APdAcagIah19AnGAWTYXVYFzaFbWEGzIRD4Vh4AcyHc+F8uBDeCJfDNfAhuAk+A1+Bb8H98HN4FAVQJBQNZYCyRjFQfqgIVDIqHSVBrUQVo8pQNagGVBuqE3UD1Y96gfqIxqKpaDraGu2BDkbHoTnoXPRK9AZ0BfoAugl9Dn0DPYAeQX/FUDA6GCuMO4aFScTwMYsxRZgyzH7Mccx5zC3MEOYdFoulYc2wrthgbBI2A7sMuwG7G9uIbcf2YAexozgcTgtnhfPEReDYOBmuCLcTdwh3GncdN4T7gCfh9fEO+EB8Ml6EX4Mvwx/En8Jfxz/BjxFUCCYEd0IEgUtYSthE2EdoI1wjDBHGiKpEM6InMZaYQVxNLCc2EM8T7xPfkEgkQ5IbKYokJBWQyklHSBdJA6SPZDWyJdmPnEKWkzeSa8nt5DvkNxQKxZTiQ0mmyCgbKXWUs5SHlA9KVCUbJZYSV2mVUqVSk9J1pZfKBGUTZabyQuV85TLlY8rXlF+oEFRMVfxU2CorVSpVWlX6VEZVqar2qhGq2aobVA+qXlJ9qoZTM1ULUOOqFartVTurNkhFUY2oflQOdS11H/U8dUgdq26mzlLPUC9RP6zepT6ioabhpBGvsUSjUuOkRj8NRTOlsWhZtE20o7Re2qdZurOYs3iz1s9qmHV91nvN2Zo+mjzNYs1GzVuan7ToWgFamVpbtJq1HmijtS21o7QXa+/RPq/9Yrb6bI/ZnNnFs4/OvqsD61jqROss09mrc1VnVFdPN0hXrLtT96zuCz2ano9eht42vVN6w/pUfS99of42/dP6z+gadCY9i15OP0cfMdAxCDaQG1QbdBmMGZoZxhmuMWw0fGBENGIYpRttM+owGjHWN55nvNy43viuCcGEYSIw2WHSafLe1Mw0wXSdabPpUzNNM5ZZvlm92X1zirm3ea55jflNC6wFwyLTYrdFtyVs6WwpsKy0vGYFW7lYCa12W/XMwcxxmyOaUzOnz5pszbTOs663HrCh2YTZrLFptnlpa2ybbLvFttP2q52zXZbdPrt79mr2IfZr7NvsXztYOnAcKh1uOlIcAx1XObY4vnKycuI57XG67Ux1nue8zrnD+YuLq4vEpcFl2NXYNdV1l2sfQ50RydjAuOiGcfN1W+V2wu2ju4u7zP2o+x8e1h6ZHgc9ns41m8ubu2/uoKehJ9uz2rPfi+6V6vW9V7+3gTfbu8b7kY+RD9dnv88TpgUzg3mI+dLXzlfie9z3vZ+73wq/dn+Uf5B/sX9XgFpAXEBFwMNAw0B+YH3gSJBz0LKg9mBMcGjwluA+li6Lw6pjjYS4hqwIORdKDo0JrQh9FGYZJglrmwfPC5m3dd79cJNwUXhzBIhgRWyNeBBpFpkb+XMUNioyqjLqcbR99PLozhhqzKKYgzHvYn1jN8XeizOPk8d1xCvHp8TXxb9P8E8oTehPtE1ckXglSTtJmNSSjEuOT96fPDo/YP72+UMpzilFKb0LzBYsWXBpofbCrIUnFykvYi86lopJTUg9mPqZHcGuYY+msdJ2pY1w/Dg7OM+5Ptxt3GGeJ6+U9yTdM700/Snfk7+VPyzwFpQJXgj9hBXCVxnBGVUZ7zMjMmszx7MSshqz8dmp2a0iNVGm6FyOXs6SnB6xlbhI3J/rnrs9d0QSKtkvhaQLpC0ydUQ4XZWby7+RD+R55VXmfVgcv/jYEtUloiVXl1ouXb/0SX5g/g/L0Ms4yzqWGyxfvXxgBXNF9UpoZdrKjlVGqwpXDRUEFRxYTVydufqXNXZrSte8XZuwtq1Qt7CgcPCboG/qi5SKJEV96zzWVX2L/lb4bdd6x/U7138t5hZfLrErKSv5vIGz4fJ39t+Vfze+MX1j1yaXTXs2YzeLNvdu8d5yoFS1NL90cOu8rU3b6NuKt73dvmj7pTKnsqodxB3yHf3lYeUtO413bt75uUJQcavSt7Jxl86u9bve7+buvr7HZ09DlW5VSdWn74Xf364Oqm6qMa0p24vdm7f38b74fZ0/MH6o26+9v2T/l1pRbf+B6APn6lzr6g7qHNxUD9fL64cPpRzqPux/uKXBuqG6kdZYcgQckR959mPqj71HQ492HGMca/jJ5Kddx6nHi5ugpqVNI82C5v6WpJae1pDWjjaPtuM/2/xce8LgROVJjZObThFPFZ4aP51/erRd3P7iDP/MYMeijntnE8/ePBd1rut86PmLFwIvnO1kdp6+6HnxxCX3S62XGZebr7hcabrqfPX4L86/HO9y6Wq65nqtpdutu61nbs+p697Xz9zwv3HhJuvmlVvht3p643pv96X09d/m3n56J+vOq7t5d8fuFdzH3C9+oPKg7KHOw5pfLX5t7HfpPzngP3D1Ucyje4Ocwee/SX/7PFT4mPK47In+k7qnDk9PDAcOdz+b/2zoufj52Iui31V/3/XS/OVPf/j8cXUkcWToleTV+OsNb7Te1L51etsxGjn68F32u7H3xR+0Phz4yPjY+Snh05OxxZ9xn8u/WHxp+xr69f549vi4mC1hT0oBFDLg9HQAXtciejkJ0Q6IlibOn9LbkwZNfSNMEvhPPKXJJ80FgFofAOIKAAhDNMoeZJggTEbmCZkU6wNgR0fF+JdJ0x0dpnKREbWJ+TA+/kYXAFwbAF8k4+Nju8fHv+xDir0DQHvulM6fMCzy9VNqpqVMsugJzS0A/7Cpb4C/9PjPGUxU4AT+Of8JizUh8jnksS0AAQAASURBVHic7P3Xk1xZnueJfc6517UMrTWACCCgVYrK7MpS3dtd3dOznJ0luQ80o9HIF/If4AtpNBqfaHziy9KMtkuzGdoMd2anZ6ane7qqS2RXamgEQgCB0For1+73nsOHc6+LAJDIrKptVfFNi3S4+/V7j/7p309orTVnOMMZznCGM5zhHyTEP/tn/0wLrN/wLuq305oz/Jp42/jLv5VW/KOFfsv4na3/32mI31AU0uK3045/qBDitzsAp2XT0/d/2/e/6fO+Ld72/Nfd33VdACzLoq+vD3EmkZ/hDGc4wxnO8A8HxWKRbDZLIBDgX/yLf3Emqp3hDGc4wxnO8A8JwWAQrTWu6yKEwAZYWVkBQCmjIrQsyxPnzXulFVJIXlHRamnUAtpFa4UQ5nshRIM6wJUKIQRS+2oC/z6nVJLaNi+WRqvadRKn4TKlG39nmW4ACq0VUhpTgX6LzspXaSh0te9Svq4Ppv3uqftJr/0SUf3EPNetvq+/T/3z/M+FELiua56rTz27qrJ1vDkINnyvlMKyLFxVQQqJUrX2Ayj/927tc6UUVrW5/ji53v1r41iv7tHKM72cUiFX+6BrfWvsq6r20R8PrTVaO0hpoZRGCPlG1aKo6ixl9b5+n80Fjtcsu/q9mX/xyjprbF9tXrRW38DyUBs7KSXCX3/S7BOJPqX+qs2jUi5CyFf2xOvhj2+t3Uq5CCtw6nuq83X6vkopbOn31Xt9q+aw8bl+P/1Xvy/mnrX59edWa9d7bXxQ7Tduw/2F0K+dn1o/ZMM96p9Z3SsN37t8HcQp04j25k8I2XBu/frwxs87v/x1WX1edVje/Jz6dV0/n99s3bwetfFq/ExrXT3TzTXarGtvXvxzxN9/rztH69dGPZ2wpIWrXI9eeN9qx3tvv3Kf+t+fHh///JKnTVun31fH+/T41tpVj9o5d/r53xSN689fk9XzSp1S5f+GlgP/fE03txCPR00LZGNfbYC7d+++QmwANG7twFMaIRpt6f57ody6z/wDUlcf6AjzffXO/kScti16G8HFRQoBSJTSWLJxo9a3SVoS4QpzaGrHPM9xsSxDGP3Dpr5fSjUSKreOsEpZ+039OJjXRkIrvANIKP3afmnV+Nzq872P6seonsD47ZPSXKOpNIyP34b69r1ufrS/EbAa5ldo17yXdpVhEEKglX9oKISsa7e2vbGptdkfI6UUFrV+1rffXz+1+8jq5/XvXd5wUHntF1776+fHfGE2sPQIebUN0lt/b1xntU2gtUZbbzkoT11ve+OgqoxmI8Pi+5ycHqvT/35Tf0+3239ObV35c2m9QmD99vjt0FqfPlfe/lxOE+paP+q/r77WrffX9k+ohvV5en6q7/3nqtq930TEGp7zFh8Fqd5MQH8TQlm7yesJeZVo+sNxigCdHuOGPf2Gz/3vTt/nTd8LIRCyJqi89lpfIBMK5araOVK3/6BGvF8Zrzcw+LXnKXMmEKhe4+9loOE8aGhb3fnVCFk9Y8x5Umn4/el18cp4nb7fN/BxadgLr5lHM77m3Dy93t62/962/vzz9f/yf/2/8b/93/1vGp7r/94G+Bf/8r8/9dNax4QU2JbEsi18CatcNt/bliQUCnkSuUa5mkrFqUrFwZCN6zhUKmajBoM2UkqsN3qHiMaOa0mxWHhtR4PBoMcFSRBuw+9LxQpKuUhpmfYBpVIJ5RPcOg7Q5+iltAgGA17/ytUB8gcsHI6gBbjKxak4OK6DLcyCsj3uU3nEJhCwCATsqiTmoikWC94zglUpQGtFuVxBubWD+fQGkNLCts2BXSqZBavcGqE197S8cfAlm1McqPY3FziOQ6ni31cYxset4FQqSBkgGAyAUFQqDq5jrguFzQZ0lIvjODiOwrZsQoEASilc10iOIFGuwrIlwWAAIfH6atpUKWuUchsOFTsQwA54G9zbUKWi63HRRmoIBK3qpi+Xy7iuMMRM+IyUwLYDBII+hyQpFPK8UfODwrLt6lxYbxHJHeVScRwcpbEtm2DA9LPkGMnDklTnyHUdKuXac7TWSEsTDAbfKJlLThNSf4NWEHWamhq8dV6q4DhOVbMChshLIQjYAYIhTwPyFoFTVRkpc1+nAhWnYoivFAQCAtu2q+1wXU25Uq4xFFJ782TmsVJ2cV23xkR7hForQTgcxrIErnIplx200g3XWd654fXGI+ySSqVCpWK+t4N4jK6RLIPf0ln3t+8WdFoT4T/HrH8tT09AjTgr5VIu+fvn1XbadqC6/+o/f93zqutGeeuwUvEIplmbgYCNlD5TbPa4UnXzJKS55tRwuhVBxalgNCcSIbW3d1xPmyEoFgsNggZAKBQw2lGhaho118w7gLQEwWCwer18ZV68/shT7/3rPAZE6EYNyLdlfN5GaH1aUixUcF2ner6hJaVSCZQmEAhg2zRod4S3r/Vb1ufbNErKm5uRkUunfie8P4+Ql8tlj9ApgsEgli2qmxRgbOwCA4MDgOLw8JCHD54C0Ds8wODAIKGgjdaKk+MsU1NTnJycMDIywvkL59jZ2ebJ4yls22JwcIienm7kGzkgj0MTZsJz+SLPJiY4Ojpq4D601oyOjdHW1oZtWUjLlxgMwZ6anGFtbY2Ojk7u3LmNZdl8/PHHHB8dG8JhC2/h2hQKeSxbMjQ4yMWLF9nd3eXx48fVZwkhaG5p4crlywQjYYrFIrMvZllfX8cpl5FSEgoE8VXdynUZOTfE2NhFLNswMseZE2ZfviSZTHL+3DkCnn2jkM8zNTXFxsa2t1gC2JaFkMIsEBQXLowyPDzE4eEhjx89NRyftFAVF+UqItEIV67eIBqJIIRGWobhqodQGqQhPsdHx3zy2VcEg0HOX7hEd1cX8wtzPJuYIJ1u5vLlK1gWzM/PMz+/SF9fH1euXiYUCnGSzTA3N8fi4rL5/NI4hUKBl3NzbG9t41RcAsEgvb3dXLhwnpinBhICKuUSy8sbLC4uGOIDVByHwYEBhs6NEIlEAEWhUODRwwlyJzm0dkkmk1y9epVYLIYlLaZnplmYXzHMljDrVVU058+f5/z5QQLBIMVCma/ufcXhwVGVsZJSeup8l1AowEB/P4NDQ4bpfAshP8lmeD4zw/LaOmOjY5wbGeT46Jjp57Pk8jmuXRmnp7sHjWJ9fZ2XL5YoV8r4kkhXdzvnz583fbDsVxgt4RNS7RNSw+wEwzZoBa+RSAqFPPfvPaRYLKKRlMtlpCUJBoMErQD9I/0MDPWB1lXJ5k3Q1YPNvK6tbjE3N8dR9ohQKMTFi5fp6upCYFEul9nbO2Dm+QzFYtGTRhxaW1sZHRslFo3x8OFj9vb2qFQq2LaN5e23ctlheHiY3t5udnd3mXg2ST6XR0pJIBBAa5fW1lZu3bqBbdtIaQh+qeiwsrLC9NQsiUSCsUsXaW1tJWhLFBqpvh1hdhynKs2dVlH+ejit+nVBCJyKS7lcJhKPNX6ta5pO13GYmXnJ4uISgYBdFSIM4yfo6Ojg8pXxtzy/UTXtOorV1VUWFhaqczQ8PMzQ8DAB22iv9vcPmJqaolAoIKXEdV2ampo4f/4CzS1JbNtnykpsbOwxNTWFbwK5cvUynR0dSMtIouVSha/u3SOXzRMIBnFdM743blwjkUhg2X67HO98fUogEGBgcIj+vr4qIy/06XXq04NXVe9aK5QLrlKE7NMaoG+ny/6mqu+vvnrI1uYm3d2d3Ll7l3LZ4dNPPqFYKNDb28uF0ZHTd/Ze38ZovkUj4J1bUsa8a2uaB8tj0myAWCzC3Pwsx0cZenp6GB7ur2689fV1uro60Fqzu3PA48ePmZubQylFLldAEmR4uAspJfl8nuXlZba390gkUpw7d45CvsT8/CKWlLS3t9Lb21udGN92dfqg0VpRLBaZmp7lycQ0TakYHR0dWJbN8fExy0trOBW4dfs6XV2dVY6rUtHMTM/y9OkkG+vrlEZL3Lx1EykVc3Mv2d7aN/0712eGz5XMzr4gXywSicZp7zzm/sPHzM/PMzIyQiQSZX1jndX1bWw7wvil80gNAcvicH+f5dVNmtJNjI0O4zgO6+sbHB4eEYlHGD5/DhtBNpvjxctFJp5Nc2n0AkODioDtIrQmYElikTB7e0fs7OyQSiUYHh4mGAywsrzCweExTU3tRCMxZl++5PmLF1y8OEYsGqXiVNjZ3GVxfglhWdy9e5dY1EYI0y8AIT3JX6rqoioUCkxNzxIKhejv7aS9pZm9/QxTM/O0tR0xduky4UiQtc0tJqdnqTiCc+fMAVAqVlhdWWdm+iWCAONjo9gBC7Rkc2OLvb0Durq7GRjoxrJFdS5dB1ZWN5mcnOLw4JCu7m4ikQizsy84PsogLIvhkWFcRzM19Zzp6eekUilAsba2gRAW169fJxINELADZLN55ubmCAZtrl69ytraGoV8ESkEIyMjhjgLwdrqJsfHR/T0djEyPAJCkc8X2NnZo7mlrY6gfv1GKhbKLK+sMfN8jlSyhaGBAXL5IvOzixwfHzPQ20dHRzdbmxtMz8ywvrZFT083kUiMpaVFDg6OEIS4dGkMGZJoXFzHQWmBFAKBxrasqmC3ubHF4dER4+MXjd20SmcFeCo8rTTbW1sorSk5sLS8RDoZZ2DAMBkd2U40GoTHyFmWLyKaP2MnAa0RFp4tP4DWioBlUSoUWF5YwZKS8yP9yK4unEqFg709nk8/Z35ujq7uTpKpFOurW+zvvERoyaVLl4hHojzf2WVrc5fW1lbOXxhCCMmLqQlwjEYuGo0ileTF9Au0FFw4f4FypczO9iyRSISLFy8SCFqUSxVWVzaYfDbN3Nyc+Z2Eixcv0t7RZDQFb3VyqICQoASuq9je2qOQz9PV3UksHjfzr3UjARCiNlb+v/3PzcKufS61mZeqStd8ns3mmZyc5Pr1q8TjMdMGIRAIzNQIXKU5ODjm+PiEeCzJ9PRzwuEwfX19IBS7u/sN56I8LS4DxodEVdfx1tYuz55Ns7+3RzQWpVAoUCyUCYej9Pb0cnx8wuTkFNPTM3R1dtLS2szm5gabG7tUKnDn7mVD3B3FxsYWT57MsLqyytjYeQLBIJaUVcGqXC4z8Wya6anntHe0k0jFOTzI8/LlSyKRODdu3CCZCuNUKmxu7jI5Ocnz5y8RQpDLFdDKYmiwE8u26/ahp8r3TarKH1ZfkxdAuZqDgwMODvbpaGulqbm5No/V+fFNBKfmr14CFgL/bHyd6cj/XAjB6somL54/RymHu++8g1aCubkFDg+PSKaaOD923vy2ehu/4W8z3X391yjXZ9Ewa90z6WkFnjbCBvjud7/LysoKx0cZuru6+eDDD6qq3GcTz0gmk+zt7TEx8YzJyUmGh4cRQrC/v8/DRw8JBq+bWLZT9jqttbFXVx1mfOeSr2+3lBaZTIbp6Wn29/e5fvUS169fp1Kp8PzFC5aX1picnKSnt4P2jnakJSgWi8zPLfHlV19ysH+IkKKqwq09W9PX18fv/d7vAVAuKRYWFiiUSriuy/7+Pk+ePKGpqYkrV67Q0tLCvfv3+OzTL3jy9Annzw2SSqcYHBpid3eXlbUtWttauXXrFgDxWJLnL54jhOD46Jjj4ww7Ozs8m5rh6OgIRutUL0IQCAa5ND7O8soOB/v7tLa2cvfOHaKxGMFgkMln0wgh2N3d5cWL52ituHHjBm2tbezu7VLKl1lcXODLL780Ums0Xj2QvUd472s+Bf77emmkXt3rxyf6jjAnJydsbG4SCoWq6vzqtUqRTCYZHb3A0tIie3sH9PT0MDQ8TDgcMdcqzc7OLg8fPOTkJMvw8BB379wlEo1wfHzM9PQ0Ta1pWlpb2NzY5pNPP6GzvZubN29iWYIHDx/w5ZdfEggEuHxljOGRYY6OzEERDAa5desWiWiC6elpHjx8SCAYZHh4kMuXL7O2ukU+n6Ozs4sPPvwQrR2yuRzz8/O0NDdX1+PbUH/NaX8LIYykv7+3x+TkJOvr6/T29vPee++RTCZxXYcnT54xPz/P8PCAGUch2Nre4ejwCKUU4VCAkZFzntZAsra2xvT0NLYtGR0drUo01UlFYts2Q8PDpFMpVrd2WV5ZJplMcuPGdXZ390ilUtV2a62Rrovy1ZtKIRtslBohJVopXMelvb2docEh1te3yOdyKGWcSI+Pj5mammLu5QIdnR3cvXOH9vZ2vvj8Pvfu3+f5zAwXzp/nytUrLK+ssLN9QFtbG++++y6WZfNydoHp6Wla2pL83oe/x82bN3n48CGWtLh06RKWbXHv3j0+//xzpCUZHOz3zp0J9vb2uHTpEvl8ntnZWWOqC43T2tr61vnzFiKuK9jZ2eHJkycIIUik4sRiUc/xSzQQZ9Nnc4BLjNlMerZQWc8UmQE13596ZDaT4YsvviAUCjA2NkYiETeHdj2/ICXt7e2kUimikRjPX7wgGotx6dIlgiEjoRuth/GDcdwK0nqzql5rzdbWJnNzc7S3tzM+fplsNsvOzg7FQhFXKY6Oj5mbm6NQyDM6NsbY2HkePHzIF5+bObx67TzRaIztnR2ePXvG2toW586f4/3vvE8kEq36AGjPyXl/b4++/j6uXL7MwMAAc3MLTE5O8vDBQ4aHhojH29jb2+PZxDOmZ6YZHhpGaV3VfoYCV+np7UVKYZgdDMMq/IE6RS+U63JycsLM8xn2dncJXL1CU1PazKPPoGI0AJYl60yq3mjpOodZpaqmJX8/+M5r9T5MQJWBkVbtOyEMMy6tr3Fo/a2bcl6FbZ7j0ujhp9Aa9vd2Gb98kYAd4OnEU+7ff0hLSwvf+/53sSyLzz79iomnE1jSoae7l1AoRFNTE5lMjuOjY5aW1tnZOUBIl1QqRSweMvaXasdeL5kr5R0+HrPrasHRSZb5+XkePXrESSaPkBaukTko5BzmF5b565/+kmQyQSKe4uTkBCmNXU9I6O7uIBSK0NScrj5XSl213/heuvVOXrXJMlKnxkEpz1YkjXOa8ehURGMxBgb7qDglUqk0R0cnzMy8YH//gEzGcJ5KCRod0ryFYhk7vSWMI5VtC0ZGhiiVSrS0NFEsl1AYW44Wgp39Pe4/eMCzJ1MIIVEotMDzbpSgPLupUkhtHiO8Q0roWr8kCkvUbJRmTKTxgNdGhbO5tc0nn35JxYHW1lav/YYr1MIzgygH0cB11qQDpRyePplifn6ZsbERrl27QjQeQOsKLS1p+vt7aGpKcXCwx6effkmx4HDnnRsMj/Rj2xJpKZYX1/nZzz6ms6udwYEkUtQ2kmVZ3HnnJoVihntfPUIKi+GRfm8NuwipvbYZf4Riocjo6AjhcNhr46mT9TUIBm1aW5tJJ+MI5SJwkLgEQzZt7c3EIhHmX84xMzVLb28vd25fJZ2OgVY0peL09nbR2tpMIGAZe7GyeTYxxdOn0yjXJd2UoH9ghFBYoNAk0mlcNH/5n39OIJigv6+NUCRaJ0kogkGb27dvUCgWWd/aQygTPZCMJ+jv6/TGXpPP5dndO6oSIrPHNZYliUQipNNNBITxuzg8Oubk5ARLBNnd3adUKpl1oQ3zsLi4zNTkDPFEgjt37tLR2Q5AKp2kt7ebeCJEICQRwlMA4HrzUPEiCdzqn5DaO7PNXpIWnL8wgOsW+Pf//q/4xc8+5U/+yR/wdGKChYUFrly5wo9//CM2t7f48//wU6amZojFQ7S1tgNfb2PUIoBTqbC1tcf9ew+Ynn5Of38/6xu75PMVbAnppiYS8Ti5XJ7j4+OqituSEsc72MPhMC0tLYZx2z8km82SSCQIRyPs7u6itZH4W1qTJJNJ7JBNR3c7f/3zv6HiCi5dGiWVStc5VymsgM3FS+dxKhUWFpbQuoyULtF4iOHhQdN+JSgWyuzvH+A4lVf6FwoFaGpuIhwO4Ttj+Q6D6XSay1fGqnZegFDYoqeng1Q6RiwWNO2QYMmadkMIyeSzWaan5hgY7OGDD94hEg0CjjeH5syMRKL80Y//wBtou8HWL6SLkArHdVlaXubx42d0dHTwwx/9AK0Vv/zFJ7x8+ZJAEHr6B09JrqIqqfoMt082jo8zPHnyjCdPJggGg2x1H6KtNYR0SSQSpNNpXNdlb/eIUqlUI8pCVQWY1tZWotEwh4eH5E5ySMuira2N/b296rqPRmM0NzdVFT4tra0kk0kztloCFYTQNLemSKXj4DrGp+VUFNO394pvhJYeHaqTxqHRtm+DId6+i34+n2dvb49CocCvfvUp3/3ud+nq7KpJ2XXczWlP90Qiwa1btxHC5uXLWV7MzmFbFj29HVy/cYPeni4jkb+l4b5zRv29l5aWePnyped8Z+N4dphsLsvq0hr37n1FPB7je9//PpPPnjE9M2Pu5Tlaffe730Urq2qfdh2Hra19XMchkUiYDRkOk06lcRyHw8NDtDYHod8O46zU6MFcLBbZPzhga3ubleU1WlqauXzlMlII+noH2NnZ4eNPPmdzY9Nri0c46tU9mMO1VCqxu7uHfXLM559/zrlzFxgaHGRhecnY4F0zR48ePWJtbY1YLE4ul63dww8JkVajqlBjTlZHNbTdx2kvUz80xXeq293b5cGDB4yMjJAv5F+ZL39s6u9dL+2KOsm/pg2wuHXrNteuXcMKWqyvrzdocurxtV7TUniS0ht+ozT5fI7t7S329w948eI5t+/coL9/AN8R722qLV/S1cocXMb50ag/+/sH6O/vY3V1taFdvm378uXLXBgbx7IsgkHPu15KEokErS0taK1JpWP4jnAA5y+cJxgM8Iuf/4q/+qv/zA9/8CEDAwNEE7FGSVDIKnH2US9Zuo7LwsICP//lJwQCgaozp9/O1pZWbt2+RWtrmuPjY+7ff8Tm5gaxWJp8LkcumyUcDnsHoXplXnyMXjDrVEi3QXNjtHol9vb2CAQCVCoO6XSaWDTqzVGjV7FS5hzy1/npM8CfTzCMR73G7esghCBfKLCwsMD6xjoAe/v7TEw8NU6SluDWzZtEh4dZW1vj888/J5PJkEwmKZVK2F44biqV4s7du/T19TEzM8PLly9pb2+nb6CfF7OzVEoOB4eHjF8e5caN67S0tPAnf/wn/Pmf/2cePnxAxSkZVXMyXjcP5uB/RZupGiMGDg4P+cUvfs7JyQnhcLghs1c8HuXqtWsM9PeitOb4+BilXCrlMvt7ewRDkkQi7mmDJJ0dHTR/73tGGxQ2fj+ZbAYpLdLp9Ct+HOVyhb29PbJZ45iWTCWIRCINAoDWmpPjIwqFAicnJwghaGlpxrZ9j3dD/H1Hu2rUi39WKG006kKA44Jl8TrHXa00q6urzM/PUywWqZTLTE5NsrCwAMLhwoULXLx4kUwmw9/8zSfs7u4SjUXNmhI1r/u7d+5yYfQcq6urPHsyidaK9957n5nnM5ycnJDP5WhtbeU73/kOHZ1tANy9c4dgMEg+f4yQAiEFHZ2djIwMce7cuZrp61T00FtV0G+R2MVbKaZHyC1pVePEt7d2+eKL+zgVh+OjHK5zOgzJ4uQ4i5TSeIdrMN7fFpYNqXSMkZERDg8OmJ9fpq2tjfPnR+hob615J1fnxlu0r5i4dJU701pTKVYoqRLpRJKxCxd4/GiS4+MjpJYsL6zw+PFTSsUK773/DrFY2EiuQKlS4ShzQmtLgmgsgm9LKpdgZ2efjz/+GCEsbt64yMWxEQJ2gI9+730e3H/C7PPnFMsOR0dHhEIB4vEoQmhvTowkZ6E5Otjn8aNnKOVSLOZpaWkmEDDq1kDQJnRiEZA2QoPyJBSFkXoRxonBURqkxd7+MQ8ePUVJxeb2LudHzyOD1CRrJCcnWbInJwwPDhIMhLl3/z6ONtoBKaTpuPJsgrpuPJWxGQkvhtKo6yzQNrgCqSUWFkKZeH+hwcLCtgIEgprD/X0m85WalGZm3fRLgItCWJbhGaRPxM2acnFAau86fzO7hCMBtLbQop5zVVjK/EklsZRnFtaSgCWqNiEhBJbQCOWa2RCghPRCtYyU5yIoOS4bWzt89sVXVIoVMplMVVVcDUN8y0aTliAej3Hz1mWEkATDYdLNkhs3xwmHI8iANHZmS6AsgcBogrSUBMIRglrV2bc1uGUuj48yMjwAmMM4GPBtp5pQMMBAXw+//6Pv8rOf/Ywv792nUKpw8dJ5QqGQWQvCaIJcVfPYNWMAWEYyUkJScTWFQol4LMHI8CDZjDmwpSV5ObeAZQcZvXCOxaVFFhbXGRgc4Ma1Uba2t3n0aMbzVsZjNDQK19NC1WKw7aAm4EWHmHGtoLWLcjW7u/s8ePAIgEIhz5WrV+nr6QVVYyh8LU+NYMvanzZar1Kpwv5+hkymSNlRaGkhhY2rdDUvQr33tS+Baq0QyiUejXDhwgiHh3ucnMzQ1tbCzevjpNNNKAGpVArLAtetkC24uAS5NH6FpeVlkkljslpaWuXLe/dJNyW5eHGUg6MT5hcXyVdKXL9xg1gkwk9+8hOePX1OwIrywXdukUzE+dGPfsQnn3zK7PN5tLK4ffsK8UTCV2dV179WAikDKGW8kf0cBAgzpoV8BUGQ3t5eXNclk8nQ0dHB7IslJp68AC0pV8osLq5QqSgOj46YePaM1bUkly9fprevC9uWWLYkGoiiXOMz8/TJDCtLW3R0NXHj+jWikViD5nBv74h79x4TCEiy2Rzj4+NcOH+eaDyIEJYJswUWFpZZWlwkm8179vFbJBNp76SwzfpRDicnJyilPIdeME66AqNS9/w5lAbp+XcIT/gzy46BoQEOjg7I5gsEAgFuXL1Cd08PWjskEjGioSi5kxylQpncSY6Lo2OUy2UqZYeW1lamZqb54ov7RENRBnqHKGQd7n31FZ999jl37twllY7x6NEj5udWQX/F/+yf/Ri0JhKGy5eGqTgOqAohW/D+O3dIJhMEA37ooeAVCfw31ay/Psy+iqqzWz0X2NTcxIXzF8gX8mQyuVfiqvN548ChtWZvf6/6OzC2hXw+x87ONvlCgVgsbpxLtrdpam4mFAoQCIZ4W9yer57xpbf5+XkCgQDt7a00NTUTCtUSo1QqJnTKsm22t7Y5ODhkZ2cHx3U4PDpkamqKDz+4Wxe+VGFtbYuHDx9wcpLh5s2bXLx43mxo5XLu/DkCdoRcPs+TiWfksjl6enu4ceNGNZTN91DXWpOIxxkcGMBVit29bexAoGqP19pPrOG+RgKuSR1+8oRYPM7A4CB20KKQL2DZtbArIQXKVTx48IBc5pi+vj4ikbghyJ52AultBJ8wamX+7dmNtKMaOFzfd0Gesn1Lq7aJO9rb6e1rZ3Fpkd29YxzHqdro5Cl7sevNmzrFYUovTM/vZ20t5XAcB8vz+re80BjLkg0mDt+r9rSkZr47FTvvcfj+dZa0SKVSjI6OkjnOsrK8XJV0vqnHshASy4JUKl3VNEQiUU8934h6jZUQxndDOWVsy8YOBEyIjRBEI1FCoVAtEVG9cxWaUDhCb28v773/Hg8ePmZ6Zhqly4yPjxMJhhqecXpM/HGRdarKQCBAc1MzylWEI+GqlHp0eEg2l+X4+JhsLksymaS7p4dKpUIwGKTiVKptPK2B81Eul3GcCkLIqtTnE9REIsHQ0DCWJVlf22Zrc5PDvg46u7sBI1nL6hkoqr4Z9c9wHIednR0ePnxILp8jn89hWa8mF/Gf+YpTmBBYlpE2k8kkQhg1eWtbGx2dXUaLq7WRH7xn27ZNc0sLu7u7pJvSKFfhOAvs7e3jVBxaW1tIJBIUC0VyuRzt7e0kYjECwSAnJ9vGJwazxzo7u7h79w4PHzzm5ewsmhJ379whEg41JreRjefC6xLVCClIpdJGAHAcz8lricPDI8qVMh3t7bS1tXFwsE80EmFwYIC29haSyaSX6MucW65boVioMDHxjJcv50mlUlwav0Bvby+BYO18BYjHYpw7d45QKMBnn33Ko0ePCARsLl26gMJFYCT49vZ2bNtiZ3uPjc1NFhYW6OrqJhmMV9ufLxSYmJhAac3h4WFVS6m1NsRa+46Dnq1bygZHQiGEUZ83pU2oYiBIS6vnRK0rVdNCPZLJJJVKhUKhRFtbG/KFZHd3l0KxSDQaI5VKUalU2NraJpVK0dVpVOiFQoH9/f2axCwliWSyYV21trc1StSnNK1/W6juBqUV0lakm+KMXTyH4zieJBquHtAIhWUJEgkTTrG/f4jxTxC4SlEslJiafMHz5y9JJOJcujTG4eEBS4sbOBWJuBqgp6cHcSpT26swdjl/gvf29+np7qZ/sJNYPIAvuWnt0tnZxjt3blbjHAG2QgEsoQkHgiTjiYY7b21u8uD+IzY2t3j/O3e5PD5OPBYFDRJJJBhibHSYw8MjFhaWOAoe0tnewvlzg6bdyiRMEEhcLYgmkpwfHSBgB9jbazWHezUxQSNhebWbvu3D+AIkU1FGR4eJx8NEIxYtTc1YWuNqjQIc12F1dZXxSxfo6eni8DCL1tpk8lKusY0LE5UsPKcoAOEKk4XMKoM0iWwsoXG9/7TUKKFMYhntojy1nZKKeCrOxfELJFJRnj2bZWt7q0pQlTbOc8bVQCNRSKGrjIvULigXyxYmpNF1ccuVqglgfm6FnZ0d2jvbsQM2tsfV5soVSo7CsgX5SgWBQzgosYRAIk0iHu2r6hRupYJyHAKWJBwKmDnSxqtTCk1rcxOXxi5QKORobo6RiMXRrkJ6GdPeGp51KhMY1JwI/WkMWDYhK4BQmkK5jGsEChaXl9hc2yadbmJ0dJhoLIbWipcLi2yu76C0JhYJ8O677xo1pLCqtvBgKMD4+CUQgqcTE0xPvUSKMOMXz3lMpcd4nXKyqaqqtQtC4Si3pg0RGIbPY/y0FFhIo4ERGB8AZUR7gUJq5UldYNshAnYIy1I4TsEjCorN9QOWlpcJh4NcuXyZaCwISM83Jsbo6DnsQIAvv3jE2toGw0M9XKw/7JSL0Aq3DJWSQqIIBWwsAlgEkMImGAjTlEpgCU3QMrZgozWS3j5TKFfguMaPRUoLKZXRAipvMwpzZmgBwpI4CMqui1spYVs2gYaMlnVqY+XtJS3RCk8LYtae8rRhJjmP9ObC9cbeJz4VBvu7cJXDs4kJZqbnEYS4fuMisWgMO+D5KWk/Z4D0kuv4jqp4iVrqmeb6jHQKhIl86OjooKenk/mFl8QTCQaHhujpbauuCz8u/+Q4w8z0S6amZmhqSXJp/AJd3Z2eH5DlrXWjQUyl44yNjRCNxXj69BELC0tsbW4xNjaMJW3KlSJKuXR2ttDVZc7AL7/6nIWFRW7duk0yFfWEN4nAIp6IobWuMgxS20hloS2FkJbJTeG4lJyKp3mT2JaFZdveGDRqblwFxVIFlGvyOUjH9EN72TilCcHU2qEWviWR0gXhoLxzECmM3480+1ADTr1qv8FcqRtfq2u5LnrhbxENbK1JJmEWRzAYZGx0jMWlRfKFPMo1IS+hUIir164ihCCTKbC1uQWYwySXy7K0vEwum+XixTHeeecui0tLLC2ts7y8TF9/Lz09PW9t1Gkpq7uri6vXrnH+vImnrkdnZxeDA4PeAJqNtbt3xNraGul0miuXL2NZNU53a3ububk50ukmrl+77iW0ccyZKC1cR+G6LktLS+SyWdraWk0oCDRwW76NxJfuorEY/bG42VzaP/wbJUjfXq+1rDskVJVw+tKctCzGxsZM6letPU7dJCM5f/48N2/epLOjg+OjF954+Z7wjRJvVYLyudpT8FXMruO+/nde35o8SabiSBzXaQyJqU/oIURjYgshkJZFT3cPGxsbZDIZ1tbWSCQjhMMR5ubmmJl5zpXrl7l8+TLnzp3j5OSEpcUlo+qUFstLy1hScvHixSo3XE9EtdYsLCyyu2tCnYYGBxvXUp10F4kaKXdnewvXcWhr7/xGm64hyYOoZ9JUdb47Ojro7Ookn8uzurpKUzpNOBZldXWViceTDAwMMnJuoLoOV1dXePpkGsep0Nqc4tbtWx4h9w4qTzqXts3FixfRWvPkySQPHz7AlsqEZwW8zG2nbJXKdataFe2lzay13+SIkHYt+5xbpwEz0Q2vt1G3tDTT09PN3t4OCwsLJFNRkskU6+vrPHr0iObmFKOjF4joUJUJr64T3ehUiW8n9faQ41TY2dlmZWWZRCJh7uPZYe2ATVtbG7dv32ZnZ4e5+Q3y+ZqvRjVhR7HA6uoqR8fGv6WlJcXA4CAhO/TKgauUIp/LM3swSz57wsDgAK1NLdW2VtdPnTey335LmnkSVZW4ru4lpU22ydO+CwjB4MAAAdvGdR7z4P59hKxw7dpVkskE0rIanuu3o+abIxr2mT+3/vrWqubD4EeoaF3HVHvJs7RW1YigJ4+naGlp5trVq4TDYWZnX2BZNmNjo4RCoQam1c+RcVobUyqVeDYxScWpMDI8Qmtr6yv9qJ17mmg0wo0bN0x+jcM8u7u7devMaC/LZYetzU02tg1tSSdT9PT0kEqlzN6XsqEdlUqFpeUlDvf26OzsoKu7vWH+fNiW3dA2t27MLMvCcZyqtrUhE179+elrzV4zv39XRBw8Qr44v0KlYDjxzHGW5YU1lFIUiwUeP37M+QvDWF5GNik02q1g2RLLCxOQWiG08vgto96VGqRQSC/dqhDCXPcaD76aBtAbdOUQCtq0t7ZwdLBPa0uKcFCyubbN/v4+lVKZ7s4umlIJYzcVxo6CkGxtrJPNGUk1m82xtLzMufOD+FnTGg4XHBCB2sQoF8ep8HJuja/uPSFfyHHn9m3GL10AHFCaSqXC4cEJh/sZpIZCNs/uzj6RSIxIJGqegQlzOjrMsL29TbGUR2uH/f1DlpdWSTfFSTc1YUnJ9s4OmUwO16Ua4xyJhj0GAxCQjMbp7uxkdW2Tvr4+ioUyS0urbO/tYgVs+rvbCNs1AiBOpfQ0CwwQgkA4RE9fLwcHB2zvHoPc4OBwj2g0TE9PF+FIsHpYmMxiLmiHZDzKpbFzHOxtc7C7Z+ZSuZRLBXZ39slmTQa+k5MTDg+OiUTiRqqyLMYvjaLcIo8eTjI5OQ0YdVc2nyfd3ERnSwudrS10NLdSzB4zOzuPLWy0tJidfcngcA/f+/53iEUj7O/vsre376k6NYuLKzx69ATXcbh18yq3b17FVS5b27vkcgWUFhwcHzO/uIzQikw2w8LcIkPDw7R21Db81+HrQtS0VggJQyMDlJ2KiSaYmCQYCJFububw4Jh4LG4cfyyrepi2trQyNDRIuVyhOR0nYAdq6kR/PXqMo2VLLo1fxLKCfPbZp3z55ZeMjIwgZJDDgyOOjg7QuBQLRTY3twiGOolGYzVioh2ElwinqTmNbVtks1ksNJbQhCJBWtqa2dzd4/DkmMWVZbLZLPF4hGIxz+bWFm1tbfT0dKD1VR7cn2Bq8gWBQIDOzi72D/YIhQK0t7cjhGBjY5fMSQHlmljqpZUNY2ao5GluS5NIpzjJ5VhZ20ALwzzvbO+xML/E4tIKly5d4LsfvWdsqKKMUo6xk0oAhWVpEE51XqSnmz85OeHp06fMvphDSMGVK5fpaO8jlDLjYAtBS1OatpYWysUSsy/n2NrcQuKQSqVoa2kMZZNS09LSRDKZqDpwCSEN4+NJ4sZ+X2J5ZZlYOEqxUKalpYnmliajXVGu2XtaI6Smp7eTUOhdcvljJp5O0dM9QCIa5/j4mJ2tbSTglMoc7u+Ta0+STDcBYAmBwEFohS0hnk4StAS2iY3DFhLtKo4ODtnd2UK5ZcqFAod7B7S1JojGYp42UXB0cMjzqWlymWOujF/EQjL1bJLnM7NEY1EGevuIhCJ0tLaw0ZSiVCizvLBMJBIln8nT1tJMa3OTseQ5FVaWVllaWiJ/UmJoaJCdzV2ClslTEQlZaNfBQiCFiyVcpFZooUG7xsfF8+2QnvnNqbi8eDHHl/ceIoSgv7eb730vSTIZN1tClYlHQ7S3NpPJZlldXmN7a4t81phK21vb0I6hTUIZ/6CmVAo3UiFoS6Op8xxdrTrThlImoVOxmOfo+IhoLExXVwe4r4mKeJ06/e+IiINHyB/cv08wGKS7p4diocCDB/erFwTsAPFYDGlZdHV3k0wmCQQsbMsmnU7T3d1NU7NZbMYO1wRI48wBhEIh2traEEIQjoS9Tp9qxSsDIEgkkrz3/nsEg0H2D3aZfPas6v2cTqd555136B/wEgko16iUlcvLly+pVBy6uroJBoPMvnjB8HCfx/EqYtFotR/1Md1ojdKGmM7NvSQcDpNKJbyEEbU2litlNjY2yRcKdHZ2YVkm7re5paUaOy2E5GB/n6nJF2RzWYKBAN3d3ZycnDDx7Bm9fZ1cDIUIBoPMzc1RLle8MYLVlVW6utur9niA3t5ehBRU3C9ZWFhg2ZMGK65mZGSE3//+h0Rj0TcvprrPWlqa+eijj7h37x7r6+vsbG9TURVGR0d59927JBIJSqUSiUSC7u5u0um04UqFNHbGpjTt7e00t7Rg2Rb5fIHNrS0CAZvOzi5KpRKbW1s0t7QQCsSNbV6bDHXoILMvZpmbm6umirx+/ToXL44SDBjHme9///vYwRCHB4e4CM6dO8eH37lTtUevra2yt7dHd08PlmUS+gQDAS5du8aV8VGU1hSKBebn5wkGg7S1teFUHB48fIAFuK5DKBip3u+bxpJ/LbxxHxwawrJtJp6auHEWFymVSoxdvMi1a1eJRCNVKf7K1auMjl5Ga00w0Cg51Cdr8edOSsnQ0CAA8y9NroJKpcza2hqZTIbOzi4CAZvl5SVa21JEo8b8FY/F6e7qpq2tjXRTmtaWVlzXYX5+no7ODlpbW2lra6OjoxNphVlZXeHp06e0tbUxNjrGanSVjfV1WltaicaG6ezq4tatAJZlIg02NjYol10unD/PtevXvT33BMd16ewy0S4TzybQSpNIJLh95zbnhwfY299jbm6Ozo5OpBDs7e3huC5XLl/mvffvVGPq0+k0Pd09XoIg74xpaSYai5LwzhifOQ8Gg6TTTXR59nfjwFbb45ZtMz4+jhYhZmdfcHhwSDKZ5Mr4KINDQ0ghiEQitLa1YlkmvfOVK1eQlsXS4iIdHR3ecwLVebGkJJvNMjU5he2leb5x4xqjoxc8G69nKhHC8/VwaG5u5vd///e5d+9hdZ/v7e+xvr5u5kFKtre3aW1LkkylTb+DQdrb21FK0dSUpqe3F4Cd7R3a2ozq3LYslpeWOD4+prWlFcu22NzapL0zRTQex2f0g8EgrW1tWFaQjc0NdnY2KVcqNDU3kUwkq57m4+PjCCGZmXnB5NQUUphU1Veu3ubcuXNYlvE1+MM//EN+/rOfsbu7y/HxMZWKy8DAAN///ndNPgMU0ViE7q5uWlqaEVJgYdHc1ExXdxfJRLI6R2iNZVmk0im6u7pRWtHW2lbdr/5cDwwMoFWIZ16OAWlZ3Lp1i4sXLxKJRCgWi3R0mDDMWCzKyMgIAWlxeHRkbPmBAJFTPi6O4zAzM0MkGqJUKnHp0iXefffdv1MC/U0htNZ6be2F4d6FxnVVnQrCqDBi8ShSCI6OjwgGgzSlUwgpOTnOUS6XCQYkzU1NOK5LJnNCqVghkUgQi0cpFYscZTIIIYnHo0QikVdSUr7aKsNNua7m6OiIcqXUoJaTUtKUThMMhowU4ztH4LJ/cEDZy0muUcYZor3VO7Ahk8l4nrvSEE8pqg5ISmlcx2X/aB/HcbFtQSQaJZVIe/czZeMyx8cUiyVcbVRodkAaz8VgqJoGtJAvkM1lTJk5r3qX0grLkoSCYWLxOFKa5AxOWXnfCyIeA2HZNgLPzqagXCpxeGQSiNSPmznYmmpJKoTAcxtpTHkojN8BWqG0w/7+HhXXG1PPZJJOJ5GWhVNxKeTzZHM5wuEQqVQaKQSOVpycHFMqVgiHwyTiMbRSZPJZ8vmikRqEIBgImUPUll77NWiTyvHk5ISKb4NXilQq1ZD1Cq052N9vSFWZSicNw6Y1mZMTMl5IoO8PpwUk4nHiUcN0ua5ib3+vqoI3TLlxIpNSEJAWsXisSux+U+hqOySFQoHCSdbkufbiP6PhMMlk6vXOdfXOMf6rsGqHh65LsSo0uWyWYq5EU3MTQgiymRNyhRKuMmrWQDBIMhk3qWtdTaFQIHuSIRQKkYxHsUIhcM38Hmdy2LZNMhXDsixOMnkKhQJoE5YUDocoFksUS2Vi8TjxWMwwlBXjeVyp+F7HgnA4RCKRRCvFyUnWRDdIqrZsAFdrmpubiIZjlIoFDjwVuH8PgFAoSFNTM2DWx/HxEZWKSzAQpCkdx3FcDo8zuK5DIhYjFk+gPOnKqVTI5rLV+gyRSIR4PI5te0ybH2KbK5DJZnCVwrItEom4dy4JCvkcJznTr1QyWnXey+dzZDIm1LMl3Uw2l+Wzz+7xbHKSZDLJzZs36esxGS6TqSixaIyqLVdQ238AwsWpVMgcZYgn4gSCQbK5bDUaCMCyJLF41KxRYVEplTg+PjLCiL92haBcLJLJ5HBch3g8gus65HLFGnMTCJrQs3C4utYKhTz5fKExxtpbyLZt0dzS7O03QS6brUZ6+HJPKpUkGokapwqtQZvkYPV5B6r3sSzjWFcscnxs1mEqZfZCNpMlny8QjARoamo2CkQhcbVDJnNCIVdACEHADpJKpUwWyTpUymWOj0+qkRXxWMIk3RHmvDw5yVCulEkmUkRjUaQUOI7DwdER5XKZ5lQTrusyOT3Lp59+gusq7ty5zeBQH5Fw2KzF5qa66pZ/x5BR6jO77e3tIaXkX/2rf2UIudZmgfrJ240aWiF8E3pdAgPzvW8b8jxERX14DVTdUP0EFp70VWVs/M+/jpB7XqRm9ZwiSKax1Q7VJHzXk2b8+6pTj3mNF6inUm/4vnqZMlmvtOf17TmvSU8FqrREWhZKlavj5tuJDUH3czo3loWthu5IfwN5C9RPjINj7GK64iV2aWyzUrrmR6C9kKY6VawfzvLa3MVCgC4bDYbvpatrX1eH7TXqIo1/6HrzqRXIunhx5V9/KhHCadOJf7AptxbzDq86kvif+evldf3TtepSsnpQnnq+bBz/t2VM/LaoJ+TCC8mrJ8DVOFBfyvb78jrUH/jee6W9qATfOdLvsHcP11UNkQa+k5S/zmSdyQrbBtdnDPz17o2jNvH9qFOqRPmq/da7YZXBrme0T693ofEYTK+CnbAbGRRe1YzU31d6VfoErlnvMmD2mJ+PQdR7e8taNS2MD0o106Gu7T/w+Fov06QQ0qhQhUAJ2zDdQlXttkCtHRqePnnCzIs59vcPCAYDDA8P88F77xoJW9ate/ma88ov8lSdx+pAU4008ca3+rm/D7SuaWyqP7M9YabuHPPXmn/taYax7ryofec/v649vn3Y/7z+t3if+7nEq7bkuvb61/nruiGVrVlrWnrjr/x14tbWjdZU47L9+9XvoYYz6lT7q22tM3H47fSGd3FhgWdTL6p5IHp7e7l56yrdXV1eoi6NfNt58bclsX8NIbcBCvli1f4DoLWfgs+kBwwEZUOt3FKx0rDp/Co2SptCGEKVse0AlmUC/stlwzEFq+FUb+m4Fp6EZhZKxXGNY4LyCKkljHoL44TheGFV9eUP/XZprQl7qrBKpYLjOtUqO9qLMzXVwzzLstYoxySMcTEHhNQay7ax/bKRwmQrKldqdZSFEAQC2vOsNIepco0jkXIr1bELBALYAeXZeox0o1yn0XYvLcBF4mBbJre70hqn4phav1iAqcJTc5DCi70UCJ+h8odZ1LyYpbCq1XiEn/atyqfVzUuD44Z/IPthIU4trlNVDKMjRN0Bo2qbTUrvOuOM2MCkSYFyKzVJ1R+C+s2pjDNXQ5jOKU2DrDKR/u/qHFOkNF7R9eur2obXHIq/Bvz4b6Hc2iEnThHw6uH19aYPr9O1f2q87HynxtPvgzJanuohq7V5bl11ODjVV99r3fs9WKC9Yql+zHv99354o9+XuvkS0gLXrYUOeeMvPE0SWuMFaJtmgycY6NpB7bVL1M2/sCzPpuvNn5R+kDzUMdNmuOo8uutTe1b9RRoZWqVMuWPhX6n9gTb3lLhIvDXqee3XO5gJaRFLJjh/YZhzehALzylOesTUy6qIf4/T8+ozytKsW+VVrKtSjDqPd/z5q6U5a1xPWoNbwdfcVa+vGw+8sTzNmL+iCaKOCJoDqsrcNHzesIdr/tLKMeNqfJb8ZvsCGY33UAq0A8KUgfZLUKNOlW319m9tX4lG57N6LZdyG7+r9tN4pKONI5v01pxSLuFIiIH+Drq7WqrRNNFwyOQmUJ5u82+LUP8GEFpr/Yuf/6fqB4YDtqpqyUAgwOBQP729PWityedyTE69IJ/LAWDZNi0tTVwcGyOXz7O4sEDm+ITBwQF6+/s42N9n5oXxhhwZHKCtvf3Vg/P0QAk/l7GZmLn5BdbX1zE+JgppCa5cvkwqnWRzc4vlpWXKlTICu9puw5k7RCJR7t6+hWXbTM88Z3t724TYCIGL8QE4d36Izq6uqqRTKhaZnp7m8OQE7SWcSKVSjF8cJxiOUC4XWN/YYHFptcqxJxIJBocGPHuVWUh7ewcsLy9xclzLvtbd3c3AYC/hcJhSqcLU1BTHRydViUQIaSQ7IdCqxNDgEH09vRQKBSaeTVApl/El947Odi5cuFDLxX2aHvkHfjV5f82T2bx6HqB+3OUrkrB/eLzhAKhe9xou+U3z+5sQzdfdux71xK7+s9Pr600H2m+Cb9K238aB8Nu6z69zz3oG6Ouuf9tY/DptOk28vu75v+kY1UupQtQlLHo9qozl6X6/aRy+bny+6di9TbPzTX5fT5R/nTZ8U3yb+9Uziv77+n//Ov09LcX/HXqX/0Z4m0R+cpxncWmJXDZPa2srXT3GRlUumYT44XCY7q5eMpk809MvePjwAel0E9FIhKPjYxbmLEKBBKGwzdTkC7Z3dhBWkO7efg4OMzx9Mo0UgkQ06oX8vMW5SPs1qwWri8s8vD/ByckJ6aYUruuws72HciyuXLvE2uom9756hus6DAx2mzrYwmZ311RfSqebuHvnHWZn5/nq3hMKhQI9XcZb2XVgbW2NbDbPDYJ0trWbMqhTszx9Oo0MWCSTSQ6PM+SyC1gBk1VpZ/+Ip08mONzbp6Ozg2KhzOLiGtlslitXr9LWlubgYJ/JZzMsLS0SCISJxaLs7OyYkqXaZXh4mHLZYWbmBYvza7S1tdHckiIYDFB2lKnolS0giREIRFleXuLLL5/Q09NNKGyxu7vL8uo20opx7lxn1aZlOE+fe9WGo/ZTX3kLWGjjHCjwYmxflwv4NdWcXgvlAgGq7Lau/u/19/p1cPoAP92Wt6nmX4d6aeTrz+m347TK8HX4LUj+Dfd5XV9/03u+DX4f33b9b+OgPP2M0xqBr3v+bzrWp8b4raaY1zEYPsPzOrxpHcM3G7v6739doisaz4Rv3YZvg29zv9fN+9uYlrcxmKeZgd/WXvx7BBvg+z/4AX/27/4duWye7u4ePvreuwCUii7T09MkEib8YmpqhsePH9PZ2cXtW7eIxqJMTU3x1VcPePzkMePjF9/4IBMv+s1PTKdSYWNji6/ufUUmW+HC6CgXL46SyWT42V//nIcPH9LUkqRcKaO1JhaL88EH3yGeSCCxuHf/HjvbB4DRMjx48IDNjU2uXL3Ch995B9d1WV7eYGt7m9lZU+c4Fony/Plznj6ZIJFMcv3mDVpbWnnxcp6f/+LnTE5OIoRgeXWTtbU1xs5f4P3vvM/21i6fff45L1++pKm5mda2FJlMhnK5TGdnJxcuXKS5uYl79+4zPW3KMba1tRGwg9XYzN7eXm7evEoymeQok+WnP/0p+Yxx6tre3mZqagqlXG7fuUNbWxP379/jwf1nPHz4kHPnfmwGTQpDuKXtLdR6FZsLGBWbUVUr8GyVb1T9+p97UQGvPTR8G/7XEZbf9FCoPwi+yf1Pt/PrNm1Vdfkb4PTBehq+ivrrDqLT159+/zYJ+Ot+f/rzb3r9m57zddqX09d/3Xy97bn1auT6deqP5Zukya/7/pv07dsSsvq2fRPNwZvGr565PL0fT6vBv24Mv6m0/qb2fdv9eprYvm5Ovqk25/TcKfX1TF396+nr3jQO/1Al8q+BDZBIRBDSZPWybZO5zXVd8rlDLlwYIRINsba2xsTEM4SQXL9xme7eDpRyaW1N097eSjQSIhQKkEzFOTg8NOUvN3Y5PDjBkjaJeIKoVyzhFWeo1yCbyzHxdIrVlU0uX73K2Nh5WlqSWJaivaMZyzZVqRKJGF1drZ43pBcvianwYyR/84xsNovjKoKBMMFgkLW1NZ4+meDkOIuwoVBy2T084quHj1BOmTuX7tDf125SNSYT9HZ0EI0mESJIpehSKSqsYIBoPE4kegTCoVxSKNdE07e2tnH9RhQpLRKJJLZlEQwGKZVKFItFnEqFaCRGa2srpVKJ9o40yVSUaCyISwRpeW0XxoafSMQIh4OmYlE0TigYQWmHbPYE5WqT9EYIsOyaz4stPQc1Y6IQWmBMgcYminY8NdbXqM2BWsrXNx0a6jekhW9h8L7tntN1P6r/9xvx9dWz3v48cep5pyG+vglvC397nRmg4cA6ffM3MQxf/5hvjTeNrXjL9/r0ha/p/9cdyG8jYr+OtuKbaHG+Dq+bo7cxbl9ngnpdu77ut2+7z29y3dvwTZjmb8pcfBNm8W3POH2vNz3jHxGqngp+9qByuczB/gGlcolHD59y/cYNkwggl+PgYJ+mpmaam5oIBoO4jkNvby/JZDOhUKiautVxFOvrG+zvH+E6puLR2NhYNd7xrRDGMe3g8NCLaY6TSCQQUhBPJLh9+w6OU6GltRnXcWhpbkdKqxprmMtmKeQLhIIhksmEd0szedKS7Ozs8Pnnn5PPe05m2oS6+Ll1m9NJ0uk0kVgM5fXx+z/4PlYgYOLGI1vEYlFKpRJHR0ecnJzgOp6DoJfhKRo1ISJKKXK5Ake5HIVCnmAwSDwWww4ECIfD3Lhxg0uXLpFImIpCruOSyWaolCvE4nHC4TCdXV2mfJ7WJOIJ8oUCuXyeUDBUja99HfyiCwLjMewXqjAL2SPg/8hUTGc4wxnO8LuGKiH3HaB2dnb46qsHVCoOy8srXLxoklaYi0xOYR+WLWlqTtPsxX2Cor+3k3LZIZt9xNLiMk1NzVy+OsrgcA+xeJSvk8Jrklnteab6kYtfeSwYtOnp7aA+vCaVTpr32qZcLvP8+Rzr69u0tad5551bVSIupEu5kieTyXBwcMj7H3zIgwcPyGaK5llKYwmBEtLzHLcQliSeVMSTJslEqVjk3PlBCsUTDnf3ePDFV5xkC5wcF4nGQkirFm6mtUs2m+XFzIJJ+LC2TUtzO/0DA8SiUaSl6exqQ3hV0FzHZX9/n2dPZygWHM6fG6a/r4emZIK2lubqNc+nnrOzuUNPdxs3rl9uCD0yw2g8VE2VLA0uXjId32scQNTCAn/ThCjfFqeNjn/bz/+t4++6/X/Xz//HjrPxPcPfbzRI5FqbrD+pVMrU4bVN/KVVl9vWz+3cgLrYR8d1KBQK1RJ1Shli5kus3whav1JZqx5SWriuU80f7MezauUy+WySx48fE4lEuXnrOiMjI9WYa600a2tr5LMmMcHY2BjPnj0jl6sltvDhFwapwrO9hUIhUyEoYLO1vsnu7i5ra2sEg0GGhgbp6urEL+bhpzqNxmIkSiXC4RMcp0KxWMBxjbRsYlRNYZWDw10ePXrEy/lVRkZGuHntqslCFDQhFa7j8vjxY548MX4LN29eY2RkBMsyY6arYWKvUS/60njd3FXLJJ7hDGc4wxn+waJGyL3iBR0dHbzz7m3K5TKRaJh0Oobrgq6zw0lhgTbpBre2t9lY2yYWj9Pe0crqyipTkzPYVoB33r3BwcEBcy9X0CrA5UvnaK0Lz3rFNloz7hq6I7zYYy+nscAil8mwsLRKIV9gaLCHltZWpIBiscD082W+uv+IVDrC9etXuTAy5CWrMX9S2+xu7uOWHa5fv2Hy7opagQEtTPYpHIktTGUe5brs7R2wuLREIhGjt7eXeCxGX38XPT0dzM3NsbKyQigUZGigl66OFtDKEFME8WiMi6MjKDWEW6nw4OFDVpciDPQMQDyB1KbizubGBk+fzLC2usOF833cvn2NtuZmjP1WcJLNMD01y717D2lvb+bqtXFGzg+b1J5+worqOJ5y9KlOXSNjJH379tvwpsQ9vy5+2/f7TfH3rT1nOMMZzvAt4OVAUdXKW35lmWAwyKVLlzg5OeHk5ISmpmb6+vool8ssLi6Sy2Upl8tsrK/zyaefMjU1xcH+PvML8xwdHdE/MMDdu+8wPn6ZUqnE4sICB4fGi7zqvajV69WqWhMJh+nr6yOZTLK7u8v21jZOuUw+n+Pp0wk++fRTNje3TOUuIchl89x/cJ/9/X36+/sZGBjAturqeXuSZ3NzC1evXuHa1WsNVdaklMTiMYaGhhBCmCpKR4dUvFrIn3/2OU+fPCGXzZq87UpzfHzM2toalm3y0KdSqapm4uj4iLmXL1leXqZYLNZpD0zd9nqthnJdNjY3WFxawrJtLl26RDqVrF5zfHzM85kZnjx+TEdHBzdv3iQWjfJidpaFhQVz3a8bhnKGM5zhDGf4Bw0bYGVljZKXn/zk5ITVlTW01pTLDi9fvmRgoI/h4WFu3LzCo0ePmJ6aRYggsWiY3Z1DhBBeERJNqVTAcSsEgyYGOxKNAMp8XvHU62+M7a15sUZjUS5dGqNSLrKxtcfMzAvKlSK5XJ7jzAnxVAI7FEYJCZ5NupDLI5QmEowQDoRrIVNoOjs6ODkukkjGSCbj7O3vUKk4OJUKbU0J2pqSdLU28Z13bnP/4RPm5p+D5dDe3s7Ozh6uq4gnUth2CKdS4ej4mMlnz5mZeUk8EmNkZISWFiONIwX5fIGFhRWy2SyDAyM0N7dwfHxENBKluSVNMGjjpx6VlnHuq5SLRMJBwuEwdiBQzT28s33A1OQLTk6ynDt3Aa0t5ueXmZ9/SXNzMwN9va/P432GM5zhDGf4Rw8b8MLKBE3NzRQLhWq8tKsgm8kAEI3FGB4exrJsHj9+xtLiInbAolDIMzw8xOXLl5HSJZlM4lQ0kYgJNQvYNmnPs9qkVf2GDbO9GsR37vDg0QSHBwdMT0+jtSYcDnP9+nV6e3uxLZNH17YDXiGVYEPlMBOOArdu3UKpAMfHx6ysrHj9M8Uhxs5fZHBokFAoRH9/P44SPH06wcrqCru7uxSyBXq6exgfHyeVTuEql/29PbY2NwnYAZqam0in0wRDIU/LoEkmE7S1tpHNZllaWmZra5tsNsfg0CCjF0aJ+1XVPA1IOBwi3ZQmEU8QCNSViRdemljLVJTL5fO8nH1pilY4DkrX6kef4QxnOMMZfvcgtNZ6bu7pK45lfv5wKQRNzU2kUmlct4Lrumxv71AuVxBCe7lpo155RBMyViyUSDelSaebyOdy7B3uo5WmpanZK2/6DQiPHyKlNQcHe5ycnABGDS1si46ODqLhoJG6talqs762geu6tLa2kEwmTe5irTCZx2B3e5dsLofWLpZlVYvHd7Q1E43HQAZBmzzru7u7lPIFhDQV1IPBIO1d7cYB0FUcHBxydHSEEIJQ2KalpZlQMOLZp43KPp874fDgyBsrgVKKdDrdUM3LzzR0dHjA0dGxKb3Z2kogGMRPjXqSOeFgfx/Xrc2RH0kQCoXo6+l+/fi9TdX+tuQMZzjDGc5whr8f+KbVz6Dmue0TCj//t198wYSp1RK6aK29Ih4YwqNUlZD58KsMyfoqNt+s5bXr6wmOV3FL+JnL1Knrq2+9L/zHCV/SPZXZx0vej1/8w4eqcxYTtSpU1dzk4F3v1DoqBH650IYqQg14Q27m059Vi534lZ1qGg1/Xsxlr2GMzgj5Gc5whjP848HXEPKqs5sPE8YlvPjtGrHQWnsSrAn38umElDaGMNURJ5RHrGuf+1WMvl3KRAVCmyplQnrxz7WygqY2jaS+c+aL+rJ5/iBYXrucxtAsrdFC1JJN1bdPWjU7u3KRQiKUKb+ocM3ttQvaMn/C+/OrCL2JSFarR/kE26JaetD7XCnlVY+q9VFr5c2VP/7+GJ/hDGc4wxl+V2EDPHnyFKiLK66ri21ZNl2dnUjLqtZs9csUCmHR2tpKX3cXCEE+l2VzY5N8IU9bWzudHR1kMhlW1jfQWtPd0UlzS8vbW+VxCa7rsrS4yHHWVFoTnoQsA4KhoWHPzqzIHJ+wvLKC67h1MdySdFOKvr4+7EAItGZ5aYnDw8OqtsGP8+4f6iOdbgKtyOcLLC4umNKr3jgIaezyIyNDBIJBnEqF3b09Nje3jflB48XgB+jo6KS1rQWE4OjwgJ2dHXLZQkP30k0pOjs7iMTi4LqsrS5zcHCI65U79Uuj9vb20tLairAk+XyO+blFypUy0qtx3NzcTH9/f61s4xnOcIYznOF3DjbAxvom2zs75LMl0k1NNDebtKaua7zYtRI0NaWZn1tlZ3uHQMAmnTY283TTDgHPMS1XKPFseprD/RxXrkg6uro5ymR5+OAJATtA8JZNc2trlUA2SvFQr7IvFYusbRzw4OEUWmuisRi2kLiuy97BIaWCxfkLA2itefFykZmZGVpbEtiWhRABjg6PPK/2MEMDPaytrfHgyQyZTIb21jRaaVwE+/v7nBRKjF4YJRS2ePHiBc8mZkilUoTCAZSryBeKlEolZDBCe3s7h4fHTE8/Z3dvu5rVrlKpUCq5dO7luHI1iJSS+fl15ufnsSyTPlYITTaXJWAHGBtz6evrIZPN8PDpDLlcjlgsgpQmZn5zc5P94yJXLkcIBmBlZYUHD57Q0tJMwA5xeHREIrGJwKavt+vMa/0MZzjDGX5HYYPx6P6Lv/hLTk5OvCpcNwEolx2ePp0gELBpaW2lv7+fl7OzxONxOru6yOczrK9voHWFd999l2KxSD6X5/DoiFKphNaKcrlMPmeqeLnOG2zjVXV2zSady+d5+uQJKysrXL12jQvnz2MLydb2NovLK9y7d59YPEihkGdi4hmVcoVLH75DNBIhn6/w7NkEs3MLlMtl+nv/KQ8ePGB+YY1z585x/dp1lNbsHRyyvLTMxNMJpJB0dLZw//59KmXN9evX6exqJ5PJMPtijpXlFZ4+fcr4+Dirq+vMzc3R19/DzZs30Vqzvr7O1OQLpqamCEdskskkk5OTVCoVbty4QXd3N4VCjpmZGVZWVlBKEQ4HmZqa4uXsIsMjw4yPjxMMBtnbO2B1dZXJyUkSiQTxaIhHjx5xeHjIO++8Q2tLG48fP2Z6xpRv7e358f+ki+QMZzjDGc7w9xc2QFdXL+FwFI1LOBKko7MVgFKpzDvv3iQSiRKNhEgm42hcpAXd3Z1EogOAYmryBYIQ584PYlkBhNBUnDLlkovrmLKZ1ZCqb2gjr1QqnJycUC6XicXCtLW1sLO1zcLiHPl8AcepUCgUyeWKZE4yxBNx2ts7iYTD3L//iPX1DUqlEgf7BwgsDg6OKRbzJBIx2jtaOTg4ZPLZNLlcASE12WyeVL6Jg/0syWSS5uZW4rE0K8sbrK5sUi4rjo6OKBaLZLNZCoUCsWiEtraWKuHdP9g3RU8yGeyATS6bIxgK0tycpKUlxcTEKhsbGxwf5YiECxQKJY6PM+QLeeLxOM0tzeRzeRYXF8lkMpRKJfL5PJZwyecLBAIWbW3NtLU1E4kGKRU1B/s5lGu88M9whjOc4Qy/e7DBc3Dzws1857ZCIc8Xn3/F5cuXvdjwSvVHWpuws+YmE5ZWLBbZ3d3l6vVxxscv4zqa5zMz7O5tk8/liITDXLx0ib6+PuPodTruuapa953QVLVNvj17aXmZqWfPWFlZwXV1tR31bdJK8+mnnzE1NcPR0SH1DnC+Q5/Wmq3tbT7++GOWl7dwHIdAwKp66/shaYVCgYmJCSYmJjg4PPKa2Rj+pbVme3ubL7+8x+LiIqWSi23ZXhd01ds8l8/x4OEDnj55xuHRIVpZXs56hfJysgNsbmwyNTXF4uIylUrNXt7b20sqlUYp10u8I6vfaW+sznCGM5zhDL+b8LzWHUChlWBleZVf/Pxv+ORXXzL3coVC3tQp19qtFjKRUiBlLTzNJ2qhUIChoX6uXr1BLJ5k7uUShXyFi5cuMTp6gXg89ioRNzdp/KORaAIcHR2ilMPohXNEozFDxPzwsKrXus3W5i5dnZ0MDg5hyUC1Epm5p4UQFicnJ+zv7fHOu3dIpRNYtlcFTArPRq1RrpHAE/EEF86f88agjnFQGiltcjlTIGZ4eLihTKuQJm5cConruOzu7tLc3MzI8AgBO2CYIY8gK6VQSlWl8EuXLtGUbqravZPJOEND/YyMjBAKhZh8NsPK8jqtbQlu3rpCMBj8TdfBGc5whjOc4R8oJNTykANYto1l2dXMZ8qX1qU0711lymm6NUnS9/6WQiAtEx6mXPNXL1nyTStt1RFxIQTr6+usr68TDocZGBwkGo00EFUpJYV8gYmnTzk4PKS7p4fu7q5TtzQEemtzi8WFBSzLZnx8nEikdi+fMSiVSiwuLXJyckJHZwf9A/2vSOMA29vbVWe2np6ehtrghtBLcvkcKysrHB4e0tXVRXd3t+f4JlDaEHohBLu7u9WMc8PDw0Rj0SqDpJTCss2cPH/xgidPTZTB9evXGRsb/WZjeoYznOEMZ/hHiYbqZ1prOtrbuXv3VrUMaSwWNJIs9VKyrKu5raufF4pl9vcPeTH7nIpT5tz5QUqlEnNzcwQCAUbPD3mZ3d6CUyrzhflVmprSXBo7TywaRwhTtUvImjq8UCzw1Vdf0draSmtrM9vb5ervpWW0DoIAqyub5DJhRkbOEYkEkLLGkCAcNBVKJc2L5y/o6u6gvb3VMyVQx7hYOK5iZXmN46MM584Pk0gkagyNlNXxzGQyLCys0NTURGtrK5lMpvocPw5cCMHqyirppiRDQ0PEYrGqNK6VGd9SqcTSwiqff/YlgYBhQi5ePE80FqlWPzvDGc5whjP87qEhIYxPhMLhMKlUinfffZdAIEAhn6+ppz3i6boOuXyeQqFAIBCgqbmZQt7kad/c3GBoaJA/+IM/4Pr165ycnPDs2QQbmxvfvGF19chNrW/j1R1PJJCeY1e9lGxJi2gsxrvvvktPT3dV4vVTo/oSubQk3T09vP/+dxpzslPTLAghSCQTjI+PMzw8XLVn19vsASzborunm6tXr5JOpzFjqasqdSEElrRIxBPcuHGD4ZFhQqFQw3P8+9oBm97eXq5evUoikaj5LEiPiC8u8qtPfkWpVOLKlav09fWRzWU5PDj4VhN+hjOc4Qxn+McFCZ6N1nWrxMW3OQthcf/+I2bn51ACFNrL1SbJ5os8fTbJ9ItZBgZ7+OCDd4hEYuTzJRxHEwpGSKXSxOJxQJLPlyg7Dgpl6o6LOilS+0lovExw0sLVJhGLkJpLV0a5fusKsXQcV5q2GqLqmlrjtiKejvJf/PhH9A52EwyEAYktBXadJG3pMpcuDPLhh+8TjYZwXYFSEqnBFtJoHZQmFU/w/jvvcuHcOYK2Xc10F7AsbGHuGw7YXLhwgQ8++ICW5jSW0AjlYkvMM7XCEtCcTnL39k0unBsmZFsIrRBKYGFhIbGlhVAuF84Nc/P6DVqbW8y9tItEIdGsrmzyySdfkDkp8tF3f8jIyAgrKyv8hz/7z/zsZ59UzRcNaHCA83wIhDZ/ksbXt/35eNPnpzPrvXaZfc33b7zv31N843H5tpCn/r7t92c4wxl+F2ED/Nt/+2/Z2dlBa83c3BwnmQPP4QsOj45INsWYm5vjs8+/MOVCCwXu37+PUg5dnV18+J33SKVSFAu7yDq7OVB9b3lVvqS0TJrUr4HWmnRTE9/5zgd88qtfsby8zP7+PtIy9utcPs9HH33E8PAwAEpaPHz4kM8+/Qw7YCOU4OjwiK7OTj748EMsy+b3f/9HfPLx56yurPKTn/wErTWOkhQKBW7cuMHVa9eIRGx+8IMfcu+rh9y7f5+p6WcoV3GSy9OUbuK9996jo6ODZDJNuVxmdXWVn/3sZwhdoVwuUyw4XL58mavXrhGwbcplh6mpKR49esTzF89RyiGbzdLS2sq1q1fpH+glmUxgWwG2t7f55S9/STAYoFJx2N8/4MaNG4yNjbK1uUWhUKBYLPDgwX2eTVrs7x9wdHjsSe1nh/oZznCGM/yuQmit9ePHn1bDrl6XIayrvYNAIMDq6mpDelPLtmhpbqGzqxMpBPlCzkvRWqS9vZ2Ojnay2QzLXmrX7u4umppaXvFc1+KVR6K9KmTLKyvksiahjNLaMAZKMzQ0SDKZRGlNNnPM0vIyrm4s+JJOJOnv78cOmEpnK8urHB0dVT3T8cwEvd09NDU3AZDL5lhaXsJ1ahoKRyuikQgjwwMEAjalYoW9vX22drermdiAaoa79o52AI6Pjk2K1ny+IbwtnU7T0d5uHNqUZmNzk4P9fVSdFK2Uoq+vj+amJo6Pj1lbW8Nx3VrbvX5GIhFGz5+rxZF/k2IpEi9C4O9LatdTmf7+3uNvqb2+dK/9HAGnn/cPbdzOcIYz/Np4W/WzUukAy3euqiMCvud6wLJQrmpwbPNtz5ZtGSkbAIXruijXeGxbtjRqe0zNbGlZxhHsFJ05TU+EkF7ed4HruqBFNXZdKYXQYNs+4ZIo5eA6jlcYpa7fCCxLVsPTldLVfpgLPAJsWTWPeq1wTmWg08IwOJaFV29corRG4Xu71z1TSizb9jQaboNdvaqlsPw4cPPqx+j7jIr/anl91Ep7dv4ao+LnYwewvLA576ZnhPx/cpwR8jOc4Qx/y/gaQm4DhELBOoc32VANzcIQXimkSebil770QqJMqJjwPKe1F77mEwhDvNEKYXmx2kI2Uj5eY1bUCs9ijS2tWtlSbZza8KVp7XmvWzaWNLZutAJpv7aMqJQKadmmPKnwbfL+M71SqVJgB6waQawnjBpTClUopNZIAiAE2qoVaoEaMySt2gHcyAT5leWMo6EdsOp+qxr+bRz0rCpzUB2z0+VWtTJ90pj5qG+3X87Vf6+8UEDhVYmrn47TjID/vnov2fi91mgpGpiV+r7641Hfd59Jq46TP/avMCGy+qL1m4lVbTwl9Qlyqs/UvH4+/f68LrfBa+EzS3XjUX9fpbz76VrVvOraUV8TfvmaBElaGwIuZaMpqqH9fpW/b9j8M5zhDP8oYQPs7+0hLYFyNUKC6+oqMXZdTTwaASCfN1W86g9r5SoikSixeBzXrZDPZKhUXCLRCJFImEqpRLZgqpeFwxETQ32aUJyGdzAq1yWfz1EqV6p01z+kU6kUtmUIbrlcJpvJIL0DWXse6sGgTSKRABQnJydUHC+mHb+6W03KDYdD2JZNNpd7TXPMMwO2RTQW9wi9JJ/NUSqVcDwiY1sWoVCIcCRMsVCkWCziKuUL/lUorbFtSSQSpVQqUS5XsCxRPetd10jkQpoxCwXD1YQx5n5GU2JJiZSSplTqNYSjnrjXxtupVMhkTP35WCyKbduUSmUKhSJCQCqVRmtNPpej4jgEgwEikWh1zgu5LKVSmWAgQCweR2tNLpfHcSrVx1mWTTwex7Jsj8CaASgWixSLheo6A4hEogTtQFUjBJDNZqhUKmglsG2LeCpRfX4+l6NUKjeMpz9Ofny+1pqTk2OUq81YS4FSjcQ9Fo0SikS+ERF3XZdCIU+l7BIMBglHQijvM1cp4rE4gYBh6pxKhXwu36DVCYfDhCNhsw5exygpXdsH3veVcplMxqzFRCJGIGjqCvjzlEymjDnlLKvfGc7wOw8b4L/77/6FF6/sZUETngSgbcLhMLffuUkwGOTnP/8b871fvUwobMvm/LlB/uiP/pDDwywff/wxO9t73Lp9i3ffvc3K+go//+uPCQQCvPPeTS5evAjSO+R81W7d/cxbI8kWChV+9vNPePFyvqFdsVCCP/mTP6G3txvLtllZWeev/uqvyOUz3kFu7jt6foQ//MM/IhgK8z/+h/8fu1vbntraZHHTytjA7VCQa1ev0dXdwX/8j/+xmkJVyEYVe1dHB9/73vfo6+ulVCoxMf2CX33yK3AdE7IWb+LuO+9w/fo4i4srfPrpZxwfHaO08Aizlx1O23R1d3PjxjWmp6dZWlxseI6oo/zvvfceN29e5/j4mD/7s/9ENpOpu4+ko7OD/+Z/8c8IhEJGK9LAGBmNBdgeYXfZ3d3nf/jX/4FwOMz3fvAeQ4NDTM8s8Itf/JzWllb+8I/+kEgkyv17T3j06BFjFy/yg+99SCyR4HD/kC+++ILJyUkuX77M7/3eB5ycnPDJp/dYXl5GeNn+Llw4z/vfeZ/W1mbDk3npCl7OLnDv3n0O9g+r/Xz//fe5eWOcSCTqaTwkf/3Tv2F5aRnHUQwM9PMn/+UfmbA9JF9++YDHj59W1yuAlBYffvgBt+9eBSTZbJZ/8z/8jxwd5qtmCrMuXIQUpNNJ3nnnHa5cvQxCIL5G2gc4ODrms88+5eWLZW7fucPdu9fY2dnhV7/6nEwmy0ff+4CLY2MIAUsrq3zyN5+zt79XXV83rl/ivffeIxbzVWP+RDcS7xpsVpaX+LM/+3MCgQD//H/+T2hvb2dq8iUff/wxLc0t/PN//s+JJ8/y65/hDGfwCPl//V//1/z0pz9le2uX0bEx3n33NlorSkXF/fv3kJZkeGSYQqHCxx9/TDQS57333qO5Jc3Lly95MfOMv/5rm+Ghc5TLZcqVMn5dcCkEjuviuI0pTqt4g2rw8OCATz/9irm5OS5fvmLSk4YtDg8O+eKze/z0pz/lgw+/Q6lU4uHjJwgh+NM//VPC4TCWDDDxbILZ5zP8xX/6T/zJP/0vcSoO5XKZ8fFxbt2+gRCSctnhr3/6U44yJziuQ29vLz/84Q/565/+kkAgwK3bt+nv72d+fp4vv/ySSsUwErlclufPn/PVva9obWnlnTu3KVfKTD57zv1793DdIufPn+fmzZs8evSIYqHMtevXGRrqBWBleYPd3V3C4TAfffQRn0jJ/Pw8HZ0d3Lp1m2QygRCSL774AoCFhUWePH1CIV/gD/7gD0g3xRFCMD+/xMOHD/hX//pf80//9J+QTKYaB9EnFJ6Gw3UVrmPGwfc3ACiXy5RKJSpOxYuDN/NVrpRrOfZ1Lfd9pWK89LXWtLa2cuv2bYrFIqtry1wcu8j169dIp1I1c40UPH1iGAPbtvjDP/pDEokEn3/2OU+ePEWrEndu38Z1NX/5l3/JyvI64+PjCGEzPT3Nv/+zP+OPfvxj4rEEt27dAi358qsvicWS/OD73+fhw4fcf/AARJnbd24Ti0b5wQ9/yC9+9gn7BwcMDQ/zzt27CAnHx8fMzs7gOG6DGeNtqFQco2FxzBpwlansZzQMZm2/eD7Lgwf3KVcqZp5SzTx8+JCXL1+itea9995rTIik3Ner2715K5VKKKWqSYFcx6VSLuN6jGNt/5xJ5Wc4w+8ybICeni5CoQAIRSIRo6e7A600jgY7cIdELEI6HqU53QSuImBrujpaaO9oZW9ng3xRsbN3Qn+/59wFOMpFWlbN0xwToy18Gy54xkt9SooEoVwq5RL7hycUSi6pWJT+7i6OTg7Z2tggV8ibkqnZEwqFAsdHGSKRCD0dLcRicZ5NL7G1uUc+W2Fz8wCtKyActHaJxiL09Bqv8mLZxQ5JyBiVayxs0dmaJhCwkJagvTnJYG8XiUQM25asba1xlDtie3ubiYlJWlqauHvnLn29XRwdHvF89iVHW0dkjk+IhiOk003YdgAlyrS0ttLX34NWmmQ8wclJF20tKaLRmBdrD/FohN7uTpKpuEl3+94d7IDN+tYe2zt7uMKlpb2FzvZW5ubmWF3boFR22dreQ2G/Mo5V2y3KG2aTG8ARGkcYiV5rgZBBtAhU4+WrHvbYrG5s8+DRBFevXgFh4WqBK2xcYVLGBoMB0s0pwrEwrhaEY3GaUgkClgBhoVyHZ5OTPHr4BGnZXL16jZFz/QSDQeLRMGurx5xk8qxt7jDzfJa5pVVuXLvKlSuXjeNgEB4+nuInP/kVP/joXdJNadLNrWhhIYWmt7ebUFhw/8EDJiZe4Lo2771zjZYm0yaONIlkiJ7eNoQUtLQkSSTCRGMxJPK1TORpaOVpb6TRcNRs8L4vg2BuboFHDyeplCW3bl7l/LlBQqEQsy+CzOVLHB7nUKri2dcFE0+fsr6xh1KKRDzM+++/j21Tmy+h0LiAZfaLNhoFVzkoP3+CsDxm4Bvv9zOc4Qz/CGEDXm51iVY1KbrsOjx/MUt/fz9NTUlcx6lLGGNQn6FMa00sGuXcuXOUHZeVlRU++VWFw6Mj7ECAvr4+WlpbajZBwBxYr5FIPHtpvaf89tY2M7PTTE9PUyw6r0j3QprKbc+fz/DgwRSbm5vIOhX1tevXGBkaob9/oBrCZclaQRVLWp76u+YZ7nvjV5wKlm0xeuEC4UiY+efz7O7ucv3mNQaHBgnaFuVyhYtjF+nq7KKvs7MaDiaFqFZEA9jZ2aGYL9HR0UE0Hn7tpLiOy8zsC1paWmlra2Nr7xApJY7jVGP9Hz16xPKKCQcUjq5K197ENP77dLifaqwsp1SjM57pv/nNyckJExMmt3tPT0/DuKu61LBKK6SUSCFrUQxa4zouq6urbG1vc+nSJfr7+ohGY7iuw/kLF0g3NdHe2YFTqTC/ME+5XGZgoJ/29nYsy6ZYLHLv/gQzz2e4e2uc5paW6vyAiQAYHh5maXmZB/eeEo1EeO/d617X6xzqLItCPs/S8jJdnZ00NTfXbNNvIebRaISRkRFOTrLVwjpCCOLxGF2dnXR2djI9PcPW5iY9PT0MDgwSicZAa4aGhghHEySTSUKhcHVO1tbWmJicxalUaGlOcufOHWw74EnXmqYmwyROPJto6G97ezs3btwwNnn9GqfNM5zhDL9z8ChMLVvUyXGW2dl5isUiX351j1gsSVM60XDIV8qK5ZU1crkie3vHxKMh+ro7aGtL0t6eouI6PH7ymKX5BaKxGJcuXeD69XE62luMd7gP7UlEb4gjt4RAelFSaxvrbGxskk434R6eGLWjJXDQoARSSQQBHj96hqZCc0uc/f1jXBwsrbh782bNPV4pnEqFpYUNVAU6W1N0tCbq4rgllYrD6uYOrrBZW9tgbW2N/+qf/TGVioOrBUoLz6av0NpUKLt25bL5uXA86VejcKmUi2xtrBEKWszPzwOKSCxKNGZSxGokWDYHuQKzS6uEghaff36Pu7dv0dTahtQKS2gsL3xvZuYFmUyO9o5mdnZ2MFn43qBq1XUaj1PEusqISS9LXh2El2JWa83JcZ6Jp1PkskUyJwUjuSNraunqOHilW4XyCsL4Png+c+QYSdPTDoyODXPx8gW0slleXgJtAzZ+Ln2tFa5SZm3qxoxmfvpaw4BYSGHhZyOsMTISrQTHh3nm51bZ29thdvYFH374Hql0ystP/OraO414PMKli+dMpj0pCViSeDTCyFA//QP9tHe0MTtrEv6YoArXrHOtGRkZYujcsBlP3xavNZ2dHeSKJbTSJOIRbFvWee4rmlua+ODDdylX8kSiYaQlSDcluXr1Mnfu3vauc8+81s9whjPUiqaAiYFeWVlhZ3sdAEfVH8JGRW4yu+WNvdOycFyXzo52bt68SSQSQQjB6OgomWyGx/cf09zUxKVLF2lubjYPOa3+fYONrz5evVgw3t9dXZ0MDQ/zyadfsr29Xf1ea0XFcTg6OsRxXW7cuEE2m+WzT79quJcfpuUoxdr6On/+5/+JRCLBe++9z+jYWJXJ0FpTLBSZmDCSYKXkkm5K18bBK4pyutSqcaDT1TAopUzp12KxyMSzZ7yYnaVQyDM8PNjwOz/f+s72Dp9//hnadSgUCg3XaK1xXZdMNkO5XGZs7CLxZIyf/vSndRoOXk/E6z47HZoFVG2w9SFi/rXBQBBbSrLZHI8fP8Yv91otIVunURFC1DQRp8LUqpXcfAlZWoYmKxewqS/rWt+O05kC/X/79ef9f/te6doLlfM1DK5yWV5eZm9/n3K5SDQa8frqhUHWMzpvgtZEwhGuXb9m2iOgo7OTjs5u0LW689Ly8/nXJeepG8/6iILrN25w49Zd8301jMytaU+EIBqL8cd/8ifVdTk2NupFISiPeH+Dtp/hDGf4Rw8bqOY017iMX77ID7//XfKFPP/m3/47T7rwQs20i7QgHovxRz/+MR2dLTx+/JhPP73PX/7kp/zhH3wPKSWff3mPiYmnSGmxsr7Brz75hA8/+ICBAePs9U0OTjDhzo5SfHHvPgCj588hsZDC5D8XSiC0kQyPDg/5F//q31BxKoxfcbGlUTlKgTEzSqMKlpbF7MwS//7f/3tsCX/4Rz+it6eTakyueTKJZIzv/+ADRkZGeDH9gsnJSU8yrrP1uwKp/bz0JpELAoSrENJCWAFcLUgmk/ze733IpbFRnjx5wt7hDkJ6h7EU3j1dzg0M8dFHHxEKB4z3vFA4qgJIlBLkiw7/9n/8jyinSEdXF2jbeNirUpWA1aS6un/7w+rWCI6Pesm2ljGuVkRnYHCAS6PnuHf/Httbu96N7KrHeOO0aS+Bjy85u2ilEMJcb4rISK95LkLboCRYymgvtIMQr7bDtxn7ufhfMav4zCYVhJfD3yfwgUCAK1cu8sMf/pCtrW3DKHmOmALpmZ+/XjXtx6E3hBFqDZhnSWlVnyeEwHGchutMmKOs81KXSCk8zbgfM14j4PhzaWEIe722RdXH3J/6/gxnOMPvJGzwbKbeH0AwFEJKyZ/+6T8lkTCOWL4N1pfIpJTYloUlJY7rUKlU2N3dZfblS1ZXt7l9+w7XLl9jY3ODxw+/4PPPP8cp32Dk3LnGFrxBIq9KXNJI3JcuXeKdO7ep1vH2iJE8dYj98Y//mJHhfqampl6x+QopmZh4yi//5kti8Rj/9E/+mM6uLqy6cqha6eq9LWkRDocZHx9nYHCQeCLJ8fERgYCJe/aJn9aKg/1DHjx6wvrGOlfGxrhx40aV4LiOg5QWdjDIxYsXqaghgsGQJ33VEVUpjRNYLMaP/+jH2GGJbdtVydTy2vXRRx8xPj7O8vKqRwhOhTT5hOAU6u3/5tLGRC7Vcdc16da2TFW2cCTMl1/cY9VLt+trJk7PmRSNbRFSYnl/Wuuqt7jWml99/DHLy8uMXBimqanZJPvx7mNU6rUse7ZlG58HUasY519bqVRQysW2A2buXjEfSALBIJ2dHfzwhz8kFAqYtS6hMXHQr4eqn4XlZfRTNUn//oMHzLx4QUdHJx9+5z2ikSgI+OzTT3g5t4DjuDQ3JfjxH5kQO69ervm9T6TrJPnXvj/DGc7wOw0JeGpJY18UWFXHtmgkxuTkNEvLy2ilvORtxl6pXHAcgVa+pGXhOJqTkyxOsUA6HqW3u5m2piiuKzk+ylEsloynrQ/hxzmLxj//8LdNatjxCxe4cfkyHW0tSBRau0gBUgoULlYQYqkI3/vwfc4N9hKOBFGqgpBemlOljRStLArZEsdHOWwZpr2tiVCgLmOdtqoeyiYNqxmiSDhAW3MKKSXxWJyLoxcYHhxgeXmFe/cekD3KUsyXODrMsrtzSCaTMzTaxagVLBtHaVxXEQpHOTku8nxmgd2jQxztolyBUhZCOWjlIFCkknHmXiyyvLBKpWL6ErDgO+/d4eLYBeKxCNLV2FrU0tXWq7NPO7zVqah9Auy6boPDmrSMvVxU58V4TofCgv6BLm7eukpvX2dVOlbKAe2iXDy7OTiug+M6noQpEUgujp/j/IUB9vYOmJyc4ujwmErF5fDwmJ2dPU5OTmhKp3n3vbvE41Hu33/C4vwK83PLPLj/mFDY4qPvfUBLazPKrVQlX6UF5ZLDw4ePWV1dZ2ion3feuQNKe+3xJXhFxQu5k1LyYnbWMCReBptvWvztzVCcv3CO0QsXyGQyPH40wf7+MU5ZcHSQY2f7gJPjPK7j27QVuWyO3Z1DdncP2dvdN2vNs/O/Yh45Xe3Mn1tpn9nHz3CGMxiJ/Kuv7pHJZLBsm52dHb786kukEJQqsLiwwPj4eYLBIPML84CJO37x4jnrG6tsb2/R2trK6NgokWgE27Kw6/Kv++rUKk5Liq+TKLQmFo8xemGUQqGA4zpsbGywtb1BPp/HqThcvHSRtrZW0k1pjo5zrCyvUCqVmJqaQktYW1sjnU578ciNz7Ck1aBe9tt0cHDA1NSUIUTAysoKqVSKwd7uajsDwSB9fX1orfji3j2mpqYo5nMopcgX8vT39zPQP8Dh4SHLy8sU8nkcx2FhYYFc5hghJLu7uxSLBeKJINvbW+zuGpX18fExT548IRIOGg/8ly8ZGR6ht7eX0dExpmamKZfLzL54gRCSve19wuEwl69dIhwONxLx06p1z8chkUhw7do1FhYWmJ+fZ29vj82dI5qbmrl06RKxWBzXLWNZsmo3V1oTj0Tp7u5mZWWF9Y396vhlMhkWFxc5Pj4mYAfY29tjfW2NSDhMKBTCso1EXymXefp0iuWlZVy3RDQW5WD/gO6ubnp7emlqbibd3E6lUuHpo8c8nXiKVoLDoyNu3LjBlStXiIYtFhYWWFpcMvZvx+HZs2csLM6RiCe4fv06/f39lMslXrx4wcnJCa7rsre3z71794zvQ7HI3t4OcmyMwYHB35qzmO9NLi3JxuoKjx49Ih5LsL29RXt7O8PDwwSDQXOxtBgYGCAYNtEg8ViAgB2oMj/VOfTXZn16V63rGM8zKn6GM5zBI+S7u7t0dXXS1dWOlBa7ewcAKOXQ2d1KS1M75ZKLpsjlqxewsFFOkcPDHJFokNsD49y6Pk4+n2Wgr5vmdIq2liQITSQaZnik36QSbfIc3vzDquq048Gnt0IQjcW5fWOcgHRY39zk4PgAF0Nghwd6eOedd2hpSYGURENBgpbL4fGul8VLEg0HGewb4M7d2whLGud4pWhtTjM+PkAikSRoWaBdtLRwlaJUKlEqlTh/YQCAkIRyPoMWnsOSJ70GwzYjw/1oy2FmZoZMLosQkv6eVoYGBxk6N8jy8jKuKNE31IV2NAKH3d1dlKuQtqKzq41YOMH+9jLJVJhUegipIZs5Jpsx45NKJWhrb6Gvr4NUKoKjKxQKOQr5Y2N2sAJcvDbG771/FysQROGFzPkOU8ojAEKawRWQSMT58L3bRAJwfHzEweEBoZDg1q3L3LhxlWAwQLGg6eru5Mrl83R3dRCyg4AkFLDpaG/l6vgIXd0tBIMhk7bXKdHV3kxXu5nfQrFIuVwxqmKtwIWh4RGCdoCXL2c5OTmhmC/Q1t7EhQsXGB4eJhAOg1K8d/cWUlXY2dnBVS7Xro7y3nvvVhnDXL5ANCS4Nn4epTWF/BE9Xe2Mjl7g3PnzxpnRMeVieztb6etqR2vF/q7J6mdJi/a2NppT6Tqb82+2iXwTe3d3OwH7KlMhy/SxmCeeNKFroxdGCfrMlnIZHRtj9JKf573eRn8qL351X5yyofvXnmnWz3CG33kIrbXWqohfxANqttRqsQ8scF205dlSlZ8wxPEIR93Bor14MiFrXuAiYO7rF5uoOjGdiuN95VCy/avMq1f8QyrvAJS+DdGXXuolF4UpcCJqJ63rtUfWEWbloi3fazoIrovy7e9esQq/ypms2p+thvYIEUC5LtJPMesRfo1AoxHKl/59acvxuuuNq6exqHbfP8v9y3FACBwtkEIaL2fA1aaYjVSOKSLjefCLark3bT5XGiy75kToOjXfAiFfWwStofjJacHvm0iCb/B9eOM1byoqUv95dfy/rgDJG/BtipZ8a7yl3W/FWRz4Gc5whrfgbdXPBGVDxOvDtLxDU+D9TpgsU+Zw9wmqrnnRau3Z+Dz7qnbNeyHQ2qkRTiHqDjhfyjj1vnr++0VOvMt8c64wBmjteUJXr5fePRz/EC15nuFelJ0nqQrX8zj2Hb20Ms+wyiAU0rHqngMS5ZVI9cfHEE5R8VTXooysI1rGQ1kjlDKxw9UO+Kpvj6gKIw0K7TaGkGFCjKr01ZZoFBbCTJFrxsV2AUtSC4gWCHRtAP3P/dCmauhXndqWRoc70/6aPd0wcr+G2Pem9KNvusavaufDJ4T19/CvP33tabzC0Hn3+XUYgF8Xp59/hjOc4Qz/E8EGKBTyNemrDr43bigUxrKsap5uUSdBBALBahUy5To4FQdXVZBCegKhwPU83YO27dnLT0nkb4JWVIpFdKUxWYmSglAo5EmyqlrNzD/c3VIJ13FRFoRjMVCaYj6H9DygtTIe7Bae17YUJqtWxGTLcrKmOpjraSRkOEAwHAHPI1kUi1QcB6n80C0vGQoaISWBYMjYcCsVXFch8WKohakEpjEMSCAcpFwpI5xTEpknIotIkEAwVG2zF3iNEBK3XMYtlEzmuGT07dKs7wFdLwW/Mt9+O2rJYGphWt9Awj793NNETKtGIvymPOMmLqv2G//aejtxlUC/pl0NnvOvIain19xv29Rc37Z6M9JpBuS3pNo/wxnO8LsNG+CXv/zSK9AAth0gEKwd6FppRscu0Nffx+raBk+fPiUcNHm2FZKuri4uXTxHKBTiJJvh+fMXbG3u4joudiBAIGCjlSYYDDIyNExfXx+BkP94X717SrfuukblPDEFf/Mr5MKWSVEasHFdF7tSRn/0XeQffBfCEbSf+TJbROcLiP/Xf4/1/CU7H36Hnh//GFCs/Mv/LyMPp8GWFLo7AYjkS4hCERW0UDeuIf70D2B1FfHf/WvQGts2Nk19+Rz6u99FjHTDSQb9b/6czIsXpLe2IRik3NaFlIJAsYJSmvJHtwm2tiD+4hdYh0fglBGBICLZQqVcIZjdQ7S1wR//iNzCIqlffgWOA9EQBINgW7j5ItYf/wh95TLifL+XF9wQCP1yA3HvPtZf/QTR0oz7f/8/YYVCrzq7IevGuN55qjGMqaowqErmRsshEI3x4vX3+DpUCaZ89fM3/bY+pOp193rTM14XgvW6Z/xtSsWnE8AIQTVa45XwsXrG9gxnOMMZvj0kQCKRYGNzkxcvZjk8PCCRSBCLxwmHw+zs7HBwsM/O9g73H9xnfmEey7IJBoPs7u4yMTHB/PwCWpmYY9u22NnZYXp6mu3tLaLRGI7rsryywuTkM7a2Nl9thU9clK7adQuZDPqzz/nlxx+zt7cPiQR2KoXWmsdPnlL46V+zubwClbJ3Cw2lEpOff87+L3/Fwy++Ynp6xhBISzI5OcnsV/fRO7tEm5uIptOIVIqZqWm++uoeLC7DxgZ/8xd/wfNHj0EpRDTK/u4ev/zFL9GffQ6FIsK2wbbY3tpm9qtH5BaWCAaDBJuaEPEEB/t7rK2tQcAGx+H5zAyzj55CqYhsaqJQLDA/Mcnxs0l0oUA8kaCyuc3s/UesLC8hImFEJMLLl7P86uc/Rz9/TqlUqpokVLmMfviQX/zi50x+cY/DJxPGy74ujKwqsfqZy+r/oCaZn0oY88p8vOnv7xu+bfv+tvvz9338znCGM/yDhg3wnQ/vsLw6x+HhHp1dbXzw4XtorSkVHeLxKOl0ms3NDV7OztPc1MydO7exLItS8Ssmnj1jZuYFoxfGiCcSDA8Ns7ayx97uMZ2dXbzzzl2vdvMnzM8v0NHRSd9AT0Mj/MxaVZJSdijs7xH8N3/O1bkVCv/nP0b88Eewt034/gNu/dXPKP3Hv6b4o++gW5sRloZMBvUv/y1t/+4/kphb57JWPKqUwHVABZHCYi8Co9dGkf/H/4ORbF+ssL30goHHU+jMMdx/TOBf/RknfZ2I/+IjxJVxDv/iL7n2//hv0ZsbFP70h0Ta2uB776FzB8S+uE+sKUHpf/+/ItrVid45pPD0CaVoAHH7Onp9B2dtEbUnEb/3PvJ//b+kODlF6v/pkK2UqXT10H7pIu7PPiGwuszhpXMM/jf/FYSDHB9s0vKTX0I4QuDD98Cy0csb8HQC/d/+vxlfXENWKqTzRaOKr/NY0wIQEuGe8nSuJ9oNBOVMIvzNcDZ+ZzjDGf7uUM21XquE5Xqviv2DA8bHx7EDAQ4eP65eJ4TAtm1aWlsZHBigs6PjFQcpH7W83bW0n6dRqwn9qu22mj1sfw/16Wf85Cd/zfeOcw2/1ycnTD98QOD/8y9p72gjEA9TzhQQUlY91c+NnKM3n4PuTrCMt/gr9sq6caAuzrwhJaivjj6tPs3lIZthYOwiovf/z96fBdeVZne+2O/bw5kBnIN5nkgCJEESHJPJzMqUsjJVUmm4bqll3e5ohe1wP9wb4WuHw/abw69+8LPtlxvuiBt9277dKrW6SyWpsqbMypkzQIITCGKep4MzT3t/nx++vfc5AMnMlFq3W6XCimCAONhn72/a3/rWWv/1X12v/i7Q09ONunQRDg4oxKKH2hCMjeuz6OmfUimMcgU1M8MP/vW/5p9WqrQmm8jspo8OpP4BKFRDDJmXlfjXxMq/kS3sH5pV+W1c6/8p1/+nyn/u5x3LsRzLr5Vo1LpfrAKTSrnG1voOlUqFjz/5lHffeZfe/i7isQjJ5gTSqbK/s08ymeL0mRHOnx/DtgSW6YKrEEiE4YJwKJfLbG1tcrCXBqlobo4TiYaoo9W9Dc1LZ/ONSiEVBgIMhYtkKJtFffE56R9/xtm8i2EKaq4kVSzBzg7qL39J+4/+munxYU7+6Z+i/r9/xvrNe4Rd7VoWvS2M/Z//G5TjIkIhqNag5qAePWVkL8uLsVFGx07BYC+b509xcf0AFtZQRZeTsyusGiaEwh7jmwBXIJQg5ioo5Il8cQdZqVCZeUZ4eBjxf/hfNSh8QUc6CwuLyI9uwtQUq6UCA+98h/iJPrA1A5lhCobWdlAPn4BlMbi6zdxgDwz0Yi4sIxeXOPh//D/5nmEg/rv/hv25OcL//b8BITCdMkgTZAA+QCg9rIJXYKkaubtfJb9qiuZv297/3P37VRvPYzmWY/mVkkPVz5RSrG9s8OWXX+LUamSzWY9Ew2BwaIgbNxzu3bvH3Xv3sC2boRMDnDl9mlDYVyAiqEIlpcvW1ia3bt3GrdUIhUKcmzjDiRMnGhSJ9zW/chWHP8ZDmVeLBWo1h1RHO61vXkf9x7/A2T0AIHt/GvHzj3Bdlw++9z1Ec1NgBZeKRdjdg5N9hDz0OgCFIqtLS9j/5t9gmAbvf/AB4vp1aInwR//LPyH9P/6A8mdfkK7V2NneoScSgmQLIdvy0McNbuydNAs//RnVahVZqHK2r0/Hq406SKxcqaLuTrF1kGN7e4vQ6BDYIQzbZ/PSsrqyRugnP8dAsbuzx+S712F8HLW8zM//6keczOQY+oPvQ0cHava5HsZqlb3dXdr6I/4kNsS+jxXIsRzLsRzLP3bxGFc0fzpAKplkfPwU1WqVQrmEaepqWZFIhL6+HuAiAsnss1mePZlHEObM6RGikYjOrRYEXOXJZIoTJ04Qi1jYtk1HRzvxRKyuvALNrRVj3Zktvdxtnatu//hT7JDN7LtvMn7pLPz0rygKiLsGtWqNTdNFNUcIzyxiz64Rf7FMoiLpeL6E+g9/BdfPIUxLu6yLJeRf/Jjmv/4xn1WK/M7v/w6ZP/49Up2dIFzyvSmMjhY20mmG/1//I2prh2fv3aDjj/8YWuLaghYSJRSOIRBNTdjv3sCSkoNnL5DtLRph7rqAVvqFRARxZoymD36T9WfPcE0DWhI6nxyl76dcaoPdxG5cgZBJMb9H6fEcLaNj0BTDyhfZ7WihK5sm8qMf48wvEHJcyOVZ+Hd/Teuf/AniZEKnmSlASYT5nxGpfSzHcizHciz/RcQ6+kEymeT0mdM6fSwUIRaLU63W2N7e4snjWSLRCBcmzmKZFg8fPWd6agpT1Dh37hymqOcfG6ZJS0sLp0+PE4t6HNPqW4KCPI5vrQcF6xvb9I6fYHxiApqaDl3adGKUpu//DlSrENGV2lQ0imkamiK0s6OBqQ4WX7wg+Vd/w+LiIr/9p/8M8dZbpLq6AvdnU0sSdeUKya0tZKqF8MYWA4MDiPPnMXyubHT8WioFqWYGr12FSITB3gFEJIpbrWJ61yqliEbCcOoEibfe4kp/P5SK0NJyJD5u0Nbejrh8GaI2zZ9+xuLdR3SvrcN33+E3fuu3IJ3Vhx5HEd/aDsaqs7NT82/LhvEVxiu5AY7lWI7lWI7lH5dYAK7raGCVkAhDM4PZtsmpsVMszM9TKhXZ3t7h1s37tLa2MTE+wejIKZZXN3n06BHz83EmJs4HiskHqCnlerSsbt3Vq1ytdBrFd637VKVCURWKWDhKzjQpXD9H3wcfIN66Bnt7KGVRNUyyLRFGL4whfvs97c72ip249++SWdkgf6IX8bvfDZjdVKZAefoR7me3Od+Rgv/NP0ck4ugTgwHY+h4badTndygWS8RPDrP13g1Ed9JDh0so1mivKmoC7WY3LESqFUYVamkRcXsKNTYGNUm8JqkpE4SFaI1DahxMTVlLVafOUZPYjqLqp327StPcCLS1fuMq5vd+M3Dpq40dcnED64ub0NLE4D/5XYhGAw+HT+1qfFsw9TeV+JLfcBg4Piscy7Ecy7H8FxMLYH5+nnK5jBCCTCbD4sICUkpKFYepqWlOnjxJKpWku7ubfL7A6uoqpmVSLBZoaWmho6MDIQTVaoWtrS2y2SwAhUKera0t+no6sW1PeX0bhjBD6Gpeg/2kdvZo6e0F26I4+4zd3V36HYfu4T4OUsl6JSgPsLcyO0fvvkZz57JZ1LNZxNmTr8yZPoooR7qUiyVC9+7z4Y9/zMmtLU58/3uce+vt4LuVchl7dZXN7S3aANJZlp48oXltjej2Nnfv3sUe6OONZBLWdbU2VavC8goHmxskOzrA8shdHJf1xUW6dvdRSpHeT6NmHkHIJp/P09fbDV2dmKbPCOb1YXGJzY1Nkgqo1Hg+M8OpixchEvaU/XFs/FiO5ViO5ddFLIBHjx7S1BQnGo2hlKtLSCpQyiYSidHa1szgYD9CCG7fucOLF7qcqWkZXL16ifPnziIMRTFfZGdnFzskGBjoQQjB6uoq7W0tWpG/zs0bfOyZkFaIeF8/6v/2f+Hphx8SefSctfv3MaZNpHR58pvX+e3f+12ar19BxKL6e0pCsczyzVsU+tsotl0hHI6yPvWA/n/yfUAgEmHkUDfz3/sObW0pBmxLp6I1cKiXsxlWHj0m1dbO+vAAA5fOEQnZ+sDguMhCidz6OrlaDeeDt9izLcxf/JKiaYILSSlJ9PZQ2tlmI5elNDpMyK3yvJIjMrtIMtoCqShgoA4yrHx1k73uFpyOK9hmmGczM4BBtKOH4v/u97SrPe7hCoT2luQezSJLNea++yamZbH78Wec7BtCNCcI+PGhQfn//S6aYzmWYzmWY/mHI0IppdbXZr1Yqlf1yyNocV1dt7upOUwsFqdcqnFwcIAIfLeKWDxOcyIOgONUyWQyVGsyiM2GQiGam2IBH7t+6qvzaoP0M5+ZLJNHbW/D+t5hKz4ehe5uRF+ntsRNocFl+RJqcxu1tKTvY4bAthFvX9HXVSuogzTMvADLQrx1BWybQNM5FahUUHee6OfFLGhpQYx7SPtqDRwX9fQ55AtQLXt98bwNrtD550Od+oCwtOmBz2r6fuNjiOYmaPJi+ftp2NmBtTWv47bH/uV5Gc6PIJqaIJYIxhtA3X2q89YrZR0Hb09BXy+iq/XwOAVlTL9xFXz9349d68dyLMdyLP9l5WuqnwmllELqIiH4ZUYbi2T4lbMA1cBXrcFojUQpr6rypAt1qMPlyXRFsEPiB3e1RpBCg7QEnkLHPHK9X5BC54mrxvOBUl4s27NG/dsLA4RXOMT1q241pGoJERCx6Ec09M8rEVoHkx1+PkqBYQT9VD4xi1I6Rz9gWAsGL/iOlK7OmVcKZTRUc1MKiXu4vrjQ46GErkJnKFFPhVMqQKsHGIRX8ZAfy7Ecy7Ecy6+efFMZ00q55F2pkEpiNBTKkEoRCmmLs+pUUFIFKHBDabS1EAI7FAIlqVZrDVW0vJxyoRW/bYUwLYuXTLgjsepGpHW1WkPJ2pEeCUzTwrIMT2n5xDL6wOE4CtdxsE0Tw7LBMKmVy0g8PnLpeQwMjeyWShIKhXXbpAIpqVVrGEI/B2EE1cOklLiOg5QuUrkYPpmOEEih4+6GZWKYJrLm6CIvwTlFYBiGHiu/drivuF2HUrmix1Yq/eyQBukZjeNlmKA0855TqWKaJsKyMPw4+tcVEzmWYzmWYzmWf3RiAXzyxS0AXZKzwcpWSmHbNsOD/ViWzbO5Of251OlhQmmLsb29jTOnz1AulZibm2NvX4Pd/HKnCoN4IsHwcA/dPb0vg918feMzhkpAGFQcxZNni+zs7ATANCEEtmlw4cJ5WlsS9esBRAiUYnbuGVubW7SlUkxMTCBMxf2HD8nkSiilsPwDhmF6fRT09fVxanQEhKBQqfDkyRNKpRL9/f2MDA95FrpLtVRibnGdra3NwDIGGYydaZoM9w0QCtksra9RLBYRwkRKiYWit6eX0ZF+QtEYwjtYKCxWNtZZXF6nWq1iKD32p8ZG6OvrC1zqHok6QlgsLS2ztLBKIpHg8pVzoJQ+VCiv3KkA6ZU8fdkDcizHcizHciz/WMQCyOVzLMwvkMvl6OjooKe3B0MYVCoV9vb2iEZCtLe1s7q6yvLSMrYdpr+/n3gkTPrggPn5eUKhEK0tzWSzWR4/fkwmkyHV0kRvXx+lcpXi4iK53C6mZdHR1vr1rRIGlXKJ5wsr3L59G9D57bZtUygU2N3exHFqXLpwjtZUCmGagSt84cUL7t27x8L8PKdOnOTMmTNYlsX09DTbOwekWlP0d3UilaKmYGFhAUWNK1eucGpkiEKhyJNns9y8eYtCIc+pU6cIWSZ9/f2AtoTz+TwLC4usb27R1NREV1cHANvb2xQKBdRVh5HhEdbX11laWsJxJJ2dnchKmc2NTUzDZXBwkHAsAkKwtrbG/ftTbGztkkqmsAyDpeVl8oUMhmnS09Wu67h7CP3l5SWm7t/n6ZM5Ojo6mLx01vMmNChsJRsOSA0hhKO88cdW+7Ecy7Ecy6+0WADfe/83+UF6l1IhR39vD7/53ruYhkGpXOXRzCNakwkG+7u5MDHB6tIisXCIK5cu0tWRYmZmhi+/mmbq/gwfvP8OY2NjbGzvk83n6R3o5d1332Fne4+vbn7Fs2fztLZ21RW5aLQ0aVA8klwuz4MHj9nZTvP2mxc5d+4cjuuwML/Azs4O96Yf0NHRRnMqhS2gWi6zvr7L51/cZH1zF0EYaRvUDBA4SCFxpVag3/3ONQCqSvFnf7bJ3r4EZZEtVnk6O8f9u/dJJJqIJ5PsHGT47PZ9rosQPZ1JIk1NjI4Oc3Cwz+bGDu2pDt59520MIXj48DFzc3M4uHT2d3G2eoaD/X2KhSrnz57HMhSPHs0wNfOUmjLpH+glm81y6/Z99vcPODk8wMWLF3Fkjezf7PLs6Szt7R20JhPEYnFqElZX17j11T1WVtYCwhch3QY8AQHBuiE9Zf66OuLHSvxYjuVYjuVXXiyARFMTpmUhhCAcDtPc3IzrOGSzec6cOU1zUxTTsojFosEXo5EIiUScUMjGdR1KJe22DofDWLaFK13vOzGisaKXZ16lVqu9zLV+FDQtDFzpUiwUcVwHy7aQ0mV9bZ2nT59SKpWoVquUymUc16FWLbOyssJXX95DupJIJEKlUgkUnWEY9Pb2ErITdHR0EItrlL3huAiPAU0pxfb2Nje/uglS8ub1N0mkWnj8+DGPHz/FNAx+54PfIBQKEYtFsSyNI7Ask1g0SiQSYWBgANd1SKaS2JZNOBwOMASxWJyhgR7y+TwPHz9iZmaGUMji8ZPHzM29YOzUGGfPniWVSlGplenp7cWyokSjMWzLplqpsLK5zVdffUW5pMdED5Vuf72S2TEt67Ecy7Ecy6+TWODHvE2UNCkVq+zv7VEql7l39wFXr1whGk2AkkhpgrJwJWSzeUK2SaFQxgwJEi0xTFMgDIUQJkKYlIpF9vb3A4KYeDxEOGLWlc5rsp6U0CA7UygMJZHSZnV9j6dzS2QKVZyaASqEaViUS1U2tnaYmnpMuVrh8uXLzM7Nkc7uadCYAsOVXLlwEdd1iMcTGrSmFHvpA1wFiXhCK/9SmUw6TUtzita2DlKpBIshm3Kpyv5+BuU6COniSgeQSCEp18rsZvchq13rqVQrp4aHsQ3NbGea6GtljXhznFhTjErNIVcoUqpU2T/IUC3nScRDNDcnMC2DsLC5eOE8pWKZZDJJ1VFsbm1x685dspk8586fY2dnh5mHj3EDK1y8zJgnjnPIj+VYjuVY/rHLS1zrOzs73Lx5E8d1WVnZYGJiApTEbUjNch2Hp0+fkoiH2dnZIZlMMj4+TjweJ5/PB8C0vf197t27R6VcwzBMxsbH6fdizd8kjfXNHdclk8kAMD4+zpPHz8nlcgCsra0z/XCG3b1drl66zPDwCOubmxhewZByuUw4Eae3r89LIXNxXIdsNsud23eQUnL6zGmGBofI5/QzpJSUikXCYRPHcQOUvvJSu4THBW8aJplMhocPHuC4LuVsmXPnztPa1hag0l1XetcbCEME35WuRDbUaHddqWvBK4lpmnR3d+OnGSyvrDJ1/z4rKytcvnyZE6MnqFQqWKaFUopqtap55Y9d5cdyLMdyLL92YoBWUIaXPmVHwrSl2mlJtAQKWRlGQ662/k9TUxPNyRYisShOTZLLFnAciWFYwTXhUJRUS6uOr587zfmzE3S0dxzO3X6F8hEKL4fbQEpYWlxmcWGJSMhisL+PeDSMKbTln94/YHNjm0q5RjqT4f70FBsbOyhpsrOdZmpqBlc5KCGD8qK7ewd8+tlXzD5+xtjIKS6cH6O3pxUMEyVMStUKDx7NcOf2fdbXthAKhI/mV0r/XyqkgpAdoS2epC2eJGxbCOkE15kYmA39U1K78IVUWIahvQUKXCUQpuWxq0oUFlIZQcw7nSmwvLqJU3PIHGR4+PARy0uruK4gnyvzxc1bFMsVz8NhePnkf5/L5FiO5ViO5Vj+oYoFOhfct7g7Ozu5du0atWoVOxwl2dKCvkZoZS91DHpsfJzOrlaEEMzOfcbs81nGTw5rXnDAEAbt7e1cvnyZaLTB8FffTsv4VrDwUN2dnZ309PQSi0UxvLQx6Uq6e3q4dOkSNafmFQCrew5M77ogL10YbKytcff+FHNzc1ycvMjly5dpaU0ESrYxza3eZP8zj/nO0Na1dCUtyRYuTE5imSYbm5vEY7GX+hAciBoscHkEeKYaYtzVWpW553PkMmn6+/toaWnh0qVLVColDMNAqfp9/XkRhtDx8eNUs2M5lmM5ll8rOeRaN5AI5aIEWOEQExMT7O7ugnBoaWlBNihF0zCwLQvDMAPL0leEStVAOAhDYZhg+MxoXs71txFDCIRQKOXS3dPNuXNnGR8/Sblc9hLHde52V1cXvd3tWhEaWkGWihX2dndItaa4cOGCVpxSYgqDjY11njx+Tiye4MrVSZqaohgYuNJBeP2IhmwmTo+TSiZ5MP2A1Y1NrbyFJmNRSoAyPDyAwjAl8aYEI9Ghw2VDlf6Or6R3ttNsbe4SiYbo7++lpUUj4HOFEvv7B6xubDMcjlOtOjx69IS1tTXeUAYXJ8/Q2Tah67wDihA3ucnW+i6JaIwrly4Ttr0Sq4YZEOMcc60fy7Ecy7H84xcLYGlpkXK5hBCCfL7AysoKAJVKjadPnzEyouPaOzs7ANQch82tLWpOif39PaLRGB0dHSgpOcjlKBaLSCUpFgpsb2/T291Rr352FJAFr0yLsiyb1rY2dnd3aWpKEAqF2E+nOUgfUK1W6erqIh5PEA6HCYf0PSWSrc0tSuUSrnQpl8scHByQbOnSpVUVOI5LpVIhGo0Rj8ewvHYJQ1u2AKZlEY1FicfihEKhQBFL6eK6kkwmQzabRSlFuVxmd2eXWDRGKBT2mNcUhXye3d1dKpUKrpRsb2+xsbHOzs4Og4NDnDlzmo6ONpqamqi5gsXFRZ49m/XGwyCd3iccDgeo9VA4HFDNbm2lKZVKuI6D47ocHBzQ0tKiAyW+Ej+WYzmWYzmWXwuxAKamprAsi/b2diqVCjMzM7iuRCkoFUu4UpLNZtnaWqOjM4VhWCwvL7C1ZVMulxk/Pczlq+cwhGBzcw3pVOloTeFUqmysrtPW2qxpSX2pV0fRsXDjiMmoXJqaE1y6PIFUJaoVTYIiVnTt9EQizOTkJP0D3ViWlz9tmChXsbC4SK1WoaOjDcOA58+fMTzU5d1YEomG6OhM0dzcDMLVRbtdHb+2w4b3twShkIFpCeKJKF0dKVpTCUzTolQqsbW5SalUoruzFQOH9fV12trbCEUiAS/9wUGand0twmEbwxLs7m1RqdTo6u7k3PnTdHS0EwqFiETDXL1whpgFy0trzD56hmGYRK0QY+dPahY4K6QdGaYG662uLZEvHNDZ2YJtGTx58oTOzk4STU3eQcJX5sfW+LEcy7Ecyz92EUoptTD/SMdslR8DVsHvhhC0JOMYpsHe3gGGELrmiBAgNEguEgnR1d2FU6mRPkiTL5b1zaUiGo3S2tqsUdXggdsM/+lakR9VNh7jmCt1bnex6HGte1yspmHQ2dmplaRpIvwbCFhdXaVcqVullm0x2K8VuYEgmzlgZz+LbVn09XZgmgZgI6VLqVxlY2MT2zbo6u4mZIbIZDLsH2QJh8P093ZQrdZIpzMUi0UwNNo8Gra0Yo5EAu9CPp8jvZfVXPGG8ChcBc3NzbS2NmHZdj327kqymQyZgwKO4+pQBJBqbybR1KS575UMhm17J00un8OQ3nyZkv7+fkzbPhy+OGZuO5ZjOZZj+cch31T9TCmPG93zcDtC83YLL+btV+dCHK1C5smhSmmeInkVLWhwDSAMlOGipMQIqpv5bvfDVdNeqrLpVQ4LLHvles/y72/W76NUULVNSPdQlbLgvl676tXdPFCahxyXShcxqR84/IOItpBfWfXNv66xSlrjWB0du1eK6VVF8y7172Pouuw+BfuheWmgZpV4zG/HCPZjOZZjOZZfbfkaRf5ywNorvqErgipdRhMa2NjEYWS08kt5ysMK25dG/m8/Pu4rVgTCMF5OR1Pq8PcarUr/Gq8a2UufN7bhVdc0INO/ToTw22XoMRBGw729th1V4koeHptXUaM2HnCOyqss6IZ8et0n7W0I5sV/rj8vx8xux3Isx3Isv1ZiAdy9M6V/U5pgxBSudq0bAtOy6O/poqOjg71MjoWFBa8MqCZG6ezspL+vQ8e5laRaqbC+vk16P43yTMlEc5j+vn5icZ/i1a+KdkTxCy8HW5hUyiUW5lfJF/L16l8YXgqY/v7wYD+p1hTCFB5aXFvby0ur7O3t09ycYGhoENvylTxeO6FULPP8ma7m1t/fT1trK0pAsVhkfn6RWs0JnuNIQSKR4MTIMEq5bG5ssru3iwrKuXr9UQLDMOnsaiUcDrO16YHdlEcgI3QKWjLZQm9vD7FoRAPwvHHI7BfJZrP09qQ8ghettAUmxVye2YUFKpUKhtTJBqYQRKMxxsZHdb66qI/tYfHry7uHPCeuq0MXKxu73v3wQiEt1GoOW9v7pFpTDPZ3Y4dClIpF1jc2SO9lSbW20tQUZ2dnh1KlrMvfBk4Hg0QiTl9PJ4nm5oaY/deLOnTmqpeOPeTNaFwviiOYgG8vjuOwvbPL+sY6Eot4LM5gbxfRaJT1zS22t7dpTiZJJpPs7+yTL+SR3rnXwPGaIQjZIQb6eymXy2zuppGuBOUE61QpSUdHB729vTiOw4sX85QrBQYHh2htTWIYBpWyw5MnT3FdydDQMK5bZW1tDSXNIITVKNFohNHREZaWlsjn80gsTMOkKW4xOjKKGdKHPOm4pPfTLK2sa7IhDqdVJpMpBgYHCPvXuy47OzusrW/T1NTEQE8XkVgccIOCPa+UI/OivL1hfXWLre1tlOONl2EwMjxMMhnHMC2kcrzxfE34Jzj0+myQPovhYWbIg0yBpaUlqtVqsA8YhomUNZqbm+nv6yIWjR1u69f1odFogcNGhf/5IY+jnyVy+N75XInZZ89QhoGUrs56Qa9tKV3CtsHIyAhNLU2gFFJKKpUyL+bXkNKlt7uD9q4uUDVQklKpwvraOvsHOS8FV5JMpujtaScWT9THR/ptNw6/P97fc9miDkHWygwNDpJsacYwTQ4OCqyurlGtlhkbO0UiFvEMg79lSus3hfReeo/19YVihZWVFarVKp2dnXR3dYIQZHJF1tbWcDyQc1dnyrvRYQ/qr7NYoNHoq6urlIo1Wlpa6GhPAuAoyUE6jcl5TNPi0dPnPHr0iN7uHoQQFPJ5NtbXMY1zdHXpOLTjOuzv7fHk6VMO9nNEYzHGxodpa21rUOTfIB56fmZmhq2tTVLtKY3KVgaO67K5uUat5hCy36a5uRnTMNGbJqyvbzA1Nc3q6irDwwMMDw/VF7OSgEmpWOLZ7Cx3bt7BNAyi0SipVIpiqcSTJ0+YefiYZCpJyKsHns2XqVQqhCyTlpYW9vb3ePr0GXvpfRKJBJ0dbbiOw0E6S6VS4fzkGbq7e1hdXWV1dZWqozfzpniUTCaDbZtUa1WGB/oD3vdMJsPs8wX29/Zobr5IOBJBSo1ByOeyvHjxgtv37tPW3kbYjOrxz+WoVCqYlmJ0dBTL4lBWgK6X4hHESNc7xNQ3IFmrkclkmJubY2dnh2jYZmR4BNs2WVtbY+bRMzq7OkFdoKOjg82NDWZmZlhf2+HkqZOcPDnKxvo6C8tLlMtl2pIpkqkkhUIRgHJxmLHxMaLRyLeadj8vfmNjg1gsSrKp5egFh0M4/gZ/VNF/m2dJSS6XY35+ge2dNB0dHTTHQli2xcLiIg+mpxk+Mcrp8dNsbm2xMD9PtlAklUyRTMYxDYNq1aFULBEJ25iGwfz8PFtbW1gGdHV1EQ7bmvkwlUIpRSQS4d69u2QyaUJ2iFSyGcOyKZVy3L59i1pNczTE4lEWFhfZXN9BCIPe3i4i3hiWiiVKlSK9vT3s7u7y4sULsrky8UScifFRqn1VoqFoMJ6VSoWlpUU2NjaxLJPWtjZi0SjpgwPC4TBSugwN9GJaFru7uzx88IAXC8ukUilqZ04zOjpKJBH7mvAPL4WNlJJsb+/wcOYR29vbtLYkEYZgdX2NUqnI6bETtHd01A8Vr7u193fpOhTyBbLZjK7MaPrf8wiT0mkePHhIKGRTLBYpFitepotFIpEg1ZLQivyo1+5VffD/L+psji+tqsYDpno9xqdWq7G5tcXy6gqO49LW2k5LsoVyqczq2iqxiEVLSwtNzbocs2EYlMtl7t+/j1OrIa5O0t7epg9ywsB1XfbTaTa2dskcZMhkMgwPD9HW+gaxWLzejkMpsOolT91BOs309DSZ3AHxWIyW5iaQkvR+mvv375PLZ0ilkkT7+zBt0yPn+hp5jRfx6Fi+NNZH5iGfz/PkyRP29va5fPky3d1doBSZTIaZmRkK2RxXrl5pUOTH4osBcPnyZQzTJJvN0tLSwuUrk1y+MsmF8xO0taUAg7W1De7fn6ZcrnL69AnOTowRCoWYm5vj8ePH2g1vmoTDEfr6+2lpaSGby2IYBn19fRolDkdeGPHSKdYXx3XIF/Jks1k62tq5MHGOK9cucOLkAK5rcJDOUa5UcJQ+6bqOZGc7za2v7vJibon0fpZ8Po8rpXeCd8GwKBVLzM4u8OUXt9nZzZPOVKhUSyAkW1u73Lx5h2wxz9DICJcvX+XUKU09u7GxwdTUFJVKhd7eblqSTWSzeUzT5uyZs5w9e5bWtjaqtSqlYomOjg66urq9U3aJvr4eLl68QHd3F1tbu8w8fEw6nSF7kGVvO83skxfMPHrCzn4ax7NgDMtCGYKNrT2mHjwis59j/ORZrly+yJnxMeJNLaxvbvPpF59TKJUawhL6n5CA+wp3vzcHtm3R1dVFe3s7mUwGx3EZHBqkubmJSqXCfnqf+fl57t6Z5unj5zyYecrs3CL7mTSFUpFUqpne/h4Mw6JQKNHV3cH58+fo6+tjf3+Px49n2ds5+OZV6M2PdBX7e2lu37rP8tI6jiPhaPTH8GJEPgAQ9P9fh994jRimSXdPD/39/eRyBXK5AqVKjYNMzjuQ1bCEQVM8Tn9/P3YoxMHBAc3NzVw4f54rV65w9uxZkqkkQgi6e3poa2ujWq3iOC6nTo1x8eJFmpqaWF5c5/GjWUrFCrlckcxBhfR+mXy+jOsoXBcyBzkODtJUqzW6u7oYHhoik8mRzeY5eWqYS5fOc+nSeUZODBIOW5gWDA0PEg7bHGQOCIVCjJ8eD0Cl/qEo1ZrkxAlN6VurOfT19nHp0iXa29pZWV7hyZOn7KWz7OymuT/1iPnFNYSCTPqAh8/mWFjbpOKvrddJw2FKehkuD6YfsLy8QEuyicmLZ7l48Ry1muTe3SmWl5e8uTMa+KGM+r0afrquSzZX4NnzOe7dm8Z1aNg3DKS3f7QkW+jv7w8MjNZUKydOnCAaPWI8eJiZxn/1uKP+p4T2FqrXkSsFY+F9R/pt8sbB+7ipOcbk5DkK+SoH6RydXa1cunSesfFTWLZJsVjBqXlr3B8HZWCZJnYohGkIffj2lHA4FObkyRNMTJwhlWrm4CBNsVjCqflskg1WeON8GR5Ox5Oqq8jmC2QyOfb2DiiXKkgFNadCLp8hc5DD9Z1c0kUZ5mv+Ce2VFMp7h416XzD0ZwYalyR0C4KhEgT3wQCEolaTZLN5stk8lUrN8yC6VKtVcrkc2WyWYrH0mkX46y0WQEdHR7ABhMNhj+cbiqUysXgc27CZm5sjk8nQmmqlvb0dy7aJxWPUnBqFfC6IO5umSTweJxaLIaUiFArR3Oyln/kusYa472tfFsC2bEzTorm5mfaODsIx2/vcr/zln9j1SfXjjz9hfX2DUqmiPz8UnzeRjsvc3By3bt0ml8uhpHaFG0KgpLZeDg7SNCVbSKVSxOMJlpaWWVhYoFqtkslkUEqSaGohHoshhNB12FtTxBMJQnYEpSSGaQRV5CzLBko0NzfT3d3D+voGlUqFXC5HLpfj2bNnbG7tkD444CBT8GrBH7YaSqUiB+kDANpaW2lLJZlZn2F5eZlqtcrW5haOU3vZ2mg8ifusb40WrWGSSCRIxBOYholt67GORKLBfFarVRYXFtje2qZQLlKtVoO5syybpkQTIS+1sKmpiZ6ebnK5Aq4rOUgfUKlUv3kVCoF0Fdlsjo8//pjFxRVaW1NUq1XvgCh0PXav3VJKXMf15tjFNDUtsGm+BnvwiueZpq5a15RIaI4BCDgUFhcWGBgYYGJigra2NoTQ1qthGMQTcTo6OohEIjQlWmhtbSMeDROLRol5a8I0DNrb2+js7CCRSFAuL5HNZvWh0hu7hw8fYocUFy9OBvwFyrN8YrE4yaS2OgzDINXaSld3F67jEovH6e3tJhbTwJdINIJpmEQiEc3CaFooz2VtmiaxWJyWlhYsqz6/be3tNDUlcJwa2WyW3d1d1tc3eP78OQMDA1y8cF57X57NcufOHZqib9I/MPB6a7bBOpVS8sXnX/D8+XNGRk9y9coVujraA0bIvd1dvRkLA+m6VGtVbMNCyhogMUwTy3u/pZQ4tRpPnjzl3r17RMNhKpUKYCIMA8PQWTVdXV3EYjEqFe2aFYYgnkhw5swZKpUKTfGIXmPe+Fed2qHm24aJ6T3TdRxqshZ4C5TShZeE0GFGf64c1wUlMEwDpSTSdYM2W7YOiVimSUdHO7ZtUSpBPJGgu6eHZLIVpSR3b9/BtPSB1HFcpJSEQiHeevstpCtpa40fGmM7HCYVCmHaYZbiMa990vO61d9rx3FQ0j8o6ffHX5c09KtWqzE9PUU0bHPq1CmUUrh+GCQ4SEldsbJBQiGPE8RzpdSqFe9X81CbDFP/3QpCNxJXSpTywzz687AtvPVqcJhQSwXvgBDiENfHsRyWgKJVU5QKhLCQrqBSqfDJp18yOXmBVGsMfZby6UENYtE4ly5NcuLECE2JKJZpfnNs5Kj7CkMjw4N0KT82JUklW/iN33yLYqlER3sXtm3riVciWGRKClAG65vbfPb5ZywurvLWW2+xsrzG/MI8mIaO9Xsxo1t37jJ1/z52KMQHH7zHT376CY6qIamfziV6LCrVCvenp3j48CHZbPbwAvPOlv5YAJSKRTa3tuju7mH0xCCmV17UEALDsEAZwaHFECZgEApZjI+fom9gkOezzyk9ncNQuvKbD+gTgImJUAauKFOTFW7fu8/DBw/Y3dUEPRgCzAaLxjC8/PzGGJnU75338kjpYph1hjxXuiilvHXgx/y1VVetlalmyijhU96aeq34FLTePEjvZyPNrVKvsKpfsS52dvb44ss7zM4u4DqSRzPPWFtZ1QyCkSgfvP8B8aYQQhjMv1ji3r17XtxRYJiCC+fPc2psVCvl4AD39TE0vTn4VoSBU3PJHOQolCrEm1roaG/FtvXc+ZuilBIlBTs7e6ysrDAwMEA0kdRDGxxQTQ+TaCAwcVEI0wwsERfFfibNvalpKjWHM2MTCGFjGK5ui5AgZMM46vvNzy+zv5/mxltXg3H12f6EB8zEderd9taCxP9n4SpDR1oEuMrEVYZ3SD0gny/R0pyiv79fb95P59nby1AslalbWq96v+ug0lqtyvbWAblshZbmFG1tnZiGgWnA++9/h2q1SluqFZQkmy3y4Ycf6pkyTISh6O/r580bb4CAaqXCnbv3mJ5+yv5ehkg0xH/44Y+wTUE0EmH89Bjjp08Ti5rEohE2NrcOrbtELEwiEQ32lZoDT5884dmsxsa4OMRjca5ePE9vXx8Syer6GjMPZ8nn87pEsJQo9Dprb2/l+vXrxOIRbt25y+rKJsNDQ/T09nL37h3K5TJCCC5evMCJEycQpoELuFJ6YFW9t2azeV68WODNN9+gs7Md14X5+UWmp6Y0e6YZJhKJMHHmBM0trXrMFfiKs67MDL1fe2vKEDpuPje3zNNnT6nVHFzXIRIKc+H8BYZP9nvbgX6vlbTZ3cnyxVf3qNZ0CWvTjKBUGcOwkCgWFhaYefgUx3W9dejyxhtXGRoewjAV+VyOv/nwo8CL6IshDOyQzdtvvU1XZxNOtcra2jY3b94EoRV9yA5z8uQpzk2Maqtd+kBkT88Ylheq8ff74/Sb14lW5IbwTlGC1dVVPv74Y2rVKotLK5w6dQqjXb/c586d4/nz53z55Ze0tLQwODjIyMgIdqNXU8rAwjEaqn0Brz/Rv0JC4TA9Pb3ebwambbO9s8nDhw8plUpcvnyZ/v5+Njc3mX74kP29fW7cuMHZs2fJHOQCnnXDA+nc/OomM4+eEo8nuHbtKqlUCsu2gs25UbQl4JDL5Whubqarq4fHjx/jVzFrRL3v7u7yxRdf4LraLXT69DitqVRQ310qRalUYubRDFubK2xvb9PS0sLY+LiujR6LobDY308TCi3r3r4CeBNQ41om21tbJJNJ2tvbefLkSb0P33SQahDDaHBNHxHlxTmFEDpE0N5G+uCAWKKJQqHA+vrmkXvp+N3s7DMymQwHB2nC4TCnRk/Q1t7+rdoTi0bp6ellbm4O15G0trUx2NeNYRqYdjhg4Hv69An37jxkP53mjWvXqDk1Hj16yN27d0G4er3+LVlwlFQcHBzwbHaWSqXCyOgI42PjWKbeSPya7/778elnOnxSrVXp6Oh46X75fIFbt28Tj0VYXFqis7OT02dOY4fs+iaqFPv7+zx6pEMmvvcB6nNtGAaOU+PO7dtEozH299JEopHA4lFSeQrQO9z6ACdk/Z1rWNu5XI7Hjx+zubnK+sY6ra2tnJs4R3NTBL+OQOO7IL/GW/a146nqdQukdMG0wXWDyoeWYbC5ucWtO1MsLCxy/fobRKMxlpcXePjwAXbI4OLkRc+i7aClZYP0/j6xWJzh4SEiIRvT0HiVb9cgSaFQ5NnzBaanpjBNm5GREfKlPOvr63z11Vdcv36dzu4u8oUCix5w7vT4OFtbWwG2Z2FhEYDr16/R0dHB6somj588JpPJ0NXVjWkYTE1PcffuXWo1h7MT43oevfl+/vw5+VyOXD7H2to6737nhp5Pqb1ZwyMjlEol7k/NYBgGg/2dr+yO9A7cjcaFYRhUKpUgFCaly8DAAEopVpaWuXnrJtKoMjAwEMyRL/t7ezx4+JBIJEIhnz+0/pqbmxkYHPCUqMHU1BRfffUVlUqFEyeHqNVqLC3q8Ro/PY5Tc0gfpBkfH2d6ehrLspg8P4HjuNy5fZetrS0mL15AKcX62gb3p+4jKDIxcS6oP6GrQ7qsraywt7eHsCNBe4/WqDgWLYGppNOtHBAOpmlimCaOrKCoYZoGHR0dXL16kQsXzmIYFgsLSzx+NMvm5t5LMZk6pak69PtrlXgQY6F+nVKYloFpGQjTYHt7m4fTT1la2mR4tI9LlyfoaGtnb2eXpaU1yiWHWq3G89nn7O7t4kqXbCbPo0dPkAqeP3/O1vY+NRf29tI8eTKLU5NIF1aW11hf30Tosms4juTFiwUymQydnZ0MDg42uNpe3txM0zxUotRX4r5FLjAxhBW4gJVyUcpBKQfTNjFtQDhIIXHxMgaU0jEkHzUqJE4VHs08Y3dvj46ODgYGBrBsG+kp3UOQg0YPldA55a5SZPM57ty7w/SDaQ6yB8jXgni18komk1y4OMG1axc5P3GWtlRLwK3vi/Tqs1umhWWZtLWlmDh3hjNnT9DcEqUeHXvdP+12HB0d9dD6kq6uDibOjTM5OcGZMyd1HXsM1tc3WF1dJxKJce7COOfOjxOJJVheXWdtbV17P46up28hhmFgWCZ4SlHzJ/j4AonP+6//D8JQ3jy6r33c/PwiOzt7tLY20z/QTTgc9taRZGCgj57uPnK5ArOzs4c21kOFfry5sKx6oaD65yZSqrol4ynzcrnMysoKm5tHDlzCwDRNTMv0AKLgSjfwHrg4bO1u8dX9u8wuzVMtlb15/ob5O/Je+wd5f6yK+Tz37t3j3t0H3L//kI2NXdL7OZ49nUO6gmq1RrVapVKpsbub5vnsC5Tntu7r6wsOS/F4jLNnzjJx4Synz43T3tF2aOClOPyvoePUnArra2tsbm1RqtYoVWpUqw7FQpn5xRW2dtL6Hq6LkgLbCjM0OkSyLUlnZyednZ0UiyXm5uYplcsMDAyQSrayu7PPzu4WY2MnOHf+LJFIiNWVdVZWVoPDVn2+hLdPKJTyalEIME3o6Gjj3PmznDw5iumVJ1ZSHMZ+eAvNEALDrLuxg/67irXVdVZWViiXy7iOji8Xy2UWl5fZ2tzFdQj2KWEKhk8M093Tw/7eHssra5RrDhgKifYOSQm1mkOlUtE4C8dhZWWFjc3NYJ4dR1KrufT2dtPZ1U48HmVs7CROTbKwsMTO9h57u/ssLa3gutrTUqlUKBRKbG5ssbyyBsIMDjz+e7W9tcvS0koQzjuW14sFh10W3V1dXL16lUqlghSSRDyOVCoAnvX29dKRauPRo0esrW1QrdWwzPN0dXUFi6tRGiuKNXxIA8rl1dKAMN3d3WNm5iGLS6t0dHTwxrVJHac3TJqbmxkaHKLm1CiVSpRKJcolzSxXLpd10rwQdHf3YIabsG2bvb19vdC9uFY2myWbzQWbeLlc5vnsc3p6u+jq6sJ1Xl8Zrb29ncnJSQBWV9aD2KZv1UqlCIfDnDhxgjOnR5iefsCdO3dZWFhkeLCX5uYWhGkF3wF0jPAVBwfHdbh37x7trW20t7fjuK6HbDdeHuNDQ2kghAcgzOX4/LPPiUajRGMRBgcHX3F93UNjWRadnZ2EQiEyB3levHjx8vWG0Ax6Q4OcP38ByxKYpoVtEVTD+yYxDINQSGMilFRYlo772ratDzTeOFSrNWq1WpBtoAv3aPdwtVr7hqe8ZnwMQTwRZ3h4mNXVVZaWVmhtbWWotxXTDuFXmFNK0dvby5UrlygWCmxsbhKJvIzIj8ainD1zlmQyyZPHjwPO/0jYj2sqxsfGCYVCPJx5yNryWjDuvvjrzbJsJiYm6OzqZGV5jUwmc+gan09Au24l1UqN5eVlnj17RndnF93d3cHaiEQijI6MMnpyEEMY3Lkzxfz8POOnTgbpablcju3tLXK5vM7UaKRWfu0AvtzuQGkZAtd12dreZm5ep0++89Z3aG5uplKpIIQgm83i1Go0NTVx4sQoHR1tgffLsnVGgBACw9CYgGg0rJ8RcFd8swdGSkXNqeG6jva25XNYlkFXdxdCSZqbm70wjRnMQygUwjA03sUfw0qlgus4hEK2PkRLHUP26yJYlhUAC/215cvw8BCXLl5ib38Hy7LqbJeAZdtYoRClYkl/R+pD1uuMH6XkS3ur8uLjUmoFns1msWyb7q4u2tpaaWlJ1jFBSmHZFqfHT4OUTD94wNb2rjdW+t5bW1s8fvyYJW/fNYSJU6tRrVWpVqtIKYP+GaYR1KWwbItQKIRUknK5jOO6uI5DtVrFMAyy2Sx2KERra6v+54VaIpEIPT29VCoV9vb3MESrxlXs7SGlpK29nba2tm9ej7+Gol3rXgQNtOs2GgsTjYW5ceNtatUquXyJpeVVPv7oM1rb2vjd332f8xfOkC/kmZubJWTBb/1WN4ZQcEQp+WCLII7mLzzhoR2V4nXIdf/aZ8/nefT4Oe1tzVy5Okl7eyuWbaKAkRPD9PZ16I1ImQhh8POPvyCd3qOzNcUbly8hBdx4+y2k4wYKYX8/zdyiLg4zenKE4eEBlpc3MJSBEJKW5jgXzp1maHiQ53OLuv2GrtkuldBoS89SC4dtmpubSSUT2HbDxicslDAwDZdI2CSaiBKK2EgMKjVHuzGFiSPdQ0PgyBrKUAgXBAYuKnApxaIxLl87z+ipQZ7PLmjTWHmAEP+dDl5u/6cB0tXZZ65LsezgqirS1fFuv+qbEAph+ACTelU7y4BIyKZgGd7fNWDFRHiAU4mQLqGQQTwewvKr3aE3hbqF9hqRErz67NJxdJuERb5YoVYrYACpVAphGiipPQDCUAjXAGliKAMTU8fnpfaAeDd+9fOE8FDJ3sFMuliGIBKySTY3sWJANnvAfjZHVyyGUi4SF0tY2IZNNBIhlUySSnVSq1YplopEopH6eFmCRFOUq32T5PNpZufmmXn4mAsT54La9pFwmPHxYaJRg8/LFba3twMPFsoI+mAYglDYpKkpzomTQ5SKRfb30iSTSW+qNY5CSAVCb5LTD2ZZX9+gra0d/HkELFMSjVjEwlHCtg2uQ61SQsoaQigMaTDYN8i165dZX1vjq/wtD1xWZ5MCqNQcCvk81Yo+7MUTJpFoVAM7DYNUa5K9/V0K+SLZTJ7WVJw3rl9hYWmNSjlPqVoiIRKBwr9+7QqpZJJCsUixUCQSDek1JQwMVQ8TaEXlsre7i1RKAwzj8WCeBSZKisAwcVFoRICBQq8LgUl3V5Ib1y8RDofJ5TRCu729PfCiSVXxrOkqlhFgrZEYmIaJ5Y2pjzVQhsBVykNi6/CGUv5h2MBVAikMrLBFKBaiJ9xBa+t3CIcj/nTrZygLDBMllQZGGkJjL3A1X4Lr4SCUpePtGAjD9hQ6wRihDNrbOrn6xiRNTQnyuSqVSlVTQ1tCV3oUClMoImGbkZFBhCG5d3ea7e1tDGVjEuLpkzmePH5OW3sL165dJhIJsbu3Tr6Q1SWtPRe/oQxwfJC6QEjljbSlsThCoUztiWhqivPG9WvE4zEKhSqVSoVEwsZViuZklIlzY+S9tNBIJExvbw+3vryFACYunmJooOfr95JfU7FAIzV9C0y6GhHsvzy3b9+hs7MT13XI5/NYtk2tVsO2tfWkXWIVL0Zngut496ufFH0k5LeNjx+VSqVCqVzCMJJEI5EgXgr6JGvbTfoXKXAcF9MyNUGJYRCN6PhfLB4PFJ3mVddWuyE0yCMcDmN4bvF4LML169c5cWJYt1+6GA2ISqlkcGr14+CmZWJbMU9JaBed4zpBLMs/JftxR8MwkFLHEKWnVHy3qeu6OLUaNoDwkPWmtkDfe+89Boe7sSwrUJLBydwDyL1koXgMdAYKYQhMS1sd2qJ3D83VYVCfF497RXzKLw0rvXtIpTcfV0qsBta5b1TiXh9RCiEMbMv2gDiS+fkF7t69Qywc4Q//6I+IJRIYHsLY3+yCVD3T9Hjzv1l8a0YqFaCNAZqaEvT29lAol5l9NkskbPL2W2/hevOo/D66+vuFfJ7pBw8YGelldHT00OFVCEE0GiUUCmn3ZqkYlAH25ywUCnHy5Eki4Wb+/Z//eWChKiV1FgIErnPXcRBCsLOzw/2p+/zB7//BoWcB1KpVHEe/p7470nWcQ7FH19Xvuh8Lty27fh9DW1WJeJxIJFLHuvjeMc9qT+/v8+lnn7G9tQ/ApctnmZw8j2mahMNh3n33HZSSvHjxAsMwefedN4hGI4cQx0opTFNv9LFolEg0ytNnz7h//z59fT18//vfPxTfF15b9nZ3uXnrc8rlMpMXL3Lx4kUvDCQPjb//U48Phz63LJtoNEoul2Nqaord3TQ3btxgfHxU99fwD1EeA6UhUK53ODhSXdB/hiv1+y5diWlZ2N4arVarGN66lK5EupKQra15oQ7fw3Gq1Go1jQuRhsbqODUMIb1jnaZmrjk1PX6G6YVG9J7tg+oM08SybcLhMLWao0sxr65y5eok5y9cCJ4pXX19KBTizJnTCGHz2aefUiiUUUpRc7RL3fC8X4lEjIi3n0of/+DPTwMWyh+/xncLCDy2cQ9x//TJExYXFzk1PkxHRwemaRKNRDAtM3gXLNumUqkQDoeJxWKHClMdS10sgH/3Z3/B5vY+EoPn8wtk//2BXpzKJHOQIdXeyslTJ7lRKHHz5k3+5ic/RQhBqVjh1PgY19+84hniknwhx/SDhzx//hww2NjY4s7de1y+fJmurs6XAVnfwjNmCjTu1j/xqSMbtvRPqvDJJ79kcWERpRRrW9v81U9/yj/5/e9jmBY+Q9bayjq/+OgjZKUMpsm9e/dQUnHi5Ajfff873PzqFrfv3OLx48c4jkuhkKct2cp33nqTiG3xcGqG2SfPMYVifXWF27duce2NN+joaA8YnBaXlngwdY/03g6uhJtf3ebho0dks1naUs1cunSRRHMTH3/ySza39tnf36dYKuK4Dh/+5BPC4TBXLk1y4sQJhgd7ufHmVT7+9Etu3vqSB1PaJZct5InH47z/3XdpSXipKj5iXUmkIfRQCz03CEGqrZXvvfceN2/e5PMvb3F/aoZSIUdPXyfvvvsdkqkWbYUJiTBcDMMNDgmGHyf2UNWrq6s8n51le2sXp+byYPoRlhlm8vxZnaLybTFnHvNVJG7z/d//Hj/72S95+HAaFx2WuPbGVSKREALJlUuT4Coezszwgx/8ACklm1tbTE6e5dLkBc1H/w1MT0IZVMslZufmuHnrJpVKCUNoTEY8ESMei2vlWyixubnD8vIKq6vrKKV4Pvuc7e11TNOgWpEUSyV6+juZefKUBw8fUigWCUc0CEvXK8BLmzGCsVNojIQQgpBtk2xp8sZbj+/TZ8/44vMv0HiNCr/4+SdEIhrwUyxpC7pQLHP3zl0WlxaoOjUWl5f5wZ//R2pOje3tTSzLolqTPJ9f4MtPv6RQKFIowK1bd3nw4BH5XI6u7i4mL14kFgszNzeH72kJxskHwHn5vP58Oq5LNpslvb+PEIJyqYrr+gBXg2Sqibfevs4Xn+ORDW1hmkZQ+hchGRzq54PfeY8PP/yQv/nxT7Btm2z2gGg0ysWLk9pl6ymZsxNjOG6Fhw9n+MVHH1GrlTlz9ixDg4P46P3d3X1u37zJ5voGbq3G00dPSMTCXDh/nmgsQjwR48rVS0jpsLy8wl/+5V9RrWpX+9jYKXp7NaGVajigG8LkypVrhEMGC/MLIJwA4yKVJmsSCna20/zVjz7EErCztcvFixNcunSe3d19fv7zn1PI5xBCMfPgAbZpcu3qJX/h6/F1Hebm5piaekC5XCabPUBKyb1791hYWGBwaIDLly9TLGS4P3Wf1bVtL53RZX1tnZ/85Be0t7UzdvoEl69cRCnF4tISP/6bn3qu7AInTowyPDKCZTaCI/35dohEbe1NCwlUoQbCYXLyLFJWmJub5y//8q+xLMHY2GkcRzA7+4xQyOLSpYt6XAy9tsfHT9I/0IvCDcbLMA1GRkcpFkrcu3ePH/3or3UIs6SZ2sZOnToUggCJToLyDQi3/k4rRaN36Fi0CKWUmr5/E1dKpAcw0e4knZ4ihKCnp4O29jYO0lmWlpbQ+Z7a/dfW1sZAT3tgVem85l0OMhncmj6BNbXYdHV1kWhOHLbKheCV1c+OyOraDun0Pk3xGD3d3YRj9Spj9Xvon4tLS+xnC9oSNrQiODM2WkdpK0kuX2Z+fh7Xy3s0TekBWtopFIssLS7juG5QzEUqRTQSYXhkCICtrW3299PBSbolGaenu5tYPKpPq1LnUG9s7HpoZJ3DKb2UolRLE11dXdi2ydLyMtlcqQ5uQQOphBD09/bQ1taKQFIqlphbWsF1tEtbeq68SCTCidFBQqEQohF9HyjyulvS36AqRR1HzZe9U6+h7zM4NIBtWTiuy/b2Njvbe6RSSQb6e3Tsr+awtbXJ7k6GVDJJUyLG3t4ehZK2Hk1DcxJ0dqS018QvZvMNooT/0mq36Pz8CsVCASl0vPnk0EDghXEdh/29DGtr6xos5JFNdHV10dHe6lkD34S2NnAdh72DdECFmkjE6e3tJBKJsLG1x/b2NsmWJpqbmzlIZ8nlcvgbiGlKz7rV5B09A11Uq1X2tzNUa1UikRAjI8NEQzYbm5ts7u7R3NxMR3sry0vLVCo1BgYGaGtrRhiCStll9tksrpQe0thlbV23Sy9x5T3X0NX2oiEGBgZYW1sjny8gvffUMnSqkxIam9DR2UYoFGJ9eT3IYdf303PS3NxMT083Ujpsbm6Rzebp6Oigp6eTfD7P+voWUkr6+9o19sN75/LFivdsvX46OlJ0d3dhWv69dY74xsaudoPjYhoGjqPXY1dXkp7eXvKFCs+ePSPsgbtA0tTUxOBgv87rNgDXpebC/v4+a2ubngVp0d3dRaq1xeuPQbFQYHV1k3y+oGfYMGhtbaK3txc7pKsbujWDre1t9nZ3vdi9ztvu6ekklWpF4XCQPmBzU8dkBwb6iMdjWCak0/usbuh0z7HRIcLhMB9/couvvvqKppZmrl69SjRsa9Kdvm7a2tqoVCq8ePECxzUQhsA2labF7e/29kuNa3CVYm9/n82NLT1/0gPKmtobkmptobenl2q1ytr6OvmC5wHFQLoSQyji8RgdHZoBc2dnj52dHe0xUwrbCtPR0U6Hx4iWyxbZ3NR8FgMDAzS3xLXCzxRZWVmhVnMZHR0lHo+wv59m00vrc6UTEBVlDjLEEzH6+/t5/HgWgIHBHk117emB57MLGlfS10OypYVsNs/S8nKwnm0rTFtbK51dSc9a1zH1zY0dDjIZOjo6SMTjbKytA9Dd3UmqtfUV7/OvCUXrN1U/q1X3dIWvIKTqKRTqrhJdvlQeUgh+epdpm8FLrt2tvjvZR2p6Lh/DOtwwpV2y3+R+dT23ZmDdeHF4pFNXFEKA66Icl6r3meWdPC3D0Ba71y/XqXp9MD3Pg9TIc8895LsjDWFqt7k3DpZVR/qqxti+x0kvFPjVx6SUKMcJOJGVUii/n4YmJBFS4bguyouBmz55i8fNjnAxTQMlbA9NqxWmq4wgTx3AMEXdDSgMpOMECg7qoCi/HX6uuj9PyktX8t2+PjWszh0VCM816K8PzbgGmB4wzj38IlmmWQcr+ge1RnzEq7wyvgJWCtf1ctrR7l5LeEVrqIceGoGH0vXWoU8I44UYlOEje71+KIINVEo3iKUqZEAu4h+QpOtifNsCNA3ERPo/QhMgIXFd10vpNzAFnuvUDAB0oGO5R4GU+mDnxX69fGbDsDwXuJea5hF1BGV8vQkXnrWvDDN4T8E7xza8u6al+9yo5I+2Qf+uWRt9PgbXX88N7dOkHfXx1uPh9Uu6Xh/w3KXo+ZR4zz6c9++TswTiKzzvvauvVQ+P4+fcSz9EpZ+HUV/Tjf3x32/TNFFSYnr7G3jvheeibiRQkVLiSt9Sh/kXL7hz5wFLi0tEEzEmJy9y5co5zciG6bnTvbRQfz/1lr9p1d9zr2FB+ONVoNVg/JUO6/icBkfnzG+v677sevb5Fg7Ni/e5CFz/R9ahOApU9gmNDgNYHccJkPT+3ChvHF3XDQh+guk80vbGUBwcToH0f9f9O7wP/NrJ1yhyCwisHa2IVFAMRPiWLpoVzLTtIN6qL/DiZg0TYwiBEdLXBS+kcQRd2mBN+3nerxRvgfuKOwBz+W3wlUPw00BYEAqurxNVaNpS/XvQLuUr/MMxNsu2vbibjqcaR1w5pkn9RA3IxoUlNDWhIQR4wDehvBwT7/m+BeqjwpXw3JgBh7Ov5OrjYlpW8KslvPSUANGuGuKEHrhMCKDx0FVnFQMv3SpwZzUAEZW/aSi9LqREHbGqLUu/UP4G+hIyvVGJN8ylr2Bf+swwvTlt7KtqGBcOeV4aN1g9H/5a8Nai93d/Qzka99f9N3XMBg7F3AwhNPCuETz4DeLPpx0Ko5Q8FPoxLaue1y5d7HD4pfVuNqDy/Xn0OtZwkU6/826kD6heTft63rxx5GdDvxvXVXCo0u+lefQgfXS8/PLA/vyYlm7jazISGjkPAIT07m96ITDhegdeUz/beFmxHbkjCKP+uCMHQb9AjTD1XuKvx3p3jUNFY/xx04cdQ4+fNyZGg+JvFMM0MSyPT0Dq0EIkoovXSAGlkkab27bdUJZZHjpQ19fTkf6Jb2As879oeGmDPh3sK8YCXpEpElzjA1kP9y+w30y9DoWor7PD7TgyT574mQ3+93y8lWmaASvb18qR4Tjavvrvxy7114kumrKbDTYE5W2gAEidGxyJ6hScfF7z3PoUkEIYxGJREgkvjUKZuK5DIZOhWquhpN4wTVuRiCfqILVgI/HZoo7MpNKWai6XxXUk0rdElIEPHNMVtsKEQiHqellvdtlciWKpSMI2aWpuBsvwUOAChAnSwZWSvYMCSimSiQjhaAyBolatks3mPevKQggDlyq2bdPS0oSUklK5SrlUDuI6jrfDmVJimgZh2yKR0EUMHMchl9fpKLGmKJFIBKumdMqZ8BnUJOVyiWKh7Hk99OeJRIJIJIIpJNKpsZcveqdfb0FLDVZqTcVB1tG9CMCzSkTAClUf1/SBB/QzXKLRqFc8Q5JOH2DbFpFIBNfVgEAlG+q5q7rlFArpdJlyuYwMKC89yx2JZVk0NcUxLYt8IU+pXCYaiRAOh72DkiCTyVCtVomFY9i2TS5fPGId+uOjf2tNNlEulymXanpz9tqVagl7FMAiuF4Bmf0DryKWdm2aBrS0tGgOawDlUiqVKeZ9HIAew2g8QiQa8eijzQbF8mrGOOHbxFLiVKvk8lVqTg3DAyRGIyHisZiuUKfqG6p/H337l///OstDaQgEB5ksjuNq1DAgvfVkGQaJRAI7HNZr1K16ng5FsVikUqkQjUaJf9siRkoAgmKhSKlUCsY9kYgG1LVaUUovtKE9XcV8hWKpzo0tpUtLS5KQrUslI+Brq6rVv3n4V4/xq74+PG+A6xxR8J5Ck27d2+jNgfD2IP8o/o1tUAqUq683YPLiBS5cuAiA43lA7ACEe8TDEcz3Yc/Jy+IbSEeqqSn/oOG1o3G//Bahq2CMg+ceWb/B7XwGuqPrzlfgr/ncb6/vofEPDkI1nh/+HuXr349fR7EA/tW/+ldA3XXqkykYCuxQiBtvXccyTX72s488ZLC2CCKRCOfPX+A33n0Tw7IAQS6f4/PPvvQYx/SNBod6efP6mwwNDXouNffIBnlEDIPdrS1+9tOfsrG5iSs8V6TSBAvSOzl/8L33OHv2bOC68ZX8F198wcOZh4wNDvAHf/AHmJaXEtZQUzyTyfBv/s2/BeC33/9Nzp49A8D29jb/4S/+o96AlOe6Mxy6u7v5X/yT/wrXcfjii694/PixHiulkJ5rzlQS07S4cmmSGzduEApZ7O3t8dHHn7O6usqNt29w8dJFLDtct1q99sw8nOHmzTuUSlqZGULw/vsfcOHCeUxTsLOzy5/9x78kl8vVczelQXdPN//sT/5Qn4oPndKNhv+LwLuxvb3Nv/13P8Sp1QhHTK5de4OrV6+wvLLCX//VXxGLx7k4eZH9/T3u37+v+9igoPU4m5w5fYbuvl4ePHjA7rZHPOIpFIGO9b7zztt0dXXx5ZdfMj09zenTp3nrrbdIppI4NZdPP/mEp0+fcuHcJP19/Xz25Zfs76fr1olfvtO773/9J3/EwsI8t29P6Y8xsEMh/ugPv8/Q0FCwfJSSZA4y/PSnv2BxcSGYp67Odn7v93+fzrZWEDrDYWlpiZ98+EuNLhYaU3H97etcuXL1222S/hh7srq2xi8++pz9/T2dkqQUVy9f5K233tJo3UYLKpiuellg0K5f07I8B0ndo9B4iC2W8vz13/wNG+vrwQurvPFKNrfw9ltvcfb8eR0i8Cyag709vvjiC+bm5rhy5Qo3blx/pYfgUBsbvCjPnj3j5s2bZPMFYrE4v/P97zE6OhK0TQQUvgbS4zy4c/eul8KmvR2/9/u/z/jYsLdfHHnWtx3nRq9gMH7m4UNBg6ta+F4an/1QKaT0PH1Hrg/ey6OfNY6R7510AWFgGXZAF/wq1/i3lq8bh29z36Pt9sX39L10rXj1tY3j6B8g/iHI6/p3LFqR/+m/+Od8+OGHbKztMj5+mrffugRAsVzl1q2bmAacGjtJpezy0UcfEU8kmLxwgb30Ng8fPgAs3vnOdzBth0RzgsnLl6g6NR7NPKe7u4drV6/Q29vtncDRJ0PpBC61YFqCfAwd0645BpWq4tKlM5w9e5ZwOMzu7i6f/PImBwdpnJqrr/VOrDUHPvzwZyzMzlMrVKk4unJP3a2mN6TnS5v87Kc/JVcoE4lEqbkOjpQsrWzx4x9/iGPAe7/1Ad1dXbiOw/ziKl9+8SW/+PlHXHvjDSYvXkAql6npZ/T3D/DWm5dJNDWRz+V48uQJNQckFsvrO3z11U2WVlao1qrcuTmFckwuXTxNvKkJlE73++rWfe7fn6Yt1cLl99/DMkN8/PFHfPHFl4BBJBbl9p3bFEtlfud3fpdUaxOmafL82Qq379zmX///fsA//af/lKTvGTHNV25MhjDp6uzm+7/zPX7+i19QKJWpuXq8lRRUKjVCIZdYJMTghXM4rsHtO7fp7mzl+hvXaW1voVqtMvPwKa6UDA70ELLg7h2Tra1trlw9x9jYGKsrmzx69IhPPv2SN998E8eBWg0cB1xX15Q3LXBqBrWaQc11aO/q5P33P+CHP/wh2XyB69evc3psGNOyKBXL/NVf/zWgK/U5hPjiiy+IRUL83u/9Dj3d3YEr3pUulXKVn/z0J2xub3PxykVOnzrNwuIit766zy9+9jm/+Rs3aG1t5cnjOT7//HOaky1cvXoNIRTT01N8+fldqhXB1YtnCUX9OgON8grLRAgeP57l9u1buG6V3/7t3yLV1sGtW7d4+nQWlMGNt64RTyR0qOVV9/HWqXafQi5f5W/+5m/47rtveexmHvbBQ+bblsWFC5PUqpKpqSk6u9q5cGGSlaU5nSuMow99nvJylaDquJSrEscDVGksgU897GEovMpyUmhvgxI6BfLUqVNUKhW+ujNNpdqYtqiVOMrQShOTLz7/nPv3p+nq7OaNNy9hmSY/+quf8dHHn1Cr5Lh4+fLLSvclF3SDNKxnP+868Dj7IT7/OuHhLTzlqkMoCiW0xTz7/Dn7+2nGTw+TSrXWn/c6RfGS4vDxAt4cSp1Ng6KOVzj0/W97UPFDPN/y+pe+/xoF99IBQb5eOb90aDniATh6H3i5f8E4/h378To5Tjt7rVgAPd3dQUWxRCJOd4+uflatSSzLJBaPEo/FSKZSAJiGQW9vLwODvRhC8GjmEQBXrk4Qj8dpbm6mqakJpRSxWJSWZLLudnLdl6zRb1q3LS0tdHZ2ejmMglDIbgBVSFAGuWyWz2/eY3Z2llJW18OuA/M8cIhSvHjxgs9vTrG9vU1jIRPQTHD7+/s0t8RItaZoTaWYn19gYWFB11lPp5GuS2trknhM50KGw2G6urpobm6m1tZOoqkJA5PNzQ3uTU+RyWS4dOkSra2tzD9f4vHjx1hmjYmJCSwrxIMHD3gwPUN7WxuTF04zPDxEtepih0LkdvfJ5/M40uUgfYCSio6ODjo6U8zNzbG6ukqloslEdIUibek3WmHeQAT/FYbmTw+FbAqlMlJKFhYXuHnzFpFIlEsXL9HT20M4HCbRlEAIQSQSoa29nZ4ezSYXizZRq9VIJZOUyyUsy8YwBE3NzfT29pLLajan/XQ6yNdXSrG6usbDhw+4eu1SMH6+xGJRLNMOKiDF43G6ursI2SEcV/FbH/wW7e3txBMJUsmUF4OzvL7U3eqGlws9eWGS006N7u5u2pJtZLM5ajWH/f00pVJJ51sX8qQP0jSnknR0tGOYGqSWy+c5SKeDNfON+6oQvHj+XBdycSUXL17k5MmT2OEo8XiccrlM+uBA8wr41mNw77oSFQ3vxNbmBr/87CuWlpeoVq8BeIBUDQIMh8O88cYbmKbJwsIqoMMsgwMD9HS10dTUdMRDI2hqSnDlyhVOnhjTebseg6CPGA8Us5KaSMaL/Rte3YJEQr/btsdo5rOv+V4CoRSVUok796d4ODNDT28vly5dYnioB8fV/A47Ozuane6otfsqH+yhv32NHI0Xe+1HuZ41qn93nBrPns1y7959WlqSjJ7or9/jW7n4j+VY/mGKBRpFKfxTrqHZpKqVCo8ePWN0dIRkqkkXuvfyiIWhsGyTvv5Odna3ePL4BctLK5w7P0ZTk4Vp6DKAUrm40iOD+dqX8mgMRpJIxJi8eIHRkyMMDfQTCYcwDBvDsAJiAVdTmrGTzjM1Nc39+9OMj4+zvbXPzs4OPhObfrzg6fNl7tx5QDGb49rFy9yffghSebG0Bl5kZeHWBM9nXzA1PcXq6ob3d+1SkA1Vz4TnUq/k82zu7BKNRunp7uTBw4esLK95tJh9DA8Pk85kmVt+wcr6BsOjJ4jELJ7MzbG1u8PIyRN09/UQikYxzRoXL15geHiQwYEe0pmCBh56z3v+bImp6UcsL87rEhlBLES7Dw3z9WELI0By10lo9vfTLC4s0NXdwcBgH8lkC5VyWQPxlNJjaAgqFZeNjU3CNvT39WEYAsuos735LnG/3KAbeEINBDaZgyKPH2mSkIsXJ4P++OQshlmvgGQIA8MwyeVzzD2fZ2JigmhUpx0GaH3vMOdvwhqTZWCYcHrslFfSU+E6Hu7Ay38XhsSyoL+/m3feuUFLSwuJWJhi1UUYFobS1qz0rv8mkVKxurHJ6voag4ODjA4PEouGUMLl5IkBWuK6pG00FAIpmZ7RfAJ+yCAaizJ5YRLD0i7QtdV17t65w9Mn85imyd37D5lfWEEYita2Ns6On8SwbEaGByiVioEiF4YgFo+R7PWKbXjMiblciadPn1J1XBzHxTJtmpsb6GyVSaVS8/jZNwILNZZoZnR0hOaWqB7nBve/kspjUYO1tW021tcJhywGBgaYfTbP/l6Gs2dPMzDYE4BLr12ZJJ8vMDTYDxgUChXu3L2L6cVYhWnR3t7O+KkTgM5Xn5ubY3d3n87OTsZOjVIo5Hk2u0SlUmGwv5u+/n720wc8ezaLU9MN9xHgXV2tDA+PEAoblAoF5uZXuXf3HisrG3R01Lhz7yGJeIKQ4TI8MkJnZ+e3phQ+lmP5hySaa71h0z9Ip3n69AmVSoU7d+6STCVJppqCClBmQzxaf7eeuuR//tJGq/9Qf+pR980rJJ5IcOmSdvEL9GEg61UNKpfK9PX10ZpqJX2QZvbZHDMzMwwPD/P2W29z8+ZdrcghSNNaWVnh1s1bZLNZLk1OcubMGR4+fvJSXMtXIjWnxuLSEvl8gZ7uHtbX1xtcj/V+5XI5Xrx4geu4LK+tMzg4SE9fX3CfxrESh+J66qUx8/9uWSYXLpwP4oC5mSeHxubps6fk83m6urrY2qqXbnxpnL9mvP30kN29XWLhELF4nL6+Ps0dLgRSyYCVrlQssby8zNbGJi9evKCnq43evj59H6mCtK3NrS1mZ5+zubGDaZp0draTSMQbkKuKTOaA+/fvEw6HOTg4ODQOOrVKj+3u3q63ie8yPfWAEydOeIq8ke1LW4QvrSWvv7Vqlb29PXZ302x6vOh9fX3EPYaooaFBhkZGwGP629xcI1/I097epi1W49tt6kLoNC4fq6Ea6r6fOHGCkyfGQCkq5SLzL17w5ZdfYlk28ViCSrVC5iCDaVqMjw0Ri8YoFAqkDw4APBCirg0gDM2GFni0vNi1vx4PrYEGi79SqbCzs8NeOsP+3h6FYpk3rl2jv68N09QsWsvLy9y6dZtcPkdbMqW9FlJ7qSbOnaK5uflwnz2cxvb2Ng+mp1lZWWF0ZIi+vr7DjGjeAdQwDS5fvqwPmW6NXDbLk6dzfPLLXzI6MoBlW+ylM8RjMSIhm/7+firVCo8fP2ZuTh/kxk6OkM8XuHv3Dvl8AXH9Cj29Pezu7vLVza+oVTQfRDQaZW9/n6UlDcQbGOxFSUU2m6VYLKJJbMrs7+2Tz+UJmS5dXV3/afHtYzmW/4Li1SOv11xeWVljf28DpSRVR/Cq+tK+NddYbMXP/QtyVpUKqCi9D2i4uCHl5GteHuF4l+sSfc9nn/PVV19hmCbvf/BdenrauXP3LnduTxEOR3jzzTcwLUG1WsYwoFqBbKZMa2uCn/3456zv7DM5Ocmp06fYTe9qXm7DoFisUCjUXcCO65A5yCAMxdmzp2luaWNza12XjPSUlq+A9vf2+eVXX6GUImxFGBo5AW4NywDl5bXn8g57e0XKxWIAKBRCoByFiQUeZ7tffe0lhlUhkR5JTzabpeZUOHv2NPF4nJ/85Ccvj/FRcEvgcmwYWiFwHIfFxUUsQ9De3sbVq1eDDdtXYlJKDg4OuHXrFqZ34Ojtbg9oO31mLafmMvd8ntlnzymXqgwND/PGm9fo6uxkZmYGRU0XRbEsioUyP//Zx4cOUY1lGYUQPH36lJXlOaTr4nr5z7ofh3OClZK6lryS1Eo1KpUKzSntVq5Vqsw+fcaDmcfUnBqJeDOTFy7USSU8wGW16rK2ss79e9OUihXevn6NC5OTBDHArzt4CoFSDlK5nl41QJkgbLKZPE6thsQlZIcolYr85Ocfs7+b4Z133+XU+Ek2Nzf5yd/8nL/+qw9pb/1jIv0xxsZPYRiKpX/7I0zT5P333qF/YLDeDsMDvRk6fu2vx1e+a0rR3p7kd3/vt9na3uOTTz/l+eyLgFMfIUjvZ7h/f5qVlQ3euHaNd9+5wfr6OnfvTTE395zevvZgXfjERdLVa/HhwwesrOhyx2+9rV39vttdurqohlASoZSGsygXYdisLK/x059+hBA23/v+79CaSvHJJzf5/LPP+OUvP+Vf/It/QZAzqyzNHCeEV00wBKqiec71RKKkJk658dZ1Bod6uXvnLh9/9AWGcZ+mRJSenh6uXb5MpVjg5ld3Gezv5TvvvuEVAxH1d+ZbGBnHciz/0MSrfla3cs6fv8D7371BpVLhz//ih4G7VDUo6oB8ABqKwfNSLqRSDTmqjUCSb4tS9URKycOHD7l58yaxeJzf/t736evrQ1HFNAws2yKfz/NnP/gzACplDcRZXl7mz//8z/mX/9s/xQ6FsG2bx48fMzv7FNd1qdV0G7/88kvK5TJdPb0IIcjlcnz00Uc0JcKcP3/hpZN6QCSiFAMDA3zvt3+TSqXC00dPvb4aAW/63t4eH374IYDHh+w2uKA10UcjPaFPfFOr1VBKVxUzPJdmtVblB3/+AyzToq+3L1CE32hJHFLqMvheNBJl8uIk8WiEn//sZ/zwhz/kD/7gD+juam/AFwi6u7t5//33iYYjTN2/r3nelfIKrWjO+FAoxFtvvQXA7Vt3AM397bp1co1Tp04xMDjIvbv32draOsQVb5pGQDSjlOLGjRtcuTTB9vY2P/nJz7Ql6sc+8Q5CDeGGSqXGw4cPmZ+f57/+Z38MQhCJRnj77be5/tbbzD57xo9+9CE//vGP+f7332NocDDwOiwvLfHxxx/jCIt3vvMOZ0+PHB6/xnhu4+/B8BpBRSl/XquVCr/4xc958eIF1WqFU2OnuHTxUtDmL7/8kpt3vgpqiuuwkXnonr6VHXhyDh2STeDw4ee1qGkfP2CaQSWxly/R/Pb+fQYGBugfGNJ/NGrBffy/l8olfvqznyJdyeXLl7l27SqJRBOlUrHBw1SfI+l5SJRS2Ead3x04PHZ+qOUIKUgjYUt9WvS7I90GnvUjZUMP87vLQ+Plj73OovFTtI6V+LH86om2yA3lxQIlSjm6ApoR5fd//3eJRqMec5aFPh3r069UglpN4koQQhEKWUGs1C8OoZSox2+hrsQbLUalwDiSN3lEbt+dZmrqIam2Dt588026OlIakYvBxJmzDA8MU3McbQVLxSe3bvLkyRMG+4f44P0PMGzB7/3B94Myl4aryOVz/Plf/gQlFW+8cY1z586xtrGBtsIsYrEE165dYnx8jHkvBumPkd9P0C5Dy5SkOltpbrqkqShVjZpwUYYg2dbK9WtX6O3p5e79hzx69AiJroikKGOHPKtcCqQjMZSgUKrw8ccfs76+yeSFSUwzgnBthKs30e/85pucOTPGyvKW9qTIWj1P9lUbkb8pGnVSGSEErnQxDRPbtjAtC9dRSBevCld9wzOFwBIGqVSCN968AspCShMMqXEK3rgYQjB++jQoi+npKT777HPeevsthDB0QQdD0tfXSTL1Dj//2c/Y3tpHKQ3Mc93DhDWmVxylu6ebP/zDP8K2rQDspbtZ72fVcbl7b4p7d+7R3tYeMI/hIeQtU3mZh15VKSVAmDjVGouLi3z08WeEQlGuXbnA4GAPrnRwpaMVjmECblAkp1Hh+IdUoRS2aWEZAiFdqk4FwxK8+967GJbBkyfPcVyBVCYYGqh5/fp1To0NYQhBzYvtdnS0YjS+Ln5NaKFL0Pq4DMv051GDuRqV1SvJNzxwnXS1NX3IDa9Uw7rWa1ypmldVSxfBMfE8IYHBr8F2v/nOW6ysrPDixRJg8Z233sAwTCzbRAid4uU6EkKaLfCH//HHHKTTXL6iK49JjEMeLoWPexGH64n7/PkeW5uLgzJ0yp6SmspUe7SsYIzq4+fxiTdC4Q1dURDQ2J+GA9G3KvJzLMfyD0wsIKB6BBqsCl0V7MHDh7S3t3oFCuobWSGfZ29vk+ezz+nr6+PatTeIRmOBy913rymla+Qeyk9sfFlMvVF+neTzeXK5HC0tTbS0tBwi/4jFosTifvUzB5QK0O3hcJhUawqlJK1trQihU9EMV2Hu1q2fWCxONBoLXuZ4LM7ly5cZGzupNxy/YlmD5eBbDNKVOI7U5CtCML8wf8iysiyLttY2Ojs7icfjwRjramYx3rh+HcEUKysrNCd07WlHws7ODjs7uxRLJRLxUIDGvv7mm4yPnySRSABbuha4Ydeteh/85SvvRg+I13bHrbNcGabB8PAIb755nZmZGe7fv8/lS+dpaWkJKDEDBQjYlsWLF0uUy2XOnh07ZA3psYtpxDTa9VqpVIL0P6V0Zajenh7ee++7fPbpl2x6MX7QHgu/Xa7UNYzD4TDxeIxPPvmUq5cv0trWiuM6wVzVag61Wo2DzIEuSNPaRrVa5fPPP6dWdjl18iQDI4OatlMILM/1W6tWefFinps3byKE4MLkJG3tbTyaecT2zjoDAwNMnjmPaQOGfkeePH3C0uIiAB0dnZw+c5pUaxsIgxMnRkln8qyurnLv3j1u3LhBUzKlOfAbrEBfUTQlErSmUhwcHDA1Na0/+84btIbDgdfED284tZoGXa6s63ft8hUvxbB+OAnCXa84yEmvepvPvS2lrpbluA6Ge7hSnXQljuuwu7fH09lZajWH8+fP0NPbi3SdYC5NwySZStLf38+tW3dYWlzEMiRXr17lxo0bALx48YJoNMbkhXFAr+mDgwNyuVzwjmowooPjOrheuphvSTeOl+tVAqvVNCGS9gQettp9jwLU4/PBPRq8BL7bf3dvjydPn1LMZzl7doLBwYbwxbEcy6+QWABffHWHTLaIMhVbu1t8ftN3jdaYn5/nwsQ5YpE0z58/xTChWivz9NkTSqUi4XCUK5cmOHFCp6KVSiWWFxfZ3tzCMhTFwgHLy8tEI2Gakzp97WgM75W5lw1iCoVlCEyhMJCe4e5ZxR7aXr/UkidPHrG7c4BBiL3MAdOPZnjjyqROocFFCNhLp5l68ADfCllZWSKVaqYt1cLFyfMsLS6Sz+3y7JnUxTD20rQ0xRkbGyMcDrO4sMTGxhYGDvnsPlPTj4nGolRLZTY2Nunu7iCZTGJ5tYuFqOh/ONgWmMJFyBphy+LE0CDSNbh//z5P5xbJlx1sBMVcidHREQYGBojYIU6PneDh40eUSgWeP30BwNbmFk3xGGfPncGO2IcHzVfgDXE/iUs2l2Fm5gGlUoGwZWKbglSqmaHhQaanH7C6tsrgUD+ZXJ615SUsQ1AoFHn06BGrqzqPfGlpkebmZtrb2llaXiOXy2iWVR+sZrgoVcM0NPbCNC0sywxcu+FwmNHRER4/fsrOzhZCmORyBZaWFqlWa5gC1paXUK6D5ZU0fPz4KadPnyGTW2NlaREDieO6PHgwTcgOsbu1i2mGME0bgY1lRlhYnyNXKLG5s83Ozg6JRJix8RMkW9uoOi67+3usbayTbG1lZ2+TvfQu8/PzpNNpTCvG2GlJ3LIRsoYrXbY2MjyaeYEQBkNDkuER7YJXuLR3dXDu/BmUqrG2tsHt2/doampma2MLoWpYpiIRD3HxwgR3795naWmBQinLQfqAxYUlzp0/V7e0hUEymeTK5Qs8fPiAhw+fsr+/hxCKsfFxdK0fl0q1wvziIpvrq3qesjmePX7KxLlxmlpaAgs6k83z4sUL9vb2Sad3EUKxsbnGzVsaJZ5MJTlx4gTFYpHNrQ1u350mk8mws7NDX28fYSuKUBZbW5ssLa3iVvPYhsAyFN3dbXR1t7O8Ms/q+gqXucToiX4c5wK379zj6dNHVCqa3a1SqTA+NsbAYA+JRJzLl04zPf2AB/cfEYvH2Ntap6c9xYVzE5gGGCGT0ZEBcrk8u3vb3Lp5DyldBvq72diQrK6ss9yzihAWlmVr9ldDgbIQhLy1KMAwUQpCIYuh4UF2d/coFA54NPOUXC5PZ3tTcLA4VuLH8qsoFujKQv39/fT39yOErnnsx2W7u7tJppJefViD8+cvANoSaGpKMDg4xNmzJ4MbKqVwag7Nzc1MTCQ1aK5apea4h5C0fxvp7Ozi7NmztLUlCYfDL/29zoylyOUKtLW16VxjQyNVDeHllnp5sdVqlXK5zPjYOFJJLEsje4eGhvjO228TDoWpVDXSVxiam3ly8iKXLl2iVnOoVqskUylaWlpRSpIv5DUaVkEqmaS7u4d4PMbYqVNYtu1Zz7pC15kzp+noSBGJRnTjhY4dCyGYm39BLp/DVgb9/X2cn5xkYGAAyzCIxWM4Stc0T++ncVwHy7Y5d+4cb71zQ9eV9oqqBLn6enC85+j8cqUUpVKJoaEhwuEoHR0dCCFIxOOcPj1OJBIlkUiQy+WIJxKcO3cOpVSQrw7Q0qItMX+++/r6sG1dkQog2dLCqbFTwf8dp0atWqWntxvLtjFME+m69Pf3Y5kmvT29ABQLRU6erK+lAw+5LYTg5MmTxOMJ1tfWCIVCnDt3HkCjl0WRZDJFKtVOe3s74XCYq1evEA5H2draZD+dRgjB+fMXuHzlMol4nGq1Rlt7O+fOnUcJjc4Gg56eHnp6ery2WbjSxVK69nNPTw8TExMYhkl7e7tG0VPHjfT19RIK2cRisxwcpKlUaqRSrSSTzfT19dHS0sIbb1zDdSV7e/s6nxo4d/4c777zLralAgBea3t7UNe7VnNob2tneGSIM6fPEFBpAtVqlXgszsTEBADlcknXIg8Ajh4tbzqtcSBd3XR1aZ6IbC6LZZn09/dx5swZDMNkZWWFg7Qe99GRUSYmJmjraPfuXca2bUZHRwnZNnGvdG57ezvj46eJxcLB+zk2Po4rYXFhgUwmg1KS0dFRrly5Qk9PK8IQfOc77+A4LpVKhUqlQiKR4OTJk1y8OKmLmhgGZ89OYJgR5uaes7u3S1OiiXPnz9HW1sr29jaFQpGOjk7GxsYDb5BlWrS3t3HhwmTAmeCnJY6MDGOZNk+ePKVSqdGaamVi4hQ9PT2vxUAcy7H8QxehlFLIrP6tUck2xrIbNoXXKuFXvQT+dxrd6X+nl6QBMPeK7x9ihFJSE8P5xTbAU+JG8H3/ehev/Cb2IaCQT4Wp/28c4iI+3LcjKV8+85Dh9dMvbiC85yvNmKVM5ZG2eMUGAmBPA7pcSZSpgWCGEuDTSR7tvxBIt4JhCJQwdb/9amSCQ3PWWA3tMKWmByTyiD2OcoqLRipH38JvACP51KCHCn4cEp/wxAfH+XSW/vjqdK3XVsL7Noe/xrXhXx/QcqIBiD7Q8CV64Ib++mvl0Oe8jO049G11aP34leYCkJrrrz//XfDm0qveF3DZo46Ms1+ko6FNQhCUhw3eSxG05JAnJuhjQ79e9Q4dvR8EFfCCMXydkhO+xas9ZHVyG6Ph0jpnvvCLpkDQ7kPMaq867Dd+fvTZjf2DI+Ok6n9uKErjr7/gNsd6+1h+FeRrqp81Vmo4rGxfFWP15ahSb9xAG382fv/vaI0Hzwvu8bpCEjL4W6BQgkPJEd5xTwxhYAalF+sxNz+nWzRuCke/f7SK1+HGNGwsouH59e80lvzzGnP4XkdLaPo80Ufug3SDKmZBHxrGIhi74O+viKFKN1DijWMQKOVG5SA9tqzG+zdc3xirPQwOO5zG6H/WKPWqbQ3jqP9wZGxecbA4eghtvN6/v2kR8O2/DtRkmK/+vv+dxmc09KeRK70+hrJ+z8b7yQaF23CQOiRK1RWO36bG96jhn2ykJ22UhgOa7rdEHikscmi8Dg1DQ5uNI+9P4z///hxdAw35/t7cN2JHdDzbe8cax/tVe8TRuX7VeGm/ev26hnfwaGW516L7jy3xY/kVFZ/d5eUT8KvkqEJ71cYK3oFB6X+G919f/i4vSyPH7qveYSX1x4f230aikEalW7/FUc5rAa89KOgLjvQ5yDP2FWxj44yGfnuHBeMIN7HfryOWc4Asl541LI70ofF3Ub9/MOxHlZRvKTYOngK/blu9nrU3jsq/skFhB1aT97n/0xtPv8raq/EOnndDF2qvX+FbZn4ZyYa26o+PHm5eYaW9op8v/d7Q1kAOpTc1WOCN1wR1l4/Mm19Rzj+QeB6UxnGot+FV6+mope9V1cLwG+v9Jusc4o1y5MCiD3Kv4A7w7mcYHupbeGlcr+OsPvr9rxv/BjG8fh5aA6qhn8pbe34/lUBgHpmDV7Th6+TQdUfuc2StBha3qq+9l+bpb/PsYzmWf2BynGtxLP/w5ehBM0in+y+0fF9nFR7LsRzLsfwXEOvv5S5Hg0x/31VvXpLXWMKBAfY1VnXDdcr3xH2Tk+CVFnfD59Kz3IJ8eP/v/tfkK7/2Msf84e/9zy7qiMUZ9PM/0/P/tvKNOA2//Uf69Q0SzM9L61i+8uNv71XyF9gRnoSX1q1/3VHL0v/86H2P9uvogUa+5rq/q7wCM/DKz1/XDk+O9vvvOF9/f/K6fh3LsfxqybFFfiz/8KUxJgyvxikcy7Ecy7H8mooFGnUbgG4Co8cIQCE+qhh4RZyYly3Vo1bTN4DcAtRuI3rbv7/3Tykv1iVEHcyl8AAu3nnEaADLKNUQg9ZgoQBd7dFGieA5HuYPr/KWF7NVPruZdL3va0CPERTq0D+V4RVTcRUoUJZx6P5CigBspGlGfUvcPeIe9sFdon5/f/xeJa/zFHxr8UFXPqq+cc4aUMCiQZG+Clj2qvYdAjD58+jPm4+e/paW2EsWrF9Rz/eEELRJ4a3XoB+NbfU9KHjjruPKgSH8deMoBP78qCMui+D7r7KcD6HKG57TcL/DGI7G98zhJdBjY58a1/lLSPW/T3nd/Bz9/Js8Ya8Yh2/zvf/Z5PggeCz/OMQADqGnX8vb/TpA3Ndt4q/7/ZtEiEMIYfWqjdlHqTYitF9C7TYgWZU6xCn/+kd/DeiqsQ1HrqlXnqKO1vbb9qrN+FX39aURhfxNG/PXgfNe+53DfZPyVXN4eOyA+px83RgdRSAffWYjSvnvEmtW6nDbGiRAb38TcLNR4X0bxXfUI/BN8m361ZiF0MjL+m3KaB5V2sc84cdyLL/WornWAxSr6Vm9eApCII5a4kfRrEcssyD/1JdGC+41FoOgAb0N2lJT6DxbfIvYUwBSgmWCVGB6Ct1PhwpSTkz9ueVvcPr+BgpqDVaO3xRDajS1adctx8ZxqWnLWZiGhyL3vug0oN1BpwkZAuPogcGvyW6annfAGzs/b9hpRKBDkCLlY8dNr/2NBpwQKEv3/5tLZh9VeocJYzSPvmch+h4PXxrn+FX5xFLqPinq/RENedqHlGYwIN7v7jd6a/R1R9aT9NdTg4UtXd0P6bXNEPX14n/PH2B//D3LXHn3OZoHXy9W4urv+PcW9QOvYZh1T1DQPQmmicI7IPv9DNpB3SOAN88CtIfHb6eh17eU3t8bx72Bgld4SHfD0AfAQzwAx3Isx/LrIBZAoVD0Nqb6hqmkCvi7w6Ewtm3juC7lcim4RgiBbdmEQprYxHVdqtUKrsfl7d/DJ/mwLVvzpH8LkbUabiGP4zg6DQeQftq710y7KY4dsqHqUCgWMPx8VkwikQhGPOp3hnKxiCp7pUoDohPvWR6vvBXzsH+BB9ehWqsi82Usy0I0xbFsG5RLqVRGFEv43PKWZWImmnSVLuOwYqrm80jXxQyHscNhfRARAlyHUrGEUdLtkoGe8Qg2DAPbsjFTca+h+ketVNBVwyK2rvXNt6ubHYif/+tqPnOldPWywLLzlG+tWqXm1AJeedM0CYXCmKYZXCulpFYp4boS6bm8DWFhmgZ2KBQc6hzH1TW1vYOSUopIJIr1bSxQP5dZapbASqWiubS9nGD/gCOFwDRNopEYuC7FculQSU3LtgiHI5pTXEpcx6FSreB6YSW/rrqvpEOhEKFQCNM8fBByajVqjhNcY3lkPdVqFcd16jz8GEQjEWzz5fz4SrmM49YQQhCJxDzyFeHdp6ar3zXUIDhUs91b30G7pBswpEVj0YBX4FiO5Vh+PcQCuHnnIZVKBddV2LaNbXsbvbdBnhodoq+vj/2DDI8ePaJS1m7qWCJMf38/J06MAFDIF3jx4gXbWweauczUCsJ1HaLRKAODffT29OqNTz/B+9kQ4wYolakdHGD/v/8/GNs7iEQLWDbYIe0i31oHJTH+1/8MNTSIuveI6O27YHqHhFwOTp5A/bPfQ8TjqHSW3R/+JT13HoFtI9o79HXlMpRKEDHgzBn4l/+8HtN1HXjyAvvRY9THHyM62uH/9H+EWBQ1t0D48RO4NaXb5QqIRREfvIMaHUH0a0pLtZODrW2s/+kvUDu7iN/+DursGcTJUW1Rb6bZ+/JLen7+KbgOItIEkQhEo54izWOcO4f4w9+FaBiKZVSphPlnfwltbYg//l2Mb4NXFEcsRs+iKxXLrK6uopTi9OnxBstZUCmXWVneYHFxCTtkoqTEssP09fbRP9CJHQrhui7p/TTPF1bIZrOYlgjun4gnGBkZorWtFem4LC4ssrGxq2licZGu5OSpYXp6e7FtMzjsNTLN1dvvKW3DZH5xiYX5NQAi0Tojn+s61FxFa2srb1y7xEE6w7PZOQr5PIYpcB2HaLSJsbFxUqkErpSsrGzw/PksQliEQnawHms1cB2Hru52To2doqlJHwiFYVOpVNhY32FpaRnDFpw+fZqOZDOO67K2usPy8jIuDkIYuK7D4OAgA4O93oHARkqXSkUy+2yB7e1tWlpamDh3hmg0GlR229jYYm5ujkpVYpgmlikwLQshBK7rEA6bXHvjDUzTRlMOw+bmNhub60xeuEA04tMYH1vmx3Isvw6iwW5KMvt8lsxBjq6uLkZGBxBCUCnXWFtfI9kco7+/H6UkhXyeJ49f4ErJyEh/wJPtS6lU0gUadnfp7GpleHiEQiHP4uISBwf7GIZJf2/f4VYESsb7aVnkcjnEzTs8n5un98IF+gcHcNC1wvNf3iSXK9D03g36XAfnsy+4e/cuk5euEo1EmJ95RGJhkfTpXs6+cR2Azz//nPFP7zM6MkT0ehIAs1xm+qub7Mky323kcJcutUoF88FDfvmLnxP9xWeMnz5JpFIhIgTq4SM+++SXDKzuMjR+ivJuho2NDbbDijdtG9XXqkMMO7s8uHmT9p9/xM7OLnuiyHtAraeLUDwOSuE4Lrknz1hZXcfs7eP0+XM4loWSksePnzAZT1CplAlbJtRqPL55k9yHP+HaG1eRjoMRDn+LOLr+ez3sISmVyywuLjDz6BHJlpa6IheCaqXC6uoaU1MP2d3dZfTEMJVKhd2dZfb39giFJ+nr6yWTyfD48SNm51eIJ+K0taUA2N3ZZbG4SLGY58LkBXIHGe7fv0+pqPnNQTI3N0c6s8sb167RP9D3+rZ74iv3xaUl7t6dpqmpiXPnT2MYJtVqlZWVFbZ2dhkaGuLi5ARPnz3j8eOnhOwQnV3tHByk2dqcRbqSiXPjRCIR1tbXuHv3Li0tKYaGhonHI/peyxvs7Oxw8tQwg0ODNDVFPc+Ly87ODtPTD3Rlr0SEnu4eOpLN7OzsMDMzw87ODu3d7YTskFeoZA+Fw9DQEMKrUz83N8fU9BQbG5skW1owLYOJiQkiIVPT1ArBwcEBT5/p4jgT584EFeX299McZHa4MDkZVHJbXd3gwYNpMpk042NjDYr8WI7lWH4dxAL47m+8y8bqKrmDDEMD/Xzvg+8ipUu5VGH6wQOSyRYMU9DZ2cX1N99kcWED13U4eeoEo6NDgKaJbG5u5vT4ONubaTKZDD293bz7G2+zubXPLz/5Jc+ezdPa2tWgyH1XuR+T9iwx18FUkpjjEKs5FH/3u4gPPiDU04q5tEz/rZukd7OIqqK6uceMqWh57ztY//v/FrO5idF/+d8x//EXZP99J2pgHGJhosogbwoS589i/N//r9qyfzLL/tYyg9PPIVfWsWGpUPPrmDMzqP/+X3NqdgEbRXOmgOO6OKUS27k8Mt5M/r/9bYzf+A0iP/kluX/9P9L0wx+jhIUxeRpjbx/1P/xbBr66xfP+dprPjnLh3nPUygEiEkOdPYsY7GH4T/4J7s8/I7q+Reb8ScSf/jGhK2fBMGj9d39JtqWFlrkV5P4ePH5K/N/+ALm9ixge8kL9Xgz166QhXbZSqbC2ukM2m2Vq6gE7OzukLraBMjRWQClcWSObPQAhuXjxApcuXyCdPuCjjz5lbm6O1rYWenp72dnKMvt0iZJb4caNG4yfPkEmk2F66hHT09M8fvyY7p5uirkiphni9NlBJiYmqFRqbG6uMft0gY72Pnq7u7A8+s5XMm4FIhHSwRSClqZm3n/vXRACp6b46KOP2NrcxcTErdbY39mlrbWViYlzjIwM8/TpM+Zmf8SDh4/oH+gmHA7r6mwYtLe1c+PGDdram8nl8nwpbrO9sxk8VQgT16mxu7vL3Tv3eTr7nEqlQrw5gRAa93CQzuDicOr0Sc5fmCBkh0jvZ3nxYpGmpib6+4aoCcny0jKff/Y5lm0zPDRCoVjks0+/JBJJMDrSSzQaY2BoiEqlwpMni1i2zdVrl+jv78d1HNY3Nph5+AhDmKyubpLL5Xn2fI5Hj54w2N+r23Msx3Isv1aiwW7CqNez9kRKyX46zenxcWLxKI1FEJSSgSvU52RurLksDI9bWYhDsfbXcX3XObfrf4tEIlijw0yEQhx0dIBtvYyiBqIXJ7l26SIIgWhKvAalbDAyOkpfpgjd3fXvW1bQHwBcl1q5jHl/ip/++Md8kC/S3tpCNn0Q3NdOttD7/vv0vvceoi3xaoSyEDx78oTkp58RskNc+4M/QIydQv4P/xPLH3/G8hdf8G5nJwz2BICswKVsCHBdNhcXGbxwHlIpePKM6S+/4sLT5xSLJaRb50P/1uJdWyqXdHikUvGqUnlofsNLMxOCUCjMuXPnGB+fwLIsQqHDyuHoWvElnU5z7949njx+Ti6Xo7U1iW3ZnD9/gTOnzxAKGxiGQa2a/XaZEg3j6QMtW9vaGRwcoqOjIxj3Rle8UopINMJ33/8uCgPTsoJrhGEENaqFEDT//9s7kyc5svu+f14utVfWXtV7A2gMMEADmAGGIc5oaHI4HDlkh01ZYdlhWRE+OHzzzSf/LdLBEQ6bdPhgWYvFkURRMmlSwyExGGCAxtZAo7t6r659r8rM50Nm1tbdAGYTJbK+EYhGZWW+fFu93/77GQZLS0tkMhl0XUNRxvPfC6GgCDGo/Hbz5x9zcHBAJBJxantbQ9X1+fPnWTpz1i3ZKjAt69j4arUaP/zRDymWinzzm++yuuqUzH3//fd5/3vv87v/5rfxz/qPFY6R0mGU6406qqLwzjvvALCx8YxCoUDRrVY2xRRT/GpikNlN2o4TTavZZm97l263y89u3ubNN98kkUg6Ds22iYJE0XzYto2KcCszjciEtsS2+0hp0mx2OTwsUSmWoW+RjBvEIqGR19uDZ5xOuK34NHy5LM3//J8w+32imRQiEkHmCxj3tzjS/djL8zQX50ll02CEod9HfvCJ45Ve6xKNpyicXQQjhEjHmf8P/w671cSKx1B6JvR7yNtrLJYabF9Y4pVXlpFPdlFv36HzX77D14VA/KvfonpwiP0//hcoAl0KUDTE2RxYJnJjB0oleLxButUjf2YOFmag2yPYapGoNdBCQVpL84TPLiN8TlnMRLkC9YYzViFAMUGVLOwWkHfWkI83CP3F9yn87m+RySbhK1dYXllA3F7n8Pd/n1TzEQhQnyu9Tk6z45UeDoV58603qNcbdNp99vb3QfNi7B3nNVXXUXUdzQ+tZpPSYZNiuUrftIkYcYLhsPNa1cISfZAK/b7FowfP2M4fIoSOqvhxqp4JfH4Fn99Pu9Wi0WxSLtWwbTAMA8MwRkL3To5qwHajEVSVVy9e5MyZRcepEIfhPKrUqbXahCJ+EskoQhUEwyHMvkmj2aBe61AqllF1hXgqhq6qhAJ+zp1bIJtLoGs+IpEAlmnTqDdptZoEAgEMw6Df77O7fcAnd++yf3jolOe0JPfu3RubYN2nofk1Op0OlVKbZrNJt9vFiBrEooaTm8CU9Nt9sCVBn59wUCUccrQCnU4XyzIHpg/HGd3JkV4+qqJKnc3Np7Tabb713rtYpsm1K6/SbC7wyd3HFA8LCDkS2eDhS4stn2KKKf6+wJHIXQ9g27Y5Ojrik08+odfrcXBw4NQ2hoH9VFEEtm1jut7OTmUn2w2HkWPOSuVSmbuf3MU2HWe3pcV55hcWRiTYE+KRAYRA9fkwFlwVvKogW23k2hof/PgnXNJ0Yt/4Gpw940jqUtJqNCj9vx/TarfI7e2TmZkhcOnyIOFKcnbWDc8R0Gixs7lF5I//FJ+u8fbbv464dAm28vzZn/4fVvcPWP7aWzA3j14s0ZESuj3KlQopIwo+vzP2fJ5bNz9i9eNHSFty/vwKYt7xGbAtL3TNpFwuEy4UkI0mlmWNS7RuXLSUkqOjI+If/BQ0H4/X14nX62QsExGOkwyFkKUuPv3lvP7HMFg7BcXnI5PNEQgECYXD7tfD+Xc8ur2oA0eKfPDgMaVSkV6/z8zsLOl0CqGIgfRqWn1azRaFQoFoNEo2M8Pjx48H7XplYYulEk+fPqVSbtBstjh75hzpVMqRmp9HzL1YfCmJGgZRJYZTycumVqvy8cd3qFQqrKyscPXaNWf+bQvTstje3mFrc4dqpYrf7+fs2bMYRhQUhXAkQjgSARQs06RQKPDgwQOKxRLnz5/n0qVX6fV6rK2tsbW1RSaXZW5+jsODI1S3dGej2aDf66HrOhKnpvrjR48pVyrUajVyMzNks1m0gfbHGVur3aJSqdBoNLCsoUbGlnIQpeGMw2b98Trb29uUioXBmqmaRjKTIRgKEo7sna7VmBLxKab4pYcGrjTuqq2DoRCZTIZut8vBUdHNT+ElXRFIWyCERCheyUw3HnpCvQngD+iksyn8qo7f72d2Lkc8Ged49SVXBam6B7+F057uczyWN3eQ9+4h/+f/5nzhiEf//l/ya++8g1heHBz8it+H9eo5RK9H5Ec/xarXaO3vE+uZDrG3XGajb2J/7wckv/8DfrR3wLe+9S61f/tt/Ok09h/+JZ2nW1SCAebbXbSffkh3Y5OILaBUp/bjn5DkbcTqBYQi6OdmCJx/Bb3QpF2pEjgoIotVxwyhqGimhd3pEf6THyCTH8ODdYyOSXEyAYutINBoxQy0lXO0QyHK1SJRXxD0oBOuhgqqpK1K4haOpzzC0WK8KNpoNGHI2DpZSGk59nGpjLTjqIVtLAJBH8mk48RWqzZotep0uw5z54VZ9Ttdnqyv0+k0WVlZIRI2yG89Q0qJKjSktBDCMZekUikUobK1pVBvVOl03dDHseQyE3Ho6jhxd1TNklqtzc9/dof8xga53Aw3Xr/G/NyskxNAqGjCJhaJkE4nsW2Tw8MjauUavZ4JUiBc3wzTtCmVqty//4jNZ3kymQyvv/4aC4s5dnZ2qNVq9Ho9bLPHztYm+4clJwSuJ3i2scVsMkY2l0URPnTFRzKVQlFV8tuHtFsdmp0mFha2cEIMJQqbW9u0Ok1qtdqAcTJtGxSnPrk1Es8eTziaC8sNVxvMi2UOp8wLKZwS7imm+JXDQCIH5zBIp1Jcu3YN27YJhiMYhjGSCGRou/NqMLsf3Htg1MaYSqfdcBg3nvtYGNQp8AgPgG0h793jb/7y+1w+PCT75lfJvPctRDwxiC1G2gTCIZa/8Y9AUbH+9Ads/d8f8+TOXWbf+42RsCrJ5qPHxP/sfR4+eMh7v/M7iHfeITE355RYXFjgt//FbyEaLVdyb+D3uxKwqhAMBmEkDl5fXuby8jK2qaHcf8jDh4/49dEwLhfBYBCiEYehmIQQA9t/NptFfO1tQpkM76bT2OfOISZimBVVcVLEfhpMZlgb0IKReugME6IMUvMKgWHEuHo1xeHhIXu7++Tzeebnc5w7e9Ztzomf3t4gZNbsAAAdqUlEQVTeZmXlLEtLy9TrzUGbtittAiQTCZKJBNVqnYcPH5HP51laWubs8pzjr+BJ47Y1IEiKmGBUhGMiqNWq/O3f3uT+/QdcuniR1197nbnFmYGGw7YtNE1lcXGR2flF7t+/z+2P7/F0Y4PLl1ZIeTZ226JcqXPnzm02N7eZyeV47fXXmZ+fB9HDMKJcvXaNpeUlwKmhHQi0sKXt5FDQfaia5pqmbIx4HMMw6Ha7PHm6zcbGBplslAuvvMJoTXZN1wkEArTd3AaTa+HNraIoXHjlFWbn5pifn6fZGDHJuPtAcdfL80uZqtOnmOJXC65E7hBp7wBXNR8qcPnSFXZ2d5CWSSqVBEVFSoGULlGXipsdy03YMVCVKwihDf8OCPgwzvgkDHKte1m5vFzg3/s+C3/9Q/a+/lVyv/kuwlO5t7rU89uEf/QRaBriN7+B8CsgTGxMhGkxqIusAI02rVt3ML7/I95IJ7D+4++hh8MgdFB1xNdvoH79Bl72MHnnMb0//wvsD24STsbIff1tCASw/+RvoFRCXFiG8yugCCwF/DaeyIUioaVrhOIGzd/75wRXV7ErRSr7+47iVBGOPR/AsvHbkp6qgVARC1nE0j9B/O1NZL2FWL3gMAG9DtFux0l8I22UTg90CX6f095JqVZxp30k0Qs4Dn5SCizT1YJ4Na2BXs+keHREsVh2Pa6XkFIghOpqZFzpz903Pp/G0vISb3zlOstLizx8uI5tm4PkL/t7BYrFIrFYjGw2h2lKV0EwSK3HoH67UHi2sUW9XkdKSSQc4cy5ecepcqCq12g2O3x082M0XefSpYvMLc4BJrZt0bdg4+lTLMtmZiZH3IihSIbOblIyyEQnFGrVBuuPn2LZJstnlpibTyMUE9uGWCxJ3EgO51LafHLvIfu7O+i6xoVXVkhlMxzs73NUrOP3+5mbyzkZ31SwhT3ym3FMF0KRrKyc5crVC2xtbXHv7kMs03RmwZ0SVSjY0gLhxJKrus7szAy1Wo2HDx5w/vx5VF131sG9z01xxzD3utfnF4UnThPITDHFP2RoAE+ePBlkbKvVajx5vA5Ap29y7949Xr1wjlQqSavRIJ/P0+v1kFJSLBUplkqk0nEnI1W3Q+HICW2Stk2tVmNnZ4elhRkno5l0nZYmISa9dL3Up+4BpCiM2QBHCFK5VKb+wU8pFArEkyHC4TCJoyK5bBp15dzQq9y154uRd0kp3XSaE/2xJbbZh90ddvf3WAJoddh/+pSZ2Rl49oyPfvYhrfUZvvrmm+iPHmLbFgvzC5DJHBve4D1COLZlRTiq/l6fvWfPyBaOsEyLaqWK/OQuh3YLKW22v/cXnD9/Hn86RrlUZubefdqtNhEpkXv7PP35z4nFYiSvXR2G7j1PWpeSdqfN3u4B9XqdZrOJlM46rT9eR9cVcjMzSOn4Sty+fRdNU7l2rUOz0aDX65HNZoknEghFOPbwbBaAeDxBt9tlY+MZ+/t7+Hw6iUQSv99HsVjk1q1bRCIRzp47h21Bp9Mhl8uRTCbcNKZDO/id27d5trmJtCULCwssnZkdSprOQMb2w1A170iktmWysbHB7t4eC/MLnFla4uDwEJ+uMz8/RyAQOGELCqQlRzQS9lBDgTLoX6lU5vDw0FG12xaHh4dk0waVSpm7d+8jhEK1etaRttttMpkMqXR6LOHNqB/JpCRuS0m1XGJnZwfV3ff5fJ52q42UNvsHB2xtPWNubo5arUatVqNUKgIM4unDlSCpZJJoLHpyFMcUU0zxSwUN4NGjh0SjUQKBIEKRrK8/xpYSG4mmCQLBALaU1GoNtvO7ZHNO5rJup8/RUYlUKgZumE6lXCEQ9LO4NI/P56N4dMRMLo6uq0Mp4ZiEME7ch9WknEOod/0aBbOHtnoRsmmQquO4FlDJrK7g/6fv8OiHPyT6ow9pKAob585w7r1vkfrX30ZkU0MGIqDD/AyP//GbpFNpFlUNFG3k/R4R7NPtNBEHB/Rti91v/BpHPh/mk2fMpGcQ33oLPaqS/NltDv7fBzRNE231VZrvfQ1x7RqEfNi5NM/e/TWCgSCxZAo0HevaNQrtFuFXL8JMDlmvUfjkDtVcmlb0BoGIn91nD+nmNxFC0OuZRMJRlM09qvfuYe3tEllapp2ZZSMaxf6rHyFSaeTVVSdNq1BOl8yFwLIs+r0eT548odfrEQwEmF9YQEp4/HidaDRMPJ4iHA6wtLxEp9Nh49kGm5vrmJZFIhlncXGRs2eXAEkmm+DqtcusPw7Q6TTZePoURVHodvssLS3zyoUVcjNZksk4jUaTw8NDdnd2kFKSyaS4ePEyZ86cRdFd/wiXgQsbYZKZJLYlCRtRR1MzGpIlJQFdZ2lxHl3X8fs1kP1hiKBP4crVy47k3mjy9NkmnU6HcxfOcf3GdddPwxysus+vkJtxYukjkcjYvnQ0+a7tGptyrUy71SadTiOEoFIp02g2WVhYoNnqk8/n2dnZQ1UUQmEfZ5YvcPGVs4SCPsxeh8X5LLFIBCMcRhMaIX+I5aUFTMvC5yYlqlQqVCplFpfmEUKwd7BPsVxyfgu9HuFoDNOW5Hf3KB4dYdqwtHwOn67wbGubUMSPomlE43GHEZlK3FNM8UsNIaWUzzYeTFx045SFowpMxAyi0QitVp/Dw0Mst8SpT0A4EiHh5gI3TUeS6/SGzmyBQIBMOubk535ZeHTI09TfvIcslRDZNORyiKyr6hSWc8A+2IDdPWTDVVVrIDIZxOuXHOKmuQ22ethHRfj4Dvj9KL/xzoTE4tn8TSec7eYDZLkMzaYjTS/Mw9wsBHxwdIR8uOE+piBCIbhyHhGNOn2qVpF31hCahnjtCoTDyLvryKMiYjYF6TQiqGNu5VE29hxmQ/UKYbiqclVDZDIQDkGhgHQPc2y3QIZfQwRDiG98dUjoTiTkQ7W6E41w6FQ8k45katNHURVUTSGTyeD361imSb1RpzISo6xpQQzDIBL1uVKk4sSjV2q0Wq1h3LTtMH+JRNxNfQrVapV6vT7IfS6lJJ3KOrnBNbc4DipS2hQOy7TbLaQUBAIBZtJxx+FvYB5wss/t7RVQhCCdjREMhYdmA+HkQy+VGrTbw9oAiqaRzWYJ6IAQ2K703W51KJZKIBWSyQSh8HhmNK82C4pCtVqhUm4ONAKKopBKRgiHwtSaHaqVKmbfGuzDRDxBNORH1TT63T6FQoFezyaVTBE1HBt54aiCZVrMzabxB4LUazU3I5yX+9/J2zBqX89kMpSKRbrdLrZ7n+p2VNUgHosRjoQYlOWdYoop/mFDCTEwQwJHR0coisJ3v/tdh5Bj18YfEMLJlT5SSnTUYWzMmWbUCc5VayqK6oQHSYniFpR4Pr6onNBuiI/wvHnHi6x4VdaENaGGHozR/eNVwxoI6l5ZUe9AdGOYFS8jnfvX9trz+uNct1xnQnWinvWgHx68bgzqo7vOTK7vgOkSem3AJ42kbMNxWRhrbqDZGFnH0UpyXupWLBRFHVMnj7Xj9se2jyc5cXrxBROKSXXwCeGJxx34xOnfT15T1GGpWHBNN+4anjB+5xVDdbht22Oqcqd6nJOfXVGdeVQUdeCNLoQymEPHN8Ee++x0bRiq5+VpH1W/jw9FcduRg3U7ra8vA/Gin+cUU0zxC8OAfokAzpnvnDceIf/Od76Dl/ZqxGPYcTBTJg/Dkz4fe6NzsDjtqU4RiJOI+LGD+rMP0nuv89c90D5tlsrB8+7nL5guSUaYIEZ8AF7Grv0yGJHCxwjRqHR+jIiNRyB4hAHsMUIwem34eYK4fNGE4CQifNL3HgEfs59PPOep5UcZUGmP3T9KCEeJ7Og1jzALIVBVbfCM4saTwzDL4fD1ylgbk22O3ytGCLTDKAyjCMYZjeFfe2TdOJXwTzHFFL/c8LJUjBz0yvGD9NNK1JLne81+0Qf/ILbWI5Dj/RKTL/Rcg914djl4frJd9++kjVH0nWbsievHJHcH2sT4B8f7sTRcbvMDZ7/xOuXaQML27hy5INxxS9vxyvYcyLw61YNYcu95e0ySnXTAGvTlJaRC8WWrbk+TricJ9OT9HoH3iLkXRnmsvZfpgj3C3IwT/kk4avDREqSTUv5xifkkTYDHOLzofZ+XcH9+E/rnY0TFCWOaYoopXh7HA5tHpZ3Rg9LDaXGqA2nnhIP1Rfi8Ma9/3yWQY/2bOPi+LNWmtw6T5pFjppFxCfwkwjBJaEYlwS+l36P4tO8ZHa+Ujolnch8/By9SrY+/aig1e4R31AThtTeuSn9xPybndlL1PmCihGBSgzKVyKeY4lcLJ2QocTGQUk8gyicdrGOE4VPiSz94JiUGz5nPOQRPEYyHtoljvmOeCtUev+E00WYgOE8QUjkyx3A6wRpkOpskMF4RGS/DntuOogxV6soEgzVoc0TqHrWYnJa/XdonKCy+oHV70fqfpjY/6S8cMwEpL2j/ZWzEL5wXaTu+AvKUewdallPgteNpQAbXR97vfXbvFaPfnfD/vzN4cetwnHGcMhVTTPGlY2gjh+PqSU8q/2XA2OE+8l/xGQ4+Oa7yHmns+LtGr59qajjl/pH46BdioEZ+zr2jTNlpqujT+nHS98/r9/Mw2d4XLdmfpmof/f55+EUSoJeZi0lNy0lt/KL6fwqzOIZPux5TTDHFczG0kXsYPQQ+rYr8ZfBltPkieATRe+/AKcnNMT+pSvXozCnOb7bwvJHdBDNeRjrPIUxRXAbBdMc72R83+cmngdfOSYe07bQnhUQKV8Mg3Ou24gxoct5HfSEmVe2jtuST9sJp1152Xb9sie15RPxlnvusWqXTzEovM0+nOI+e2s/nMUGfdU4/6+/yeet52nxMMcUUXxiOq9a9H9kphTY+N/6uibgHIRhQZI9QCddm+Wmb8rQUcsLmOWLHdJzAcD3Eh4zDANJmzL1+UjU8dvDbgHL6OohxD3R3YIyFnU1ikA5XOU4YTlJTv4g4fpZ1/aL21fPa+SwMxklMyyieR6gHdQlOuf95fZlc99P6rkwwj6fui0+p8XheOy/DsJ0w7tFQvSmmmOLLgUvIx+ORAfdQwbHPwlCKPFGa9FTN3sEx+YMeeUYIjlc/+4wYSI8jBHH0XWNhWKMHrGuHtB1HqCFhlgMCP95/T9Jyn/a81SXuu7ywNzdm3nYdjqTAIdbefHkE1r1voKJXBlL1MIROH5knjwHx7N7q+GEqnD4KW0yEnHkMwMh8Sen2xyMELqMwediOHdaTAeoTDJ7XxiA+fXJ9leFzts3Ax0Bx+/h56fmxqAIxjJf3xjK6JwQnq99Hx+Omix1bl8G8n6A+FrjRASes7bH+nvBbGuwlOVw379ok4XSS9bvPq+MapbG94fbfjXMfMmXH32/bTi6BY30c+HO4cyi9wU70R1EAczgnUoLQUZSJ/XAiIzD1Wp/iVxkvy+gOk8FMYmgjty22t/MUCgUALNvGpzv1m6OGMTwgTlMJu1JCv9cjn9+hWq0y6v0bDIaYmZkhkYh//oN75DA4ODzkYP8Q0+yfeKvu87G6ehlFCDY2NigWi4Mc1oqi8MqFVwiHI8N2nytxOAdbr9OiWCqxv3eAlDa2tFEVBU33kc1myWWzIKFWq7B/cECz0WY0HjgeTzAzM0MoFAShsLO9zdHREZZbllLTdM6dO0ck6mTMKx4V2d3bpe/VhodBW6FQmFcunHcy50mebyN30e20efp0g45beQtsDMNgaWnJyYlv25iWRbFYJJ/PoypO3LTf7yeXmyGdcdLelssl9nb36Had8prz83NOXvHJ9R1xuGs0G2w926XTabN8Zol4PI6qTkjCL5KIXwQp6fWcdKm1Ws295OzFQCDI4uK8s6eHkwlS0u102Nvfp1yqkEwmWVhYoN1us729Tbvd5lh4mJToms7ymWXarTYHBweDJDCj9yhCYBgG6UyGfD5Pv9dDCAXLtlAVFcu2UITjjb6wMI9pWuzs7rhTd3z8gUCQM2fOkM/nabVajMaYe/9XVY1MNo3f72drMz+4bkuJqqgDrVE4EiaZSFKr1ahUyoPvJ9ucm5vHtm0KhcJgnw7n2zkTwtEAZ8+cxef3s7m5SbFQJpFMsnxm0UkM5a7NMVPWVNM+xRSfCy4hh939fT76+AHVapVUykBKyd7ePq1uj8sXVzBi8XGV3ijcZBm9riSf3+fevfu0mi0SyRgAzXafXq/HUrnGpVcvObnZx/ApOfKRw77T6bCR32V7exvTMllcXMSn+xCKoNVs0Ww1ubh6he38NjdvrdFsNkmlY1imxf7+ISY6F1fOEI1GTpa43PlBCCQWvV6PnYMCa2trlIolkqkkQqh0u13arS6zxQZC8+Hz+Xj4OM+zjWeomiAcDmNZFrVaDZ9vl4tdk6WlJarVKh99dJdmq0kkEsC0TKqVOo1On1cvXcAwDDqmZGv3gI0nm5iWSW4mRTQapVnv0u60sYXCysoKfp8+dlDaipjQkku63S6PHq1z584n+P1BIpEw1XrTycOOwuLiIpqqcXhY5N69h+zs7JDJpOj3+3Q6PeZKDVYVlWQqSasr2d4vkt/cxuz3eevXVRKp1EjpVS/kypP2FCq1Oj/76Oc0Gk0CkSBGPIbqMkheNsHdnQMi4TARI+ASspfL8OMJ5t2eyZONZ9z55C7SliRiUYRQ6HS6NBpN2l2LlZVzxBNRd/dJ2r0eW1t7rK2t0em2uHLlCjlMmr02+0dlnj59Sr3eJJlMEk9E6Ha7FI+qKEJBC/rRNZ3HG1sDRnhmdga/X6VQKFCvtVlaWuKNqMFRucqjR0/pdDokElESyQSW1Wd7exvLErz7zXcJBHw8295hZ/sAgMWleXRNp1qtUiwVSafSZGYXOChWWF9fp9XsEAqHyM1k6LQ7HB2VkFJy7dpl5ubn2NjeZXdnF03TSCQShMNhqtUq5XKZXC7Ha6+9RrFY4cGDh1SrVeLxJMlkEtM0KRQKdLot3vyqihGLOP3aOcDJl58gFA5RKdeoVCqk0gkyswskghEqjRb315/g8+WxFNthEjUdKUZrpruZCuWnzeA0ufCf7/EpIzHFLxYvon8vltgVgIODfT744AN2d3bIZrNcv36dy5cv02w2uHP7NtvbO+777BOlVSd2VaFer7O2tsb29g7JVIobN26wurpKJpOhXq9z//59tvL5Tz3ME+ES85lcjvn5eRqNBrVajeWlZa5fv85X3vgK586dG9RCv3nzJk+ePCEei3Pjxg0uvnqRarXKzY9ucnh4eLIKc/Au26mLLiWtVpPHjx6zvr5OKBzi+vXrXL1ylZncDN1ul7W1NdbX19ne3mZtbY1ypczS8hKvvfYaly5dIhqNsrO7w/379zk4OODWrVs8fPSQcCjM6uoqKysrtFotfvbzn7GzvYPZN4kn4pxZPkOr3aJerzM/P89r115jbn6Og4MDfvLjn9Bpd17Kn6HVbPH06VNUVeH8+fNcvXqNXDbHzs4Ot27dotVq0el0ePLkCWtra/h8PlZXV7lw4QL9fp8HDx6Qz+eRUpJKpZidnUVVFGq12oiEPw6vDvdQKg6g6xqaqg79C2wb27YpFovcvHmTfD6PZX02E0yv3+Ojjz7iYP+AbM7bz5dIJVOUSkXu3bvLwcEBXiWyXq/HzvYOa2tr1Go1lpaWHIZG14nFDObnnQJA1WoVwzC4cuUKFy9cJBQK0Wq36Pf75GZypNNpOp0OfbPPhVcucP36dRYWFgDodrv4/X5WV1dRhEK1WiUcCXP16lVWV1cJBoO0mi16vR4zszMsLi5Sq9VoNpqsrKxw48YNzro14Ov1Oj6fj6XlJYKhILVaDV3XuXHjBlevXsUwDMy+iWmZpFIplpeW6fV6mKbD6L7++ussLCwgXUZY13Xm5+cJBAPUajVCoRCvXnyVy5cvO4xku0On0yGbzZLNZun3+7Rbbc6cPcMbb7zB8pllNE2j1Wphu4z+4uIi8/Pz1Go1PvzwQw4PD+mbfSzLQhHK2L8pppji80ED+KM//B6VSoXr16/z1ltvEQr7aLVaKCJArdqh1emDoiNteSL36mh0bbp9k3qzRbdnEo4apLI5dnd2efpsk6NShYCu0e70BjnEh/iMP2YJvkCEcDjslKG0JYZhkMlk0DSNSDTC4uIiiqJRKdfo9y1CoQi53Cw+3clbW63UaXX6gwIVnspxFEJ6tj8b24J6vUmn3cOIxsmkcxQKBba3tykclrEsi0ajg08PUavVCAQCpJIZUqkMt2/fJp/foVFrUQ836Xb6VCt1ut0+gUCIdDqLquooika5XKXd6SKlIBgIYBiGq/J0xphOpykWq1imxWGhTN8CW2jY0kZT3bWSNkIZ1hC3bZNIJMHbb38NKR11uqKq7Owe0u32qdUa9LomqqrT6fRoNtsszAdJp7M0m018Ph8HBwc0Gi2kLfD5dGKxGKrqw7PfCKEy2CRyNAmKgsQmk8nyzW++h21bGEYERdGQON91On2+/1c/ZGtzl3RmwfElUHzIyQx6Exh8677PNhUq5QaWKTGicdKpLM82N7l//yGNRhtV9dFotAf3Hx6U+OlPb1Kv13n99de5evUq4XAYsPHpzhh9Ph8AoVCITCbD7Mwsqurn1q1bgELAHyIUcsajaz5SqQy5XIpQMIJCgEazgSI0jISBpvtQFZ1I2CCXnUXTFSIRgz/+oz9DCJVwKEoingIUFEUjZiSYnZknEjEQqNy+cxshVBLxFH5fEKE4xWVy2RzJRBJN83H37l0AwqEwiYRTKlZRFAzDIJfLYRgGuq6zt7eHpvkIhUIE/WGEUAkEfKTSCSKRCD6f5jJoCoFACMOIo6k+LEWSiKfIZHKEQ1FURWVza2Pw24nH4ly/fh1d1/nww5/z5+//Nd/+9j8jlUqNqNZdSfxzOz1+PpH8F+R+O8UULwUpTbyUzA5GNZ5OhJSQUsr81lMAkokE4agBOLbYvZ0jLMsmmQoTCkdxPXpOeJXjpNPtmVSrVXq9HtFolJgRpdPtUCzXME0LVUhisRjRSOgLHWin26VQKGCaJnNzc/h8PjeBxpBB2N3bxuxDOBImlYzRN/vs7x8ihCAZNwiFI5yuY7Pc7yRmv0Ol1qLdbmMYBoZh0Ov1KBaLmH3FOSxjIYQQ1Go1NFXDMAyCwSDVWnVgs9U0jWg06kjA7Z7TVixEt9ulVKpg2zaxWJRoNIpAodNtc3RUwrZsUpkY4WCYZqtLuVxGSsns7CyaquIcSyPOToN5GF072/1ORdomjVafYrGIz6eQSqVQNdWRButdAoHAwERSKpXo9/tEo2GMqAEodHttGlVHkowafiLRGMc3nBh5p3D9qDQc5yjhXlewLZP9vX0sSyEWi2HEhwzCy8G5z7Qs9vf3AYjH40TCIdqtJuVSFdM00V3iHHL3YafboVQqYds2iWSCcDDq9slZ977p7Ot2u0s4HCYej6AIlb7p1HL3+RWi4Sj1RnuwvtlsFl1zIgjqjRbdbpd4wkBTdA4Pi3Q6HYxYyGGm3EiDg4MCoXCIaCRMt9flYL+IEIJMNkXAHwIk7XaLcqXM7OwspmlSqzmV55wqgxlwM/tXK1UUzcaIGHR7fafAgqoQCUeIRhz/gEazTrfbxTDiqIpKpVqhUW8QCgdIJpMoQsW0+5RLVQKBAJFIiGazSbXaRNqSVDpGIBBAIGi2mzQbdZKpJJqiu+uh0mzXKRUrAMzMZNE1nSnpnGKKTwPvPPWCzJzf19FRCU3V+G///b+61c+eixNsxlP8A8SXsY5f5t6Y7rsppphiipMhKZXKAHz3u99F+4M/+AM8ij8MLVbc+E/ns0AfPn5iAorJYg8MbF/2hIeqIpRj938ReF68qvedbduoqurY6Ubu9ey0lmWhquqJY3Rsf25ZUe/RU+uGuh853tao6n7w/xPmw/nOcj3i9RP75o3LKyNqu5KOwoR5YJCDdlh603vea3Ny/k4qVzrs+7C/trRRxNAs4czt5GiUwXicedEnxn16IRA5CJd7DibXYQS2tFFVMTEOOZwDaaMIt3+2Onbteft0ck9NrrNnK1YU5eQ1n7jPu9e7dtJaj94zitF9JoQY9NvbM5P7fTgPx81Ik+3Z0j5hPY/Pg/P/4e/esi1UVTx37KP9+Dz40nL+TzHF3wN45bEdR1EbRXEipSzT2ffFYpH/D5XI73ut2Mx6AAAAAElFTkSuQmCC
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAZsAAAJYCAYAAAC0DEt/AAAK5mlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96SGhJBABKaE3QToBpIQeQOlVVEISklBCSEHFhsjgCIwFFREsAzrSFBwdARkLYsE2CFasAzKoqONgQVRU5gKPMDNvvffW22udnC/77rPP3neds9Z/ASAnscXiDFgVgEyRTBIZ6EOPT0ik454ACGABBVgCwOZIxczw8FCA2PT8d3t/G4lG7Ib1RK5/f/5fjcLlSTkAQEkIp3ClnEyE25HxlSOWyABAIQyMlsrEE/wbwuoSpECEP0wwf5LRpAlOmWL6ZEx0pC/CjgDgSWy2hA8AyRvx03M4fCQPKRlhWxFXKEJ4M8KeHAGbi3A3wnMyM7Mm+DPC5ki8GACyMcKMlL/k5P8tf4oiP5vNV/BUX5OG9xNKxRns5f/nq/nflpkhn97DFBkkgSQocoqh3vSsEAWLUhaETbOQOx0P9QrkQTHTzJH6Jk4zl+0XolibsSB0mlOFASxFHhkrepp5Uv+oaZZkRSr2SpX4MqeZLZnZV54eo/ALeCxF/lxBdNw05whjF0yzND0qZCbGV+GXyCMV9fNEgT4z+wYoes+U/qVfIUuxViaIDlL0zp6pnydizuSUxitq4/L8/GdiYhTxYpmPYi9xRrginpcRqPBLc6IUa2XI4ZxZG654h2ns4PBpBtFAAORABLiAByQgBWSBDCADdOAHhEAKxMg/NkCOk4y3TDbRnG+WeLlEyBfI6EzkBvLoLBHHZg7d3tbeHoCJ+zx1RN7SJu8pRLs848tuB8C1CHHyZ3xsIwCOPwGA+n7GZ/Rm6q6c7ObIJTlTPvTEDwYQgQpQB1pADxgBc2AN7IEzcAfewB8EgzCkkwSwGHCQfjKRTpaClWAtKATFYDPYDirAXrAP1IJD4AhoASfAGXABXAHd4Ba4D/rAIHgBhsF7MAZBEA4iQ1RIC9KHTCAryB5iQJ6QPxQKRUIJUDLEh0SQHFoJrYOKoVKoAqqC6qAfoePQGegS1APdhfqhIegN9AlGwSRYHdaFTeG5MANmwiFwNLwI5sPZcC5cAG+Ey+Fq+CDcDJ+Br8C34D74BTyCAiglFA1lgLJGMVC+qDBUIioVJUGtRhWhylDVqEZUG6oTdQPVh3qJ+ojGoqloOtoa7Y4OQsegOehs9Gp0CboCXYtuRp9D30D3o4fRXzFkjA7GCuOGYWHiMXzMUkwhpgxzAHMMcx5zCzOIeY/FYmlYM6wLNgibgE3DrsCWYHdjm7Dt2B7sAHYEh8Np4axwHrgwHBsnwxXiduIO4k7jruMGcR/wSnh9vD0+AJ+IF+Hz8WX4evwp/HX8U/wYQZVgQnAjhBG4hOWETYT9hDbCNcIgYYyoRjQjehCjiWnEtcRyYiPxPPEB8a2SkpKhkqtShJJQKU+pXOmw0kWlfqWPJArJkuRLSiLJSRtJNaR20l3SWzKZbEr2JieSZeSN5DryWfIj8gdlqrKNMkuZq7xGuVK5Wfm68isVgoqJClNlsUquSpnKUZVrKi9VCaqmqr6qbNXVqpWqx1XvqI6oUdXs1MLUMtVK1OrVLqk9o+AophR/CpdSQNlHOUsZoKKoRlRfKoe6jrqfep46qI5VN1NnqaepF6sfUu9SH9agaDhqxGos06jUOKnRR0PRTGksWgZtE+0I7Tbt0yzdWcxZvFkbZjXOuj5rVHO2prcmT7NIs0nzluYnLbqWv1a61hatFq2H2mhtS+0I7aXae7TPa7+crT7bfTZndtHsI7Pv6cA6ljqROit09ulc1RnR1dMN1BXr7tQ9q/tSj6bnrZemt03vlN6QPlXfU1+ov03/tP5zugadSc+gl9PP0YcNdAyCDOQGVQZdBmOGZoYxhvmGTYYPjYhGDKNUo21GHUbDxvrG841XGjcY3zMhmDBMBCY7TDpNRk3NTONM15u2mD4z0zRjmeWaNZg9MCebe5lnm1eb37TAWjAs0i12W3RbwpZOlgLLSstrVrCVs5XQardVzxzMHNc5ojnVc+5Yk6yZ1jnWDdb9NjSbUJt8mxabV3ON5ybO3TK3c+5XWyfbDNv9tvftKHbBdvl2bXZv7C3tOfaV9jcdyA4BDmscWh1eO1o58hz3OPY6UZ3mO6136nD64uziLHFudB5yMXZJdtnlcoehzghnlDAuumJcfVzXuJ5w/ejm7CZzO+L2h7u1e7p7vfuzeWbzePP2zxvwMPRge1R59HnSPZM9v/fs8zLwYntVez32NvLmeh/wfsq0YKYxDzJf+dj6SHyO+Yz6uvmu8m33Q/kF+hX5dflT/GP8K/wfBRgG8AMaAoYDnQJXBLYHYYJCgrYE3WHpsjisOtZwsEvwquBzIaSQqJCKkMehlqGS0Lb58Pzg+VvnP1hgskC0oCUMhLHCtoY9DDcLzw7/OQIbER5RGfEk0i5yZWRnFDVqSVR91Pton+hN0fdjzGPkMR2xKrFJsXWxo3F+caVxffFz41fFX0nQThAmtCbiEmMTDySOLPRfuH3hYJJTUmHS7UVmi5YturRYe3HG4pNLVJawlxxNxiTHJdcnf2aHsavZIymslF0pwxxfzg7OC643dxt3iOfBK+U9TfVILU19xvfgb+UPCbwEZYKXQl9hhfB1WlDa3rTR9LD0mvTxjLiMpkx8ZnLmcRFFlC46l6WXtSyrR2wlLhT3Zbtlb88eloRIDkgh6SJpq0wdEU5X5ebyb+T9OZ45lTkflsYuPbpMbZlo2dXllss3LH+aG5D7wwr0Cs6KjpUGK9eu7F/FXFW1GlqdsrpjjdGagjWDeYF5tWuJa9PX/pJvm1+a/25d3Lq2At2CvIKBbwK/aShULpQU3lnvvn7vt+hvhd92bXDYsHPD1yJu0eVi2+Ky4s8lnJLL39l9V/7d+MbUjV2bnDft2YzdLNp8e4vXltpStdLc0oGt87c2b6NvK9r2bvuS7ZfKHMv27iDukO/oKw8tb91pvHPzzs8VgopblT6VTbt0dm3YNbqbu/v6Hu89jXt19xbv/fS98PveqsCq5mrT6rJ92H05+57sj93f+QPjh7oD2geKD3ypEdX01UbWnqtzqaur16nf1AA3yBuGDiYd7D7kd6i10bqxqonWVHwYHJYffv5j8o+3j4Qc6TjKONr4k8lPu45RjxU1Q83Lm4dbBC19rQmtPceDj3e0ubcd+9nm55oTBicqT2qc3HSKeKrg1Pjp3NMj7eL2l2f4ZwY6lnTcPxt/9ua5iHNd50POX7wQcOFsJ7Pz9EWPiycuuV06fplxueWK85Xmq05Xj/3i9MuxLueu5msu11q7Xbvbeub1nLrudf3MDb8bF26ybl65teBWz+2Y2713ku709XJ7n93NuPv6Xs69sft5DzAPih6qPix7pPOo+leLX5v6nPtO9vv1X30c9fj+AGfgxW/S3z4PFjwhPyl7qv+07pn9sxNDAUPdzxc+H3whfjH2svB3td93vTJ/9dMf3n9cHY4fHnwteT3+puSt1tuad47vOkbCRx69z3w/Nlr0QetD7UfGx85PcZ+eji39jPtc/sXiS9vXkK8PxjPHx8VsCXtSCqCQAaemAvCmBtHLCYh2QLQ0ceGU3p40aOobYZLAf+IpTT5pzgDUeAMQkwdAKKJR9iDDBGESMk/IpGhvADs4KMa/TJrqYD+Vi4SoTcyH8fG3ugDg2gD4IhkfH9s9Pv5lP1LsXQDas6d0/oRhka+fUjMtFZjZE5KdB/5hU98Af+nxnzOYqMAR/HP+E8R9IgX6GUmeAAEAAElEQVR4nOyddXwUx/vH37N7EveEYMG9uFtpoUBpKbSFlrr8qpS6t98adXd3d6Ve6oZLcZcEi3tOVub3x95dhEChhUBh3n3R5OZWZvcu89mZeZ7PCCmlRKH4lwSDQTweD1OmTKFXr16cc845mKaJy+Xa7WNJCUJAaamfOfM2R8qFENimRctWKbRrm7onq69oQMLflUmTJuHz+Zg4cSLNmjWjU6dOZGZmIoTY11VU7Aa2tNGExpJtS+h6e1c+mPwhE7tOwLRNXFr13//utwQKxV5HAoK8vEqee2EOaE6ppmmYVQGOndA1IjZhYVIoFPs3SmwU+x3hJ9t27VL54J2T/mbbhqjR3kUiCQ8waMJRViklkupBB4GI3Bdb2k6ZEAgOgBugOChQYqPYb5FSYhj2duW6LtB1bR/UyMG2JUKwR4Z7pJSOaNQ51s6EJCxINY8hkduVKxT7E0psFHsV25aYpiMYmibQdYFlhZ/kBeA0trquOdsJkLZE0wQul4bHozd4nU3TxradXoXLpaFpAtsGwzQRCC678kv69mnKWWf0ImhYeD0uhADDsNA0DV3fdRESQlDiK2HxtsUkRiXRrXFXpJQszVtKia8El+ZCEzrNEpvSJKEJEsncTXPxmwF6Nu5BnDeOVxe8Sl5FLlcOvgpLWnh0jxIexX6HEhvFXkNKRzTqCobLVX9j7HZv/8Te0JPFti1xubZvqIUAr8f5c/F4dHw+E00TRHldkf3c7l0XRokECdsqtnHvr/exLn8d2ypzuXjwFE7rfirvL/qABZsXkhidyKKti+nYqD3vnvQO9/xyP18u/4LM+MZ0atSB24+YimGZBG0Dt+7GjXvP3AiFYg+jxEax13C73WzZUs5d9/1CcX45vfpmccqkbsyclcPsuZto2jiB3IJK2rdLYdzRnXj/gyVU+Q1mz1jHxBN7cvyxnRu0vmFx/PDjpXz68SIS0uK56dpDadIkAcu0ufG26WzaUsbs3zcy6K7RzF+4lbff+4tbbzyc+Hgvd937C717NOHII9thh3pnOz6Z06uxbItTup9M/2b9+W7tdG6dfitn9Did20dOjWx672/3kBqdxsaSjXy6/GPmTJ4NQMv7W3Ns52OJ9cTgK/Ez9fs72FK+mcuGXEbn9E6RKCGFYn9AfRMVe5zwEFTOphIuungaLVskMWlSd4YObkFRURU3T/0By7J56tlZbMop5Y8/stm0qZSbbvue3G3lnHhCd26/62cWLc4FoCGi8y3LGdb77rs1fPnVKo4+uhNZTROYcsnnWJbk2hu/ZdvWCk6ccAgtW6Xg95s0aRzP0qX5PPXsLL76aiUzZ+bQvn11SLZp2juse7jH1iyxGf2b9QdgQ/EGOmd0AsBn+jEsg9mb5/DTul84rftp/J79O0NbDmV98XpGvzqaFslZLNq2iBh3DB8t/ZhezXqiazr3/HJv5Dw1gwwUin2J6tko9hqzZuXg8bq45sohkbLly/Np1zqVSSd0Y+PGUs4+sxdff7Man9/ksKEtueWmw4mOdjPty9UsWrSVbl0bNUh4szPhD0uX5fHbL2vZWlBBaV4Fmc2S2LixhEWLc3nmiWNo1y6VP//IpqIySGajOD5+9yRGHfMaz70wl1VLL8Pt1pHSmZ/aac8mRDgX4bs13/HOwnd54fjnQUKUy4uUkrcXvs3RHY4m2h2NaZmsKVzLNd9ey+WDLmdZ/jKqjEqiXVEc23k8x3QcS5TLywtzX9y7N0uh+Ae41HOPYk8g6/wEZ3J9y9byWtvZtiTK68LnM9A0QTBoYds2tg0xMR6io505h5zNZaSnxzZM5akWs+ISH8cd35UH7hsdea+kxI/fbxAd7TybzZq9iY4d0gBYvaaI1lnJeHUXi5fk0qtnE2efUj+//bGRQQOak5oSU+85pZS4NBdfrvqS1+a9xpdnfU6Mq3rb79f9wIItC7j9CGdIrUfjHtz4zU38euHPtEtpx6N/Ps4tI25mQ9F6kqKSkFJSHqggyhW1x+/P3kTW+af4b1H3b7/mz1rtQYPVSHHQEB4iGjyoJZ99tpJRR79G47RoevRuxhGHtyG/oJJAwKKwyEcgYFJS4sfj0ViyPI8zz/uYvG3ltGiZyLBDW0V6CXsbZ7RLcsbpPbnoks+ZNOkdPDFuDh3SkvPO6cPggS044ZT36NmzCWvXFuFy6SxYuJVzLvyUpx87BtuymXjSuzz75DhGjWxLQUEVE056hxuvOpTbbh2OZdm1wrXDwQ8zc2Yx9uWxDG97BFd/cS1R7iguH3wpjeObcOdPd3FKj5NJ8CYgpaRLoy5cNHAyd3x/J1WGj8ZxmfRv2o8FmxdQ6i9BCEHADFDkK9rr90uh2F2U2Cj2OOFeQnp6DM88PY7pP6zFXxWkcdNE2rRJ4fHHjqZZ0wQee/goMjPj6NQpHU0IkhK8HDW6PR63xuiR7YiKarivp6YJpIS2bVJ44dnxzJm9CSmgVcsUAG67ZTjf/7CGhKQorrtyCLGxboKGzdOPH8OAfs0AeOv1E0hLjUFKaNokgZ5dG9O0aXz4rtQ6X1iQsxKb88sFv+IzfFQEKoj2RJMYlYimaTw85iG6NOrszLsI8AgP1wy9mm9WfQsSRrQdjktzMaHL8Ri2AcDIdkfQs0kP55pUcIBiP0KJjWKvYRgmUVFujjm6Q63yLp0zAEhMdIZ7UpKjWbeuGK/HxaSJh0S2a2grGiGcYb4WWUm0yEqq9V50tItjxnbcbp8mjeMjQQAD+zcHIHtjKRdePo3Dh7Xi3HP6Auww96ZJQhOaJDSp973eTXttVxYVmp+pSeP4xpHf02LSSItJ28EVKhT7DiU2ir2GEAIpJbYN4eRNJ0FSRt4L/4yL8zB0aAsMw0bTiGzb0ITrFxaQcD2kBNu2Iz0S54eIhEsDWLZEE5DVIpGvPjl9l84nkdi2Hc5vBeH0SAQCW9rbOQlIpGNXI0Pbhe5fuK5h6xvVq1HsbyixUexVHHcAqDmMFG6cqxtuQUZGLNdfe+g+qOH2OPWrO+xFvRY5NZNO9RriWFMAalK3tyYQ6JoeflG7HvUIhkCgC73WtjXPUdND7e+oW5fwvBWIesq372XWLa/en3qOUf/9UBw8KLFR7BdICZZl15u9/19kR43qrra1UlKr17Q3qFmX6iRUETq/0+vcWXJq3WsJ9/bC1BSjmvdDLWpycHJg/GUr9ktsWxI0LHI2ldK5x+N8Nm05AMGghWnaBIMWhmFFnrCldN4LBi2CofJ9gWnZkXoYhgXAlEs+Z+7czZHycN1sW0bKnMTQaj84wwiXO8mdgYBJfn4lVVVGKOR7+wu0LMdH7tvvVtNn8LP0HPAMixdvc96zZZ3zVZuU1iwPe9HVhzMc6Jx3W24FFRVBwOnNFRRUsXjxNjZtLouIg6YJsrNLyc2r2C5BdfPWckpK/ZHXxSU+VqzIZ/GSXPLyKyO5S0HDYvHibSxfmR85puLgQ/VsFHsNj8cFCJo3S+T4Y7vQrFliqLx+D7G63mj7AiklLl2DOlUsKKzazuetPu+3nSV0er0uLrjgA554/Ciahu5FXcJDdUeObsfQIS2YdPL7lIcEQUqJrmvb1QFEvR509WHbEl0XfDZtOaec+QH33z2aKZP7s2JFPpMv/Rw7ECAlM5FbbzicHj0a88mny7j7vl+JT/DwyXunkJjkBHXk5JRy4mnv0TIrmbdem4imCS674ivmzdtEcnI06IKnHz2Gtm1TuenW71k4bxOlPpOLzuvHWWf2+Nt6Kg48lNgo9jjhJ+ANG4p56tk5VPmDdGifTnqak7D45VerCARMpv+8lnZtUpl8bl+8US7ue+A3NuYUExPnJS7Ww9WXDSYhwdtgUWnhoaOvvlnFF9OWokd5mHT8IQwZ0oLoKDcrVhbwwstz6dw5g3PO6k1MjJtVqwp59LHfES6N8/+vL927Z7JyZQEbNhQzc+4m8rcWM2FiT1q1TObuB39l4dKtXHnDt6Qkevm/s/rQt0/THV5f2BRUC73p0jW2bi3nrvt/wQpanHF6LwYOCEXAZZfy+DMzqCzx0ad/C845qxe2lKE5nOrj6bpg8ZJc3nh7IUMHtiTK6wjUnff+wtFHtufqK4dwy9QfufZ/3/LVZ2eQl1/Jrf87nHffW4RlV/eYvv9hLWee3INZczazcWMJrVolo+sa3359Ns2aJnDm/33E9B/XYhg2mzeV8uOP5wFw2IiX6N0rkx49mqrhtIOMff8oqTgAcVq3mBg3PXs2pnfPpjz19Cx+/2MjAM+/OJc77/mZfn2a8ubbf/Heh0sAaN8ulcGDWrB5Uym52yoiPZ2GEBpnaEmwclUhb761kC5dMhk6pAUZjeIAqPQFeefdv+jXtxkvvDSPb6evYf2GYi698ks6dWpEm9YpXHLFF2zZWs6G7BKmXPYFjdLjaNo0mRdenIthWPTt3YSEBC9dOqbTr28zUlKid+n6wv5mGzeWcOHF02jWJJEe3RpzzfXfsHxFAZs2l3HxpV+QmhJDv37Nad0q2TluDaGRIePPoGHx2BMzmXx+fwYOyEIgMAyLyrIgY0a34+lnZvHptOXExXjYmF3CBef1JT7Biz9gRobWDMMiv6CKoYe2ZPCgLH74YV1EOMYc/SpDDn0Wn9/knLN6s2VbOcVlfkzTZu68zeQXVVFQWBW5MsXBg+rZKPY44QYuIyOWUyZ1A2DGHzlERTlWNKkp0Zxzdi/GHdORpYvzyM0rR9MEE47vwvr1xZQU+Tn3nD5ER7saNNdGCIiL81BaEeD3mZt4/KGjSM9wLHNcus7FU/owelRbZs3eRFFRFd9+u4Z2bVO45OIBAGzYUMKqVQVEeV2MGdWWC893cmxKSwMkJnpp1y6V779Zy+knd6dV65Sd1sWynPkuW8rIPMw3364mKTGK668ZCkD25jLWrC6gtCxAamo0N1xTO5qvVtRb6PcXX5xHebmf5lmJLF+Rh8sFa9cWExfv4Y67fyEtNYYXnh7Pw4/+iWna+HwG/oCJlOAPmFiWzdx5W/npx7UccURrYmJcTPtiBeee2xtpSy6aPID+/Zrxxlt/8fyLc7hkygB+/GkdPXs+TL9BbYiN9uDxqGfcgxElNoq9RjhnRgIVlYHqpY81QXJSNKZlY1mSKK87sv3rbyzkvHN6R3zIGkpownMsTZvE8+Unp1NVaTBu4ls0b5rAKy8ej64LUlNjIpPvUVEuXLqkMjSfAlBQUIXbrREI2CQmRREImLjdOomJ3tD7lVRWGRg7mcAPo+uC1JQYEuO9ZGUl4XJpxES7qayseb7KSL2Linx/e0wpYd2GYgqLKrnwkmmsX1/M/AWbiInxEDAtLNPmycfHMv37tfj8Bk2bJBAd7aZF8yQSE6NonOm4ISxYuIWVq/K57ubpBMoDuKPcVFUZxMZ6GH5YGzp0SGXevC2sXltIdLSbRx4cAw+OYfnyfM6f/BmtW4WFVgUKHEwosVHsNYQATQsPhVU3LIWFVZRXBHHpGkXFVaSG5nLOn/wZ8xdsoiIQxLYkl08ZSPPmiQ2yiFo4xHf9+mKeeWEOlmXRvHkCjdKcnk1RkY+KygAul0ZhYRXFxT5OOqEbH3y8hPPO+whL03C5BF26NOKnn9ZRVOivkcQKQkiSk6Pp1j2TC6Z8RtdumZx+Sg/69q49ZxOuxw8/ruP9jxbz7Y9rKC+v4tjju3LMUR348rtVnHbaeyQkRVFS6qd7j8ZIW/L2O4s49awPSU3w0LNPc84+o2ckebYmD9YwGJ08+XO6dWvE5Mn96PzdGl57cwGXXvopC5cVcvHk/sTFebjvwd/4/Y+NzJq7mfMvnsb4ozryxecrePGF4xl+eGsArrz6ax59YgaGYXHZ5Z/Trl0KGzaVcf3VhxIImDz6xAw2ZxeRVxjgyssH07RpAtCw7hCKfY8SG8VeQ9e1SIMiwhnywE3/O4yskB3M1VcOJjbWefKfeHwXRoxoTXlFAK/XFfFGa4hEwPA5YmLcdOqYTiBgEBPj4YTjuwBw+20jaNPamQv53w3DSEyMIi09hmeeHMfXXy1H87g4aWJX4uI8DBjQnA7t0yM5Q47eOktiX3XlIL74MgV/wCIlecdzNmmpMfTu1ZSRI9tSVuSjWdMEUlNjeOqxsXzyyVIsCROP60JqqiPUr71yPJ9/tRLDb9A8FOlWX0RcOCxbCLjgwr7ExXmwLJvRo9ri8eqsWpHL8RO6c9iwViChTesUMtJjOf30npSU+MjIiGXqbSPo3Ckdw7AQQnDO//XG7zfxRrmYOzuHQMDk9DN60a9PM0zDpkO7NJLi3ZzdvwU9ezQmEAjg9Tb8ct+KfYuwG2JlKsUBTzAYxOvxcNGUKfTu1YtzzjmH4uIqiov9rF5bxE23fs8n758cCX8+EKivx7U355jqP58TPqDVKS8q9lFS7ENookZOP2Q2ioss41ATy5K1/Nv+dqXRXaDuMZ0yG8sy8Xg8TJo0CZ/Px4SJE2nWrBmdOnUiMzNTuQz8x7CljS40Fm9bQrfbu/L+5A85oesEjNBaTWFUz0axZ5HVvmJ/zsjm3vt+QWqC668eSrNmiZHM+HBWeTjBUNNEKPmx+lA1e0YNWP1ayZK67ti/WJbT+IbNOsN1tkOJljW3lVLucGkEKWUk+TO8fX3UPC6A0AS6JrClxA7tr+kCTTjOaeHtLcvG5db56ONlvPbKHFxxXmzbRuKkDj14z5H06d00Usfwdei6c43hzyac71P3Mwn7xIXvRbiuNesNYZsiUesYznk0LGsXPgjFAYcSG8WeJTRHY9s2Rx/VnqOPqnZKtiy7VihuzU61M79Q16vL3ie5GFqNYCkpqxvgmg001BSd2tvWfX9Hx6+7/c7qAXK78yEldo39NS08RyY575zenHdO73qPa9t2nddhgag5d2RvVxauR333Yvs6y3qOK0OiaDsCqAZVDiqU2Cj2KJZp4nK5IoEBNanPyFLR8NT32TQkUVGOC4HL5VKCcxChloVW7BHC36OsrCzuvvtunn3uOYygE6YbfpIN/zuQkIBu2+i2xNA1pBC7HdBrI7GFjS41dn/v/x6OzY/G1q1bOWbcOEzTdMpRaZ7/RdSy0IoGxePxYAM33ngjV119NVZoYN4wDLKzs1m9ahWrV68mLy+v1tDPfxnNtgl4vbRdt55DVq5i+qFD8Hu9aLt8fRIPHnLIYbG2lCHWIGKJxRIHliDXJSynbrebmJgYx/PN5VKBAQc4SmwUexQJRHk81QXR0RiNG1NZVYUQgqZNmhwwCRbCtjGio2ni8dKsopKePXoSjIlG28Xemy1torUo4n3xFJeX0COlBwl6AibmQdPDEUBicjIJCQnExcWhCaF6NwcoSmwUe5yaTa0AkpKSaNq0KR63m4Dfv6Pd/nMI28aMiyOpqJiE1Wto1bo1VlwsYhfDrWxpE+uOpbKwioQt8bRs1YoUbzKGbRwUYgMgNI3Y2FgyMzOJi41VQnMAo8RGsVeROL5iTRs3JjEhAcMw9nWV9hy2jYyPx715C57kJKLatUMmJkBoDuJvd5c2cZ44ijYXkVSVRNt27UiPTiNoBw8asQEnYCAmJmZfV0Oxl1Fio9jrSJwn2IT4+H1dlT2LbYOmIRPikV4v0SnJEBu7y7tb2LjQSEhIJMrrJSU5mcSoeGwOPtcw1aM58FFio2gwDrgGpU4gQCSMdxdtBKSUtVQlvL/jCXCwyY3iQEclPigUCoVir6PERqFQKBR7HSU2CoVCodjrqDkbhWJPIKUTMGDbtedsdtEaRuJEp9nSxkYeVNFou4oQQt2X/zBKbBSKf4uU4HJBXNwui0ut3ZHoQiPOE4cmNDXcsBMObG+FAxslNgrFv8XjQa5aAw8/4giOZTk9nNhYxNln/W1kmkfzsL5kI4/NeJTk6GRMe9fydA4WdE2nIlDB6HZHckhGFyxpowklyf81lNgoFP8UXXdEpW9fxDlnw4oVEAyE8m905LTPweVCnHG6I0B67dUpdaFj2jbdGh3C+X3OZ1HuX/hNf8g77oALFP9HSCnx6l62lG/hgd/u56ExD5Mek4rVAEuFK/YsSmwUin9DaNhMHDseGF/7PcMAny80lyOdcBxRd3dn/6Pbj+Ho9mP2fn3/o6wqXMPjMx7DsA4gB4qDDJd6gFIo9gDOanBQc80eISAqOryqWWi7+ne3pAwlcypqYksbl6bhC/oAqgME1K3af6ibg7yDNQZUz0ah2FPoGuRsRk77DOLikTNmO/Y1AqiqQkyaBMlJTi+nzhCQirTaMZrQ1JDZAYASG4ViDyI/mQaXXQvJqQgjNNH/ybdQWYFMb4SYcOw+rZ9Csa9QIR0KxZ4gtIaNGDoYEuLBCvVehHDey0hDDB64jyupUOw71LLQCsWeQNMcUenYDnnSRMSLr0NisvNeSRHymimQllrvEJpix9Qd/q+79LBi37Ojz6RuTKXq2SgUewIhwLIhOhqGDgK3K/TXJpEx0YhhQ53Ez11cxVOhONBQYqNQ7Ck0zYlIGzkCBvQDXxVUlMPRo6FXT+e9f+AwoFAcCKhvvkKxp9A0MExEowzo3d3pxQicuZr4OAiaaghNcdCiotEU/wjVZu4Al/MnJS88B/HOx5CRjjzxOITEGVpT961epJqEOeBRYqPYLXThBFoFg1b1ypS7uq/+z1paW4JWZ1ebUC7ZLlQhnHNW9xh7DUtCu3YQ7YX0FMjMhEAwZG/TQHX4jyCECPmYOgaklhKdAxYlNopdwjAMojxubr/jDt5+622aN0/F5arO6K5uI7bP8BaAP2hRUurfrQd7GfK/SvS6KA2YtRKVYzRw6aK6QDj/kzWqULM+EqjwW7tx9n+BBKSNtCsR65dDz57VYdCKWkgpcXs8FBUWcsutt3H6aafiDxq43e59XTXFHkaJjWKXCPdi1qxZy6233ESrtmNYtmwrukdzGngZyjMh1ORrocBHAbYtadU8iWFDW/yjc/+6sYShLZJqacgKP+SXSzRTgi0RoXVkhJSRKDBRIyjTBfRpFfOPzq/Ye1iWha7r3Hrrraxbt3ZfV0exF1Fio9gt3G43CMHkK2cyoIeGHhUD0kZIZ2DLxMK0JGbARpgStynRAlVc/9saNmdfv8tDWRKBz4Snf/sL2xVPsc9gdNsU3Loz3HLrCpNst0W8GSRYamKWG5jlBlZF6GelgVlhYpUbWKUWUYkuZj3cgxiPionZn7AsC03T0DQNvY4rtuLAQomNYjeRGIZFy1bxPPNkJ2AFkig2IAjQGJtmmIC9AhpXQCMb8FSwKPtVbAn636qNxEagUcn8329hxrpxXDOyKe8u2spR7dPQhDNwl2ibtEkUFP2pIapMRHkQVyAA/iBGlYnpMxGmBZpNoMAmKkag6UJ5bO1nCFH9majP5sBGiY1itxECgkFJIHs1hutzFqTF8YclKBPd0GQ0clES/GbSpUQwTEjSvWsJVPhqzdAbptwuwEAgcbt1hAwiV06mc1oiqfPXcNeHRTx19ijcmsC0JS5NQJXJHYmxuA/zIFzRJMRLSkolgaAkORmiogW5hZIqA9okCa54fi3llRbRiapnsz8ihKCysir8AiFUhNqBhhIbxT/GKyuQIhufJ4FcC0q05gjLxgxoyC0amYUCqYHHKIFgsNbEvdvlzO5sh6zEXnoeWlIrUgta8Zz3S7SLngctFmnbiNAKjW7bhDLYshX69dH5ZRY0aWmzNtukZdDD7EUw9FDJqhVB9CYeNuaA19Mgt0XxD3C5XORl55Cbl08wGKRxk8ZqNc4DDCU2in+As3aLDJZjs54SUtgoLYpoi2Yb+EsF5kZJVi6YLkGgvAArGHSkJRRS9tLrefy1rBTNZSEIYlmSVk2DXDDoQaIbtaZsbVPeuHIqi7rfQMwdM8hqHM2V5x8RCXXWDZuicovlG0z69o7m59mSH5+pIuAvoVObpngCkje/qKSspJjeHbIwLalSXPZjdF1nW+42Vq1aha7rRMXEkJqcvNvh9Yr9F/XooPgHCJAWoqIQYRZRQjFbtAIKRD4FwmJLKazfLNiSr2EWaPg3FWKZAQTVQyN3PbqBDu1i6N09ga5dU+jQzktz39XoyS3wbcyidPqndLn/Y7qMOZxW7dK4+/nvqKwKREbiNMui0meSne9DCLj1EsGQPhYlwSruv07w3IMaA/oJCv1+7roSuna0qahSDdf+isvlIi8vl+zsHEpLSigvK8O0bDWPcwChejaK3UcIsAIUb9vGtjI/+dFVVAYMfFohmrkJXx5UVQYp9gm2mDrFvs0EPVYoFcbp2rRv42b88alc+cRKkr0GNw2+n+Z9hmMsaswXdz/NI77L8WyWlOas45GHh9On1x8EgyaxMV4ANFNSXG7giqvilQ9TSEyxuevieM4f74FKk5X5Fuceo3H04WkkJZuUlOi4VbDTfoumafh8fvwBH6YVj21H0nb3ddUUewglNop/gEBaBps357JSBNhmVOELmPj1YjRzDcEtZdg+k7IArLV17OAmDBJqNRuGGWDdhnI++cHPnSNfIKNVO3wLMvj6rme4Pf9isu103LPWkL+mlOWrCjAsX60aaJZECpN3PivnhtPh0jsFJXOK6PXEk+R3LaakKkBVVIB5KzZj3n4tyZkdMY0GSupUKBTbocRGsftoAtsKsj4nl5Wmn1y/G1/QJKAVI6y1GNuKsfwmpX7BelMnENyKJWOrh9EECM2PYXvo2WQrk1qsxbUAPnjxV+7Ju4jNoikxRim4XGgegVvXQDOoaUtQUW7QqXc8g7ul8dtfULjNZs7GaPr2tyk3ZmLHutDjTfIrs8kvKcGdrtfaX6FQNCxKbBS7h5RoaJhmkJU5BaysCpBbquM3JX5RgpDrCW7Nx/ZblAdhvalTJfOwaF3nMH5sLY51Cz7jpfJN5Fd2ZnrJWRTIDNyBIsoCEh0bu8KPP2BtJzam36RpWizP3BLLc59Ibm+hcc2ZMeSsvoKCX09ARlkYZpD+48sZcUQXfnivHE1PbuCbpVAowiixUewWktBKx5isy8tjc1mAklIL27SRIhdYgVYQhTBtfBKypU6VezNCr92r0FySRikWjdsfz68xx+NPbEpqciUZQR+BYDpWwERDUmTpZGak4PLUdrD0VZlsK/IT69bp2hLatoHcIohukUi/c5IIB1bbgOmH/KJctH9oBKpQKP49SmwUu4cQSNtm/YYClm4y8blaUl5RAlYA8AHZOM28xSYkmwAog83FBINBbFuiaYIVq7fwx+/LuOqcthjSRlpV2HiwpBsLC7CxsLFkFDnlM5n911+ARTAYBKBDhotLnluBR4Mot8Tvk0hbgiWRtg02yNDCtDYajdOiiNItAuEQbMV+gWEYSCmxLEtFnh3guNQotmJXCH9PLNMmIz2VB+8dwYoVI3F5PWhChmLoLWdLYQN2aB8b27TJyPDg8VRnVd4/dSyLlmxG81QiRBCECRighX7XDBAmQjOxbB/3XDmF5KSkyP63nNiqQa5bsXcJfydSU1MxTdNZcoDt168Ps6P17hX7jrqfRc3PqOZ7qmej2C1SU1O45rrr6d2rI5pm18qdqR2mKmr9umIJfPheeaQoLSWa6Gg31WsChP5JUec1gEbuHIMvXnwusr9lS9y7OiwmHHucv/dlUzQ0tm3jcrlYu3Yt6enpGEFjX1dJsZdQYqPYLSorKxk/bhzDhx9B0DDQtR0lr9TxPRMCd41EF8Owq7PDRf371C4TeNy1v667k1yuRmj2T0zTxO1289577/HHn38q5+cDGCU2it0iGAzSo0cPhg0buq+rojiAWLRoET/+9BNC9T4PWJTYKHYLx523Etu2sSwLhOaEQ2ua6j3sACmdBeQANE3s9D6FAygOVOreC9N0VuX0+XwqQOAAR4mNYrcRQkTERShn3l1iV0eHtH9wO8PLZ+9tJDKyDHh9r3dWp5rb1rwXtq2FvktKaA50VEuh2G3CT6YbN5Yw4aR36dnzcT74aAlQPY9imjaGYWGa1fkxpuWUGYYVOca+wArXw7RruQpbNeonpcS2JaZp17qm3am3ZTnXPv37tfQd/ByDR7zAH39sBIgcu+Y9ys2t5IorvyYQMGuV27bEsuzQ9tvXoWZDbUkLS1bb8li2hS2d6zRsE8MyMG0zFBYe2t62MCwDwzYi5fUhEJT5yyioLMCWNgKBRBKwghT7iimsKqTYV+y8JwSmbVJQWUBFoCIiNHPnbqb/Yc/Ta8DTTP9+DS6Xet49WFCftGK3CQ/zNGoUx8vPHcuVV31NdnZp5H3blrhcWq3XmiZw6RrUeKqVsuEn7m1bouvadj0Ny7K3Kxei+lotq/Y17QrhZnvjxmKGD23F9dcNJS6uOvy77j0KBk1WrMzH663+s5QyPKxW/42qrAxSWOQjq3kiUoIual9YzQAOt9j+z10XOgjQ2XHXy5Y2mtCYvvZ77v3pfip8pQxuM4Tbj5iKW3Nz5odnsXzbSuK8sSTFJPHmpNexbZuLpl3M2tzVtExrze2jbqNzemcO6ZrB15+czp13/8zG7FLVozmIUGKj+MfouiAxMYrk5Bg87uqGU9MEz780ly2biunesynHjeuMlPD2u3+xek0hui44+cRutG2b2qD1ldKp2y+/ruenn9aQlBrH+f/Xh5gYN7quMWNmDj/8vBZMycknd8cwbWbP3cSpJ3VD1zU++GgJrVul0LtXk90aunK5NJKTo0lOjo6UaZrgldfns3F9IZ0PacyJEw5BCEFyUjQ//bKeP35bw8hRnejfrxkrVhaQl1fB4mV5BAImZ5zSg9TUaCxbMmvWJp5+djbvvn0iADM3z8Cju+nXrB8SyYzsGaTGpBHl8vL+og/xG37aprVhUrcT0YTGgq0LKPWXMjt7DsnRyZzW61SiXdX1lEg0oVFpVPH0zKd55rgnaZ/aniu/uYo3Fr7BBX0vIC0ujV8nP0uiNzGy33XfXk/jhEzeO+kdnpv9PFd8cSVfnvkFXq+LKK+blOSY3RZvxX8b9Wkr/jHh4SXLsrFDo2VCwFPPzGbDhmKSE6P4+JPlvPPuIgCiolykpERjW5Ibb55OcYmv1nH2JuGhpz//zOGDD5eSnBjFtm0V3HjzdAC+/34tt079EcuqHjqTUvLAw3/wznuLmDt3Mw898gfSlqH3nGPuSt2lrB5SsyxnhxdfmseKlQUkJ0bx5dereP3NBcTHe1m0ZBsff7oMy7K58OJpbN5Szs+/rGf8hLcoK/Pz2+8buf5/3yGE01NMTY0hLc1puF0ujWX5y7jtx9uwpY1pm9zx0x1UGBXoQifeG09SdBJfrvyKV+a/CsADvz3I3b/cg2VbvLrgVT5e9olT51C/LDzMWBmsoMxfhltzA5BblseW0q0AFFYWcOKbJzHp7ZO54bsbKfWXsqksh5O7ncxXq77ixbkv4tLdrC1aFxlOsyy7QT53xf6D6tko/jFSVs9jhOcUAD7+bBmGL0CjrGQWzNhI8+YJnCwgOsrN99+sRMR4WfzXVgL+hrX8FwL+nJnNt18vJ3dAC3Kzi/FbEtuG51+ayxmn9eC0U7vX2uebz07npDPep6rK4NvPzyAtPTbSQ/onaJpASvj0i+UU55bTtG0qi2Znk54Wy5jRHUhPj+V/1x1KZmY8y1e+z6JFW4mOdnPKpG7ccM2hbNhQwmVXfsm3367myedns3ZNAcXlQRYMepqxR3VlypUTmb72O1YVrGJL+RbS4zLo3bgX5cFyVhesZlPpJlYUrCQruTkAaTFpTDhkAhM6H8/lQy+j1OcMh4ZFQRMatrRJi0njpO4ncfwbJ9AxvQO5vq10y+yKaRvEeGI59JBhtE1pS0J0AkErSLQ7htcWvIrP8HPP6Lt5ZcFrVAUr/8Wnp/ivo8RG8Y/xeHQ0TSM5KTrydF1eHsQybe68YzSHHtoysu3SZXncfd+vfP7JaWTnlHDBlM8adF2s8JBXbl4Fx0/sxj13j0KrMQxWWRnEG7X9vIXQID0lhk2+8lpGnj6fSc7mUlplJeH27EYionAWlgv4TW6+ZQRHHtk+8lZ2diktmieRmRkPQCBoER3tJuAz6dY1E4Dy8gCBgEXHjum88vxxzJyRw7sfLObhB47E7dFJiomif9MB/JnzJ+uK1jOp64lIJDdNv5nGcZncP+Zerv76Glya86cf7Y4iNToFwzKIdkUTHR+9XZW1UMTheX3O5bw+5+IzfJzzybk0TWyKR/cS54lhdPvRtE6uthCyTIvVRRuZ/n/fsapwFcVVRWQlZTVY5Jxi/0OJjWK3CQ9/5OSU8tkXK/n0q+WkJkfjNywmTTiEY47uwAOP/M78v7YgJUw4tgu6JigsquLll2ezZl0p69eXNMz4WYhwkMKx4zpxy9QfeOjB33B7XXTt0ogRI9pwwoRDePCh31m/sRhp2JxwYjcMw+KCKdO44dpDKS0JMHz0q7zywvH06J7JqlUFDBz+PA/eOZqLJvePBBj8bT0sSWysh3FjO/LEM7NYsboAKWH82I7Ex0fx+4xs7n/kd7ZtLsMXMBg4MIu1a4v54INFlFb4+fX3jQwe0oIWLZIASEyMoqrSICMjDokTITaq7RFc/+2NRLmiuWbI1QgEbs3Nnxv/5PXY1/l69dcc03EcAAVVhZQFynDrbizbcsKQ6zwFhAXit42/MW/TfAqrCkmPy+CYDmOpMqooqCokrzKPlkktMCwDr8vLpO4n8u5f7/LQLw/xW84fjGo7itSYVEzLwqVcAg5KlNgodp8aIlFWFuDUU7phBCzKywNYluSqKwYTF+8hO6cUTRMEg86T+EP3Hcmff6zj8MNbcczYDiQkOEs8N8SDrq4LpJQMHpTFbbcM59uvVyI1gc9vAnDWmT1JTY1h5twchFkdZvx/Z/di9Mi2SAllFX6CQRMhoHv3TNpkJRMI7NpQYHjYTQ/1ji6ZMoC4eC9r1hYghCAQtGidHsM1Vw8he3MJ8fFenn9qHF6PjmXbBA2L0rIAxxzdkQvO6RM5btu2KUyZ3M95IQUI6JbZnfP7nE9GXDqJUc6k/TVDr+adv96lsKqIh496iMbxjQE4u9dZtEhqEarj9kID1b3CoBWkoLKQZolNub3/+QgEATPA+X3Pp01yGzSh4dE9SCk5st2R2Lbkj/W/c8IhJ3Bqj5Od6w8lEh3IiauK+lFio9htwpYiLVokc9MNw7Z737YlF5zbt1aZlJKjxrTnqDHtt9u+oRBCYNuSoYNbMHRwi1rvWZbNMWM7cMzYDrXKD+mSEekVnXt2bwA2rC/hkqu/oH+/LC68oK8TcryTXo1l2VRUBKmsChLldaHrGrYtOfuMnttte8G5fbYrKysLMH5cFy67dABQO2GyceN4GjeOj1xf+P1ju4x3fg8lUzaKa8Tlgy/b7thDWgypvj84guwzfTUt6ZBS4tJcjGg9ghGtR0S2l0i8Li/DWlZ/B8J1sKTFUR3GcFSHMbXqbFmSQMCgvCIYCZpQHBwosVH8Y0zTRMqa7s5OhJSmCQzDJtxiuVxOhrgZSqIMN0i63vAWN5omQtFz1ZYpTn6NFqlfuG5QnTPkBENY6LpGs+YJPP/UeFJTYvDsZL4mfGnNmyXx1HOz+fGPdTxwx2iGDHGEru756t43BLhdOo0yYikvD4aSTallaBpOPq0pduGESoGI5NnY0sayLWdJbgSa0NCE5gydCS1SvrViK2d9eA6BYABNCDShUx4o45jOY7nhsOsiy3q7NFd1ZFnoGDXnYnShRxJKhRCR/J8FC7cy5cov8FUajDhstJrDOYhQYqP4xwghcLnqb2zd7u2f9IWoTuQMN45SSkxLggSXSzRIw1NfUiewXd6HU1cZqXu4kdc0QePQJP7OElPD1zh6dFtGj25b6z1NE/UOJdV3304/rccOr0UIERmaq3UtWu0/bU1oaPX0vuq6djeJb8J3Z3+9w/PVx46cv3VN3y5ZtG+fpsz+9YLIa8NwvNEUBz5KbBQNRn2NvBACt2v/fLKtKYo72+bvkOHugPPKWSBsN9wTpJT1hlvvLQcGW24/vCXYMw8C4fwlCbWiARUHPiqpU/GvkNJJgjRNO5KwGPb9csqchsswbK678TuGDHmKBx/5A9Nwyhct3saYY9/g0FEv8eeM7Mj+e5Oa9QsPY1lWdYKm87tkzdpipt7uJHoahhW5vh2xo+A6IQTBoIlhWrWExpm/MGtta5p2yBvNrrV/ePgvEDAjCZFCgC23P8a/JTzEVvPfnupxhi2A9L9xv1YceCixUfxjwuPt4ez18HCOptUs0yIN+lWXD2bMUV1YsmRb5Cm9XdtUnntiHDFuN9nZJQ1S55r1q54/qm78nN8FpWV+5s3fgq47C7+FI9p2dFwhoLjIx8Bhz3PxZZ+DdHJlbrhpOv36P8ERR73C739sRAhYuSKfYye+xaBBT3LqWR9SURFESsl1N3xHn4HPcEjPx3jxlXkR4Z0zdzPDRr9Cn75P8OTTsxACZs3eRL/BzzJgwJP875bpEdFRmfmK/RGX+l4qdoX6viculwu/3+SDT5ZSXuwjq2UyY4/qwKLFufz6xwasgEnX7o0ZflhrNA0yMmJp0SKZLVvLI6NK0dFuspon0iQzvt75ij16DdLpJcxbsIUZf2zAE+PhsCEtad8+jVlzNtGhXSpJSdHMnbeFzMw4orwu0lJj+WNGNosWbmLUqI60aZOyg6MLbEtyz/2/4q80ifK6QcCnny1n9uwc/lp4BTNnbeLs8z5i3ozJzJ63mQfvPZIOHdI4atwbvPzafC6dMoCHHjgSOJJly/I4/sS3Oe2kbixemse113/L9GlnEB3jzG/4fCZXXfcNt900nLFHdeCIMa/w4svzmDK5P86n9d/sNuxo/fodrXOv2PfInfys+TmpORvFbhN+ci4qruLmm3+gpDxAerIXQvMbFRVByssDYFg8+sQMpA0jhrcGIBisvbyAbTu9I8Pcu15Zznlg/foSnnxyJo0bRWNpOt27NALgllt+ZOqthzFgQBZ33P0Tx47rxJgj2zNjVjaJyV58FT4++HQF7745ifS0mFAvKBxq7AwPvfzaAkzT5pqrhvL7H+sBmDN7EydP6saatUVc/7/viI7xMGv2Jk4/tUekbkmJUREj01WrC7n3wV8pyK/k1v8NJyrazU8/r6dHt8bc+cAv5OZWcusNh1FWFiApwcuRo9tx/4O/sXFjKatXF2JatuOurVDsZ6hvpWK3kIAMuW7+/PM6NmSX8NZrE3n00WO46AInubBL53Q2ZJeweE0hyxdtZdWaAoBIyHF4nic8WezMQciQx9reUZxwr8YwLNasLyJoa9x35yj693c8wjIz40IhzpJGGXHExroxgjZpabHcfusInn12AjFeD/Pnbwnl6zjHDYvYylUFfPHlcm668TD8AQOkIBAw0TXB/AVbufmWHzj/nD7069mUgiJfRHCfe2EOfr/BSSd2w7IkCfFeDh/WmtGj2vHjb+spKqzCkjYzZufQo1tjMtJiufeB39i2rYLYaDeXXvYlW7aUceO1w6goD+5wmE+h2Neono3iH1NZGSQ6evuv0IVTPufQYS0YP7YjUy75AnfoSVvXNVJTYkiIj4rkp4SjveLjvKSlxdQbxrsnCB+3ffs0fvvxXGbP2czAYc8zangbpt46gpJSPynJMQghKC7xoekahmHRpVMj4uMdpwNNdya2axJO+Pzqq1UsXZHH0RPeIC+vkqryIAHDpHXrFN75aAkLZ08hJSWKF1+ex+TJfdE0wZNPz2Lu/M18/MEpkeNlZsZx+imOGWjPvk85LgxoTDi2Mycc14VjjuzAmed8RFych3lLtnHGpB7ccvNh3PfA76SkRuPeQSi6QrGvUWKj2G3Ck+p9+zTnhRfn879bv6dVViJNmiYwZnR7KioDLPprG4kJUfz+RzajRrbFtiWfTlvOex8uZvXaIl58dR5jj+xAMGjx/U9r+XXGBvyBIJU+kyMOb010tHuPhvaGj7VtWwU//bIeW9r07tmEbbkVAKSmRPPQ43/SIiuJDz9YykkndgPgl9/W8+Kr81i5qgA0GBxyHgjfg3BuzhWXD+KKywcB8ORTs5gxM5uXnj+O+Qu2Mn/+Fr74Yil/zNpMs6xEundrzL33/8oN133N40+N59VX59GqTSr9+jTjk8+WUV4RoKDQx6CBWXTvnonfb3Hv/b+Q+Lyb+YtySUjw0r9/M449qhP+oMHLL89h2pfLeeCe0UC1ACoU+xNqGE2xWwiq7Wo6dkzn1Zcn4PObLJi/hXXrSxBCcM8dI4mOcrF6bSGPPXQUhw5piZSwYkU+zZsnMHp0O/5atI2KigDl5QEWLNzK8cd1Jjk5mlWrC2oMpe25IaHw8FJFRYA58zbzx4yNJCVHcfftIwG45abD8IR8yN558wS6dsmgUaM4Tj65Kwv+2oph2jz/1HhiYuoXwfCaNVLCoEFZnHpydyxL0qtnYy67dCAzZ2aT0SiWZ584BoDMxvHceusI1m8sZvbsHHJySjFNm2Ur8lm0eBtlZX4evG8MQggGDGjGmWf24q+/ttC4STwP3+9YwNx95xG4PTpz527ijttGMGhgFqB8xxT7JyJoq0Fexd8TDAaJ9Xr4v3POZcTwwzn11FMxDBO3W3WOd8ae6GXs6jH+iz2asIPAI488wsuvvMJlV1xBRnoGHTt3JisrC6EJvJrGwm1LeGHuc9w47CaaxjciaCubm/0FW9qRz6jn7V1558IPOanbBHyWWcvJQrUUin+MpolIgmT4tculRcqEqE5IdHy/rFoRZ2532HOsRgKjJnDvxeWCpZTVCZMC3KFcm5p1RoSTDp06g9OQezw6s2Zv4uLLPkf36qGcHQ2zIsDFlw7m7DN7RYIebCkjPnGWFUp4rXG+8KJzNe+l489mRfzHwttqWvX2QlR7zYX92hwjULFLSxwoFPsKJTaKf4Wmie3MKOsrg9oGkmGEYKdmlnsaIeqvW806h8WvvroNHNCcuTMvque41T+FEGg18lycJ3DH/y08BFfXhw2qI+bqyzeqb/uafm37I4ZpI+3qJFrFwY0SG4WiDn/XMO7u6M2OxLe+4+7vjXLN0OrIkgYhIXUKq5eU3ps9VMV/D/VtUPxjaubG1M2RsSxZy8o/vG2YcL7NvsCpq13LD01KMC3Hy+2Rx//kh5/WRvKBwli7Wefw/ZgxI4exx73JmGNfZ9asnOo62LXvUWFhFffc+2vIh63aa67mfQ4HIezw2qRdy0jTlnbI+FJiSSti+193e8t23pN/E5QhhIj8i5RRXRYWmqoqk8uu+YpRo57nwYf/iFyH4uBFiY3iH+NyuUJzDSLyE5xGOTyHEJ7XCc89hNG0hllOoC7hSXTHgbraDy08x6LrGvMXbGXV6oKI71t4P3036xxuuJcszSUzI4577xhFp04ZofdA12rfo8pKgx9/WhfyYdMiXmzhexe+pzWrYBjOwmxhwsaZNV+HRUAXOrqmb/e+JjRnOQBNr3elTjuUwfrR0g8Z+uxhdHu0J1d+eTU+owqAdxe9R8/H+zDkmUOZtuJzADxejYsv6M8pp/Zm1uxNzjUrrTmoUcNoit0m3Nht2lTC1q2VBIImcXFeSsp8DOqfhcej89Mv68jbVk77Dhn07NGYNWsKMU2bjh3TkVKycWMJpilp2zZlr1nl1yVs0790WR7z520iLjGacUd1QNM1dE3ww09rKSisYvOmElKS27Npcxlr1xUxbGhLNE0wa/YmUlOiads2dbcW/XK7NTp1SKd718xIma4Jpv+whm1bymjVJpUhg1qgaYKMjDiWLMtl6eIt9O3bktatk9mypZzKqiCr1hRimTZHDG9DVJQLy7L5449sXnh5Hq+8eBxCwJqS1Xh1D61TWjvO1UVriHHH4tZd/LLuVwJmkKyk5hzaaigAG0s2UmVUsWzbMhKjkzi8zWGRhc7CaKGlnI/tdBwTukwEYNiLw5i+9gf6Nu3DA78/yEenvU9SdBJHvDiSjukdaJ/annZtUwkELH7/M2dPfHyK/zhKbBS7haQ6j+PGm6ezZWslBQWVxMV5saTNEw8dzco1hbzy+nyaZcTwxLNzuGvqCPLyqnj8qRn88O3ZeDw6197wHROO6xISm70fxhqO5Fq8JJ+XX51LtFtQ4rNYvjSPG28Yxosvz+OFl+fQuUsjsjcU43bp5OZWcNZ5n/Dkw0fRsUM650/+jEceHBMSm91Zj8YxznSGw5zIsc8+W8GPv64j1iP4/ucNlJX6GTiwBStW5PP4kzMJVlXx2FNzmPbJaUz7YgVT7/iRCRO7sOCvbfz620YevG80mqbTuHE8ifHeyJzQt2u+5Zd1P/PJqZ8gkVz99dVcc+i1ZMSmsyxvOaZl8sXKL8mrymNilwnc+sOtbC7bQpukNvy68TduH3kbE7tMjCwnXRNN03hy5lMszV3KgKyBDG0xhE+WfcKhLYfQIimLiz6fQsAKMitnNu1T2yMlVFYG9poFkeK/hRIbxe4Tajv8fov/O7MXC//aSuPG8bh1nd//yGb6D2t4/snxtG6dzOtvLGDa5yu5644jeOvtv1i8JJf4OA9VlQaTTjwEaJgkxHCY8vTv1/DNlys4bHR7Nq4q4LffN3DmGb147c0FvPD0sXTrlsmlV3xJYVEVxx/XmU/fO5krrvsaaUnef+tEOnRMr3chs78jHKUmNOfmvfDqXALlAdp1bcTcmRuIiXHTv18Wniid668eSuvWKYw//i3mz99CTLSbI4a34clHxrJ2TRGXXPElP/+8nhdem8fqVfnkFlRx5FEvM/KIzpx2/sn8vP4n1hevJ7cilyh3NEOyBmNJixh3NBvKN7KucB1zN81hYpcJxHriOK3HaZzZ8wxyK7ZR4i9z6lvfcJq0yYjNQKZLVhauZHHuEgJ2AJ/pZ8rnF9MquRXpcRlsq8ytdc0KBSixUfwLEhO8xES7CQYt0lJj2Lq1HMuWxMV6SEp0/MRSU2MRSNxujZEj2zBz1iaMgMW4cR2BvbfaZF3COSjbcisYOao9U6YMQNiSps0TKSr04XHrNGuWCEBubjm9ezUBoGWLJKLcOtnbymjTNjVyPNO0qfIZJIR803YVTQgqK4MYQYszz+5Nv37NuOGKIWQ0iiM3t5L2bdNo3dpZxiA2xjm2328yeJBjkxMMWuiaoFGjWK65Yghz52ziy69XccN1h5KSEkNabBJ9mvRlRs4M1hWt4/jOxyGR3PbjVPxBH5cMmsJjMx7H644CIM4TS6vklgStII3iMmkUl1l/xQFd6JzY9QQArvvmOr5fM53DWx/OHd/fxasnvsyoNqM47YPTObbz+N26J4qDAyU2in9MQUEVFRVBSkv9lJcHyMurZPDgFuQVVHLT1B8ZeXhL3n5/CYcd2gpd1xh2aEtunfojVT6DZ54Y16B1tSwbTdM49NCWPPXUTNauLsDtdWHZ0K5dKrGxHh546DfatU3js89XMn5cZzZvKWPKpV9w5hm9KCnxc+TY13nhmfG0bJnE4iW5jDn2dR68azSnndoDy5K7ZCJqWTaxsR4G9GvOT7+uJzMzHltCdIwHr1dnwcKtfPTZMrZuKiN7SwmDBmWRnV3Kzz+vJSMzlmlfrKRN29RIoEHAb/Hd9LX069ssco4RrYfz4O8PAXBh3wsRCPIrCjCsIEW+ImbkzOCIto5NT2FVESX+Ejy6B9M2twswgOpF8uZtmceGoo2ApNBfxFk9z6RbZjcGZPWntKqMJ2c8RX5FPsNbD/8Pr6ij2FsosVHsNuGoognHd6brIY2IiXXTrGkCrVql0Lp1MseM7cBV13/Dhx8u5pixnTgjtHbLIV0aMeaoDrh0aNkyqUHrHF4xdOyY9lRVBXnrrYVIXWPkiLZ06pTOg/eO5p77fiY23ssrLxxH10MasXlLGX36NGXSCYdgGDbZm0pYu76YVq2S6dmjMQmxXjZsLAnfFXbWvErphDqHJ9un3jqc2+78iZdfn4cQgtSUwfTs0Zijx7bn42nL0G146tGxxMV6kMDy5fl89OlSWrZIZupNwyPHTE+LYfy4jk54s+04Uw/MGsjwViNoltiEtNg0AK4ZeiVP/Pk07y36gIv6T6ZtalsAxnY4mvZp7Z17JHTHTaFGaDSAZdvomsa8LfP5Y92faELj//qdzZAWQwC4a9Sd3PfzA3h0D0+Ne5KU6BRs6YSV7+0lvhX/HZTYKHYLgRMmDHDaqT0B6N59+6GXxx48KvJ7ONxYSsm5Z/UCqofPGnJIP2xLc+KEQzhxwiG13mvfPo1XXpq43T79+jRDSiei7K6pRwCQk13Kjbd9T/eujZl8Qb+QXcyOswhsW+Jy6bWWJ5BScttNh2+37T13jNyurKIiwLnn9mPKRf22u57WrZNp3TrZea1XH3vKwMnO76GJ/jYpbXl07MPbHfvYzsfWOh6wXc9GC13b+X3O4/w+59W6BiEEndI78eoJL1eXIx0HBQ2iY9xKcBSAWhZasYvU58McCBi43a5aYhJO7gt7itW0Kgl7gsG+y5Sv6TNWs371+bmBM+zldutICYZhOWvypMVwyUX9ad0qhdTUmB2fLHSzUlJiuPfB3/jsmxU8cMcohgxpUcvXDJz7oWmCYNCK7B62o4mOclNa6icYtJBS4vG4IiLtLD4na91PIQSGbSAQESNEW9qYtgk4uUUaTm5NeOgsnIuzpXwLZ394DoFgACE0dKFRFijjmM5juW7YtaHLkrg0VyREuvrYoAkdl6ZTWWVw6dVfMuu3NfQf1HaXPpu6ywnXXRZaUv/3ULFv2dFnopaFVvwrHMEwCQaD2LaFaTpfJ9uuf3vbhmBw+/L6yvYFdesnQ/5lNa+npgBYloXHI0I9HhO/P7DTyLRgEI4a04YRw8/HMC2io9wE67l407S2K5PSOffZZ3ULnx0hwDC237+++ymRBKn7hpNqaoX+A7CpvtgUTwrvnPBWrVZCInHrbrCcoUKBwLKq96+JjUUQC5dL8tA9I5HyCKKj679mcFyfHacGU0WuHeAosVHsFlJKMjMz8Xg8+7oq+xwhXERF7dqfkNf737lfUd6oPXIcr/fvI/XC36O0tDQsy1KCcwCjxEaxW3g8bq65+mpeeP55goYRWj5AR9O0kJWKckAK49JNJALL2n+dmfc1tm3jcrlYsmQJiQkJmIa5r6uk2EsosVHsEm63G0PCLVOnsmbNGoyggZQ2hmGyZctmsjdsZMPGjRQWFigTLASabrJ4ST88Hj+dOizEMDwIcbDfl3oQTvpo+44dadasGT6fD13XCS3KoMKnDyCU2Ch2CSEEEmiSkUHTjIxa7xWVV7Bm9WqyN26krKzsoG8gnOg1i7iE3sTEBBh+WDsCfiU2O8O2bQLBIAkJCcTHxxMTE4NL07BVKMABgxIbxW4RrGOzrwnQdZ3YuDjS09OJT0jYh7XbP5ASvB6b2Fgv8fE6zZtnUVmlo6kRxp0igJiYGDIaNSI5JRmhCaS1g8gTxX8OJTaK3aLuWiYAMTHRtGjRgpTkZALBoOrZSPBGQXpGDEmJNp26JFNRjhKbv0ECUV4v8QkJeDzuyMqligMDJTaKf42UTrSVJy1NLZBF6H7oEB9vkZAoSE9KJi5Oic2u4DzMqGm/AxElNoo9QrhxUE+iDoLqFSzDiZTq1uwaSmgOTNSzlkKhUCj2OkpsFAqFQrHXUWKjUCgUir2OmrNRKPYwUoJlwT81O5ZSbmfzf7BiSxsLiSW392FT/LdQYqNQ7EGkBLcOOhAdtfsRaBJwaQIdZXHj4NyHBG9CxMFa8d9EfXoKxR7CtiFKh+ytsGihzV+LJb177XoImi1tvJrGtspCZuXMxOvyHPSh5LaUROlulhesJLdiG8rA5r+LEhuFYg9g2+DRILdActfdNpVV0LSJ4PjjNAz59z0cKSVuISj2l3LPz3dQ5CuieVIWQTNw0MdMuzQXxb4iJh5yIhmxKQRsWxm+/gdRYqNQ7AFs2xkCKymDQFBy5eU6h3QUCPeu5Y2E52jKApVUGJVMGXAJPTK7ErBt3JpLOYQB0S5niWxL3Yz/JEpsFIp/gbNMNkS5ndDO+HhIiIPUVPC4wQYMuePOicDZJirkdBzviSfBm0BydArRriiiAQMVNgrVInNw9/P+u6hloRWKf4gATBuidVi8QlJcIMkrgJzN8McfkuwmkvhEQY9DBH7bMS2VdfeXNlGaxsqiteSWb6U0UE5OWQ6zNs2koDKPKE8sfTK74VdDR4r9lLrLQtdd3juM6tkoFP8QywZdg/wiyfVTLWb/5USgVVTB3FU2wSAc0g7efE4nLV1g2rXnbixpowtBSaCCW7+7mZ/X/kysJ5aKYAVzN87FsixapbbirZPepkl8YwxpoynBUfxHUWKjUPxDNA0ME5ITBXFxgoICSUwiIMFfDr4yiOomSEsRGBbodaKZNaFh2AYJnhgSvUnklW0lMSoFiSQQDFAZLKd9RnsyY9NDQqPCoRX/XdRjkkLxLxDCEZHzThM0bgxIp7cjgLRUuPAMgdu143kGgYYmNM7q93+0TmuLhYWu6QghSIpO4cKBF+HR3aiZCsV/HRXmolD8C3QNAjaMGKbRLMMmbyXERIMRhEaNYPQojWA49LmevzVd6PgtyaCmfWiZ2ppNJZtxe9yYlklGfAZj2h0dChDQ6t1fodjn1J2sqVleo0z1bBSKf0voj+r0EwRel/NSx3nt0pyw6J0hcPJsTu15GnFRsU4ipyY5tfdpRLs8f7u/QvFfQImNQrEHkAImTtCJcjuh0C4BEydouzT4JYTAEoLjO08kzhOHjaMux3c+AZdA+aQpDghUgIAC0zCwD3JblH+LaUJcNJx2nMXjz0nOPUOQkmBRFRBOz2QXVMcjXJzS/TTu/e5uTu13Go1jMqgMBEL7qzmbf4oQArfbva+rcdCjxOYgRwKxXvWHuKe44Hx48hH4v/+D5ITd3/+i0Zdw/593cfphZ5EWl7TH63ew4rdViMW+RonNQYxpmkS7XVx5zTX8tXAhUV4X1bN6Yvv56BoZ3BIwTBvL3L0hHolEEwKXJgiYNlqNJ3ZXzaWTRc192L4QZ57D2k9GmGQoCKC4VGIHJRecJUhPEdg7cQ+otT8SXQjKAhXY6yRXfnsJmXGNsJBOcIBi9wl9UbNatuDlF18iaEu1bPk+RInNwYyUaAK+++ZrHrj/AXQ9mYpKv/MWYclxEJH/OU2/pgnSU2OJi/PU2XJnOEmMhi0oqAzQPDGaQA21KDXBDEqQMnQ0WX1uqhttEcrEdwuIjdq/ck90HRISoLzcGVrbXTShkRiVSEWgAsM2IsKu+GeYRpATTpykRiH3A5TYKGjSJIPklI6cet58OnVMRkobXUg0aSMxsaWJLSWWLcGycWtQurmIFl0b8cbL43b7fM/Ny8Hn9dKtQwaNaozgHbcSPC7QghKrwsCuNLCqLKwqA7vKwvKbyCoTfBYVFSa92sXx+FmN9+CdUByIpKdnsJ90gA9qlNgoENhs3JRP317xvPtqP2AjBh4K0bFIxySeYBXITZDhg6RoyPlrOWe89idSSoJBC49nZz0MG0PquLVinvr4FXJcR3Bs9yY8+uNy7h7VEZCU+aCy0o8rRWPLcj/4fZhlAYyKAFZFEKvKxKwysKpMbL9FxSqbrIQMpMzEsiW6ph5dFdtjBIOYpqkGIvcDlNgoAGf4JxjUMIKzKCr9hflJsfxlRWFofdD8PbHmePEuMOkV0DgsxiY/ZzO6riGEiPyzanq/h8Z/hJBomo4uqxBrL6FDfCpfr8xna3ERU4/pC0IgEJjCpnHAZnKsl+LWGprw4tIsLNN2elpu6djLW6DpYBSafDS/KHRu1Fi8ol6EpiGljS9oIjQNTRO7tOSDYs+jxEYRQSBxmyVo2iYq3PHkatEE9EqEAUaFwLtZo02Vhh5l4VpfDHrtwQldr6/BFyCDsOxcSG3DyKRGNC57gQ4XvIrbHeUkMAqBYUOqtDjE0qlqrpGR6sE0YEsR6G5IiAahQV6ZIzZJHeD9OYUNc2MU/1mEEBiGybr164mJjiGjUQYej1sJzj5AiY0ihHQafn8ehrWWPJnIWhlNQBaimRZVBZKodZIulRLLa1K1Ng86ewFnwt60JH/OKqegOIBlW2jCREiN1lkW3VzXQ1JLchel8c09TxJz6oNs+nkNWS1S6dzemXORtkTHYulGE5/LBpeHi26SRKcU49I18rIT0HVIaVKKJgTbNsaR2EqNxCt2jhACwzRYtXIFSYlJSGnTpGlTtL9bOlWxx1FiowBCEV+2CVX54MkjXwTZ7HJjUwRCUFio48kR5Ac1pBt8OfnQuQkAbrdgQ3aQsScv5ZQJKURH20jNJD+3mOHp19D9ohEEc7KwZ35C2YQ7mVkQw5pffqesopRZn14H0kZK8NiS/Iog5VJyWG8PT9wiGHhyGV6XxsJpiQSCkh7jS/B6dX5/PYmb396nt0zxH0BoGoZhsHb1applZRGfEE9ScjLx8XGqd9PAKLFROLG1mub44ufmkxvlp8hVRbmpI/QCZHEB5QU+tDKLAlsn313J5qo8BE1CB9AoqzQYNyaB2+9uxdMfbKZZcpBzu74E6UcRWNyIL+98lmmZt5GZ3JlUt8k5d/Xjxluerq6CbeOybLYV+fAkCx54JpYrJ0t+/LQxMsoDLkG0R/D1563weiBBl/gqVWuh2DkaYFsWRcXFpDdqRDBoYP6TmHTFv0aJjQKJRAgdw1dOYXYhK+wAhcU+goaO1HORZcuxCqIhaFNoaiyzfCwnD03IWkcJGkGm/1nA1AfX8OikF6jo3Bp9YQZf3f0cU/MvZvVGHeubGRgVNm27uBC6Ub23BJcNRZU+yss1mqTD8dcInhu0mU33fseGRgZFvkoMj5+NhSWMe+ZqYuKjGv5mKf7zqGCSfYMSGwXgDDcEfOWs2ljA6kCAomINn6mDno+sXI1REIXttyg0dVZbPjZQQC2twUYQwKW76d8hj4sGlODelsgHd7/MnXkXsUU0I9VVipUSRdBr4fXoSKrFRgCV5SZ9O3m55Q5J4yaSaT9C2zkmk2O/Iy41m6QqsBINfvqmlMK8C3C5ldgoFP8VXGog4uAlsgyFBF3TqKyqYHl2MWvLAxQVSIKmC1PLB/8qzAIPBG2KDI1VVpANFFHT+ksgkfgxicO98SV+/qKIWUvn81H5hWzVmxAdKCVoSGzDwghaWFKCHozs73ZBYWGAI8c15siv4ZrHLW7tJ7jtgvb8+PC1bPhrPb4kg1LTR5PzKshsk0xweVmD3i/FfxO5k3+Kf88uLmejejYKx2NM1zQqfFUs3VjI+qIqiuNNDOnCEvlgrEYWu5AGlJiCtRhs1UpIrtm1kTbCJdHtAL8v78PFohWb7U64/MWIQAmVARs7YGJbFsFKC6EJND00di6cNV+0GtY1wzrojB3t/D78ygHAgFp1NoGAr2Dv3hiFQrHHUGKjAMC2TVZu2EaCO8i64ji2+suRwQCwHsxcqBRYWKwCNgdtKqkgq6wKw3CGwqQ0WbU+j27NDD74/Ho0zUSYFZh2FqYUWLaNtCWWlOguCMhy8otyMQwD27bwaoLsbZWceP8SNFuSmih5/XaJSwMraCJtCdKZXwKJ39ZonOrFMAwsW2IrBwFFfaiQs/0GJTYKTAu6d2nB0eNPxGI8qVIibQuwQdrOT2ycTrGNJiSm38/oMb0i64R065JBm1ZNuf3xJXg8QRCG808LgmaACJXpQTSXQVlxAZPGjwnt78brha9v6kpOJbg0MA3H1QDYrn8uAV1AZqzzWi2QoNgZmqY5OWSKfYoSGwV+v8lTT93DiCGNai30JXbg5CxxInqCvp+5445vnW0FHNbFi23XfJiss16ArD6elpCOtW0zd9xxR3WZBq6d9VBqviXBsKR6cFXsHCmprKzEpe9f7uAHI0psFAgBlmWTl19Z5wlw5y25EAJddzKxbRvyC331bFVjEZw6xUKAXqMRsGynHuyisb4KYVUo/jsosVEAcN9999Vq+BWKA4VXXnsN07L2dTUOepTYKADIycmhadOm+7oaCsWeRUps21a94P0AJTYKAFwuV2SyX6E4YFCTevsNyvpUoVAoFHsdJTYKhUKh2OsosVEoFArFXkeJjUKhUCj2OkpsFAqFQrHXUWKjUCgUir2OEhuFQqFQ7HWU2CgUCoVir6PERqFQKBR7HSU2CoVCodjrqGWhD2LqW87VtiWm6ayY6XZrylNKcUCiloXec9S3HHT4p1oWWrFDNE3g8ew992cpwTQtNE1D1x0hM00b25YITeDSNcL6Zhg2QoDLVbsDHhbDcLll2ViWBAFaaNkDIULCGVpq2qVraGo1T4Vin6HERgE4DTPAokXbeO7luaSkRnPemb3JykpCSokQIuRpKAFBzQ7PjsrrQwhwu6vFTLK9mIRxu+svr7u9rmvUtzqCpgk8Wv3CKUPr6SgUioZBzdkogOqGNyUlmn59mvHRh0tZviIfcBZGC28jhCMoNc10a5bviLCY5eVVctIZH/DO+4ucfYHb7vyJYcOe4YKLP6Oy0gAgEDA55/xPmHL555SV+gFHmEzT5pIrv+KOu3+OHPuFF+dy2OEvMPTwF5h86eeUljjbT/9+DYcNf4FhI15k3vzNteqhhEahaFiU2CiA6lUvmzVL5MzTetCnZ1PcoR5EePhp9ZpCli3Lw+czajXWa9cXsWxZHjk5pfUeO9yLME2be+7/lR+mr2FzThkAjz05k/nzNvPKKyfSqkUKl1/1JQA3/G86zZolsXplEeWVwdCB4I8/s7ENi9mzNrFtWzkAM2flcMYZvfn0o9PIz6vk0SdnkLutgkce+5OHHjiKqbccwZ13/cLG7BI0TWDZkuISH36/ucfvo0KhqB8lNopaSCnx+00qK41I78WybJ56djannv0hU6Z8ytnnfUJefiWWZfPo439yxv99xJQpn/Lks7MAp/dQs+cTHoZ74qlZgGTy+f2xbUkwaDHjz2wunTKQ5JRYfvp5PYuW5LJpUxkPPziGicd3JjHeGxE7IWDZsjyOGN6GPn2a8uvvGwGIi/OyanU+P/60hvh4LyMOb83adUV4PTq9ezflsGEtKSiuYvHiXAC2bqmgcav7efzJGZH6KRSKvYuas1HUQgiBpjkT7FZINH77bQNvv/MXM34+H10XnH7Wh/z88zqymifx0UdL+eGbs4iKrl54re5EvKYJ1qwtYvnyPJ5/djz33vsbyckxeDw6uiZYuSqfl1+dz8D+zVi1qogtW8tp2jQBv8/AtGxkaOhr69Zy1qwt4szTe9KlSyOeeGomJ048BIB58zZTWFiFz29Q5TNp2zqZKr/FRRd9hCc6hm25FZG5osRED/fcPpLBA7Ia6K4qFAolNort8Hg03G4dr9eFELB+QzGd2qdFosf69W6KZUk2ZpfSpl1qLaGpS3gI7e57f2H696sZc9zrLF9eQJQmyM2vICrGzXMvz+XDd04mNSWGM8/+iIyMWISA6BgPbrdGdLTzNV28JJfnX5zNwmXb8JUHKK+q7n3dcfsoBvRvxvsfLObNtxby+isTeOOVCUyfvpKMzEQWLtxCSko0APHxXq64ZFCkjiq8W6HY+6hhNAVQPeFfWupn+YoCNm8tY82aArZsLWfI4JasWF3At9+tYfWaQj79cgUZGXF06pjO/Llb+PLrVaxeU0jO5rLtjhtux+++YyTffX02904dxaB+zTn00FaceXoPOndOp2e3xsTHubn7vl/IbBxPi6xENm0uY+XKfDZvLWfZigIKC6uYNm05l1w0gEfvH8PTT4xj6MAWfPzJMlwujV9+WcfSZXnMnrOZ7t0aRcKex43rwrp1RbRulUL3bpkA5OZW0Knn4zz/4tzQtathNIVib6N6NgoA7FDI2S+/bOChJ/7AG+vi9dfms2ptEffeOYp77hrFjTd9i7AlF186mBHDWwPw0ANjuPvBX7F8QfoPbsm9d47CMCyEJqjZX8jMjCMzMw6AUcPbkpDgpXmzRK66fDBT7/yJE054g3ZdmvDo/UchhOCe+39lyeKtxMR7uOF/33LqyT1ITY3lzNN70LpNCgCHH9aa1WsL6d6tES+9OIcvv1pB3wFZXH7JIJCS++7/jTmz1jFsRAdeeG48uu48W7lcOod0ziA9LabhbrBCcZAjqiz1WHewYhoG8V43AwYN4sP336dZs2Z79XzhfJzwsNU/zXUJ90TU8Jfib5GSlq1bc9Kpp9GhY0fatWtPu/btSUxKRLV8ewZb2sTqGvO2LqHPHV1568IPOaXbBMpNE5dW3Z9RPRtFLWxbYoWy7sFp0F0urVa5XiMbP1xuWRKXS+PTz5bzwvOz0GM9SMsGAbYpueV/hzN4YBZSCixLIkR1IEE4CEDUyP43TbvW8JamaUgp0XURERkn6s1JJg33zML1hepjhJ0JamKYNromlKuAQtFAKLFR1ELTBFo9Wfd/V+5yOb2UIUNa0LJFIkLXCOkASEmb1qmAs0040CCMS9egzqHrdxXYPsotXKbXYyGwI2cCIJJD9E+xLEdkw+K2o05WWBB1fe9Oj5qmHfosdi6eliW3u/8HCmHbI00TO/3sFfsGJTaKPUK4sc1sFEdmo7h9W5kGQNdFvQJXl5qCuDf5u8bVshxbRF3XQj1UUUt0DMOq1StsaCzbwpIWAoFLdyEQ2NLGtKsTb3VNRxd6rXKX5kIT4bk4JTD7M0psFHuUap+02hwo8yvhBNU/Z2Tz7dcriUmK4pwzepGWFht5r+Z269YVs3FjMYcf3rrW+393Dvj7e1ZzDuyrr1fRtm0q7dul1nseR1gEs2dvol+/7efmavrVhbFDQ5t7+6OTUjpCUqd7qwkNj+7Zbvu65RKJbUneeOcvVi3bSq8+LZh4fJe9W2nFbqMeBRR/S30TqTuaXK32Sav9b+/WT9Z5XX95fdvsLmFvtbfeXsSqNUVkpMXWO0QWNi6dv2ALL786P1K2K9S9Zzu6DifAwtnuqWdmMXNmdq1z19zviy9Xcve9v/LZtBU8+NDvfDZtReQ907C59n/f8dxLc2odX9P2rtBIqkX1jflvctTLR3HOR+dRHgzZEOXM5Iz3z+SENydx5MtH8fGyTwBYkb+SE96exDGvHctvG34jHPeYnByNZTn3Ivw5qRiA/QclNgrAGegJT/aXlPipqjIoLw9QXhGMNDi5eRVs2VIWmeCvqAiGJuGdhs/vNwkEGt5vTAhBQUEVGzYWU1hUFamvEIKKiiBbtpSxdVs5liUpLfMTCJiRbUpK/QSD1m6fMzExigsm9+fsM3qRnBwdOd+mzaVs2FhMZaVz36KiXGRmxlNS6mfLluo8pEDAxDRttmwtp7QsADhDWYZh8dIr83nu+TkYhoVpOvNC5eUBNmwsZmvID05K0DQoKqpiy9ZyoqNdxMd7qfIZlFcEIqJfVh6gqsqgU8d0LNPmg2nLKC0L0KlTWmSphmeen82zz85m1YpCLMvGMGwMw+Lqa79lztzNGIZF0DSoMioj9belTZVRhS1tCqoK2Fi8kZzSHGzpHNOwDSxpUVhVyLbybbWGwyKElODLlV8xfe13XHfYdfRu2pMrvroCiWTRtkUkxiRyz5i7eOyYRzi05VBK/aVc+uVlHNF2BFOPuI27fr6HlQUr0XWN8Ud35H//O4IWIadyxf6FGkZTYNsSt0cnLy/AjTd/zYaNxfh9Jm6vi+TkKN58eSKffbGcBx75g2gdOndtzGMPH80NN00nJTmaqbcOp6TEzwUXfcaVlw2mf/9mWJa91yfFw5PBK1cW8OCjf1CSX0pUYiyXXzSQ3r2bsHDhVq6+/lsqy33EJETx7msn8uZ7i3jr3YXM+Ol8Zs/dzGVXfMVrLx9P587pSCnRtF2rs2XZ5OVWYJp2ZIjq629W8+pb85F+g+at07j5hmF4vS4WLtzK5Vd/xfxZGznm2EO46/aRXHHV16xdV0RFIEhVhcGjDxzFsENbOsc2JUbQigxtbd1WzsOPzWDD6m0Q7eXMSd0ZO7Yj079fy5XXfU18opdVS/K48Px+/PLrBi696ku++uQ0UlJiOXzkSzz1+DH4fSYVlUGOHtUOIWDR4lzat0vjiy9W8ueMHG66/jBy8yqwbIkndN6C/CoS4j243To5FTmc8d45PHzUQ/Rs3IMvVnzO12u+5Z5Rd/P0rGdYmbsKv+mne5Nu3HjYDfy+4Xeemv00whasyVtNj+Y9eWb803g0TygHq7r3tiR3MR0zOjKs9TA6ZHTg1fmvUx4oIzEqEaQktyIPKW3S49KZu3kucZ5YLuh3Pp8s/4TleSv4dcNvdEjrgGXZbN5c+o8eHhR7HyU2CgcpiYp2sXRZHjffeBhPPzeLY4/pTE5OKe+9v5i331vE7z+eS1ychxNPeY/vpq/h5BO7cu/9vxEImMyZuwlN0xpMaABsKdEQ3HXvLxj+IIce0YFpHy/h3od+461XJ3L1dd8w+fz+TJjQObLPFZcMpLCgkvMv/gxpSp57ehxdumSE5ie03aq7rmuRSWlflcn/bpnOUWPakd4ojvvv+5W+vZvSvFkiuXkVfPDuSZiWzeijX+PKy4Zg2ZJWrZJ59qlxPPDQ77z1zl/ExLiZ9tUKZs/ejC1tthVUcPSRHZg5K4c5MzcyYVI3Fs7ZxI23fc+gQS2YeuePPPXIWA49tCWnn/UhBYVVnHRiV67fMpT/Tf2BOK+bu24fydAhLQAYObIN06evYeTItgCUlwf5/MuVPPf0OKZ/v5ayMj8et84nny1n3pwcFi3fxr0P/UabNimcf9ogejbvyk9rf6Zn4+58s+Y7hrU8lCRvEmf2PJNPlnyKz/TxxsI3uGrolbg0F8W+Yr44/XOiXdG8vehtqgwfUdFRTq9DVM9rdc/sxkO/P0KFr4qiQAG2tLGlja7pzNu8gAp/FQErwOVDL2Vb5TaaJDThiZlP8Gf2DCZ0PZbN5Zu3+zwU+x9qWeiDmJqfvRACw7Bp0TyRpMQoEhOiadkyiQ0bilm7roiunTOIi3MmZQ8b2oq8vAqOHN2WtLQY5s3fyg8/rmPi8Z1DDUgD1F1KXLpGMGhRURkgq0kCpmFx3LGdGXJoa8rKApiWzbBhLSP7hMN+LzinL936PsWRR7Sld+8mkR4S8I9Fcv2GIrxROklJ0ZimzZ23H8ERw1szc9Ymxh7dgaTkKEpK/DRtnEBBQRVer4tJIRPR1i1TWL2qACkl8fFevFE6tqURH+/F49HZlltBZmYcpmFzyCEZnH1uH3JzK4mL9dCte2boflTHvJ1+Sg+efm42vkqDl186Hqieaxo5si2GYaHrGo8+PoOPP1tCSaWfZcvz8VcGMS2boUNbEB/vxe3SiInxEB/nQQqLU7qdwkuzX2VJ3lKqjEpGthlJYVUhV319FZ3TuhDriSXeE4emafhNP4e2GIomdKSUnNLtlMi9Cvdowj+PbD+GxOhkZm6YSZfGnVlVuJoYdxyVRiWn9TyFi/pfFNm3qKqY71f/QJwnjrdOeJM7fr6TGPffO0HIHfxT/HvqLi+vloVW7BKloTmMiooAPp9JeXmQkUe04bGnZvDnjBzatklh2pfLOfvM3sTEeOjXtxmvv7mAioogt908vEECAsBpqCzLxuXSyEiPo0mzxFrmmsGghUvoPPfCHM47tw+madMoI47iYh833jKdZx4/hmmfr+CFF+dy1pm9APj4s2U89+IcXn72OJo3T6wlQn9HVlYScbEeBvVvzuDBLSLuCLYtWb++mNy8Cr7/YS3FZX5at07C7zPYmF1Cu3apfPz5Mjq1T6df32b069uMhJgoggGDSy8dCMDPv26gsLCKKy4ZGDlfeXmA0rIAM2ZkExfn5dNpyzlh4iH4/SY33DSds07vxcYNJdx403RuuelwPB7dWcvHsnG5dISAM8/owehRbaj0GXz44RJycso4aVJXenRvzNFjOrB0WSGXTh5Ahw5pAKTbfXlde5Mn/nySLuldSI1J5c/smawrWsc7k95m+prpPDvnWYQU2NgU+gqdIADhzOG4NBeinjBwwzLo1aQnA5sP4Kbvb2JA1gA8upuAESC3Io+g5axn5NJc9GrSi5SYFE485ETWFq3jqxVf89yxz/yzL5GiQVFiowCcnoLHLejSpRFJSVF07pRBWloMzZon0L9/M/6XMIxLr/gcHZg8ZSAnTjwEKeHkk7ry3U9rOHZsR6KiXQ263LITLSV4+IExnH3ex/Qe8DQAU28ewdijO/Dyi8cx+dLPmfbVcmJjvbz3+om8/s5fZGTGcdKkrmRlJXLz1B8YNDCLLl0y6NQ+ne+nr2HxktxdEhvTtAkaFi5dIy7Ow8MPHMU5kz/BlpKEWC8fvH0SrVsls3p9IeNOfJtor4snHz3amYsRgjvu/JHHHv+DAYNbcN01Q5xgCyAm1o3Ho2EYNgjJVZcP4tobvqV3nyfApXPGqT247JJB3HjtMG65+Tt69c/ivLN7k5kRyw8/rWVbXjkP3X8kubkVnHHOR/z08zrGHNke2649RJjVPJGs5okAlBX7ydlURo/ujSNBH82zEqisMpwgBU2ga4Lxncbz+J9PccOw65FS0rNJd0a0Gc6AJwfRr0VfRrUbiRCCpKgk2qa0RROakzujubBsKxJAAE6QgSY0tlZs5fIvriSncBPn9D+byf0vBKBxfGPcuicS5iylJCM2nUePfoSrv7wanxHg6kOvokfjHkgpsSyJYaj5mv0VUam80Q5aTMMgoQG90fZnli3P59kX51CQV8lTj48lKSkK2D5cOTync8P/pjNmTHsODc2H7C4XTJ7GWWf0ZODA5v+67v8UKasXuQuL6q7mAu1vhM0qKisNLrpkGi+/cBy67lgctWrdmknKG22vYUubOF1j7tYl9L2jK29e+CGndptAmfJGU+wMy5JoGti2E1pbncshQ1nobGeLErZt2Zc+Y5ZlRxqPsH+alI6bdbg87PEmpbONlBLTcuZ+BM6T/nVXDiE5OfpvG12fz+Tyyz5nwNAW3HTtMJo0ScC2ZWRuBOHY8EhJLa85KSVut055eZD8gspI+HHNie3wMWrf47APXPX9D58vXM9wIJ1ty1BDC5bteMDVdy01EzZ3dM66uTZSSqdHommRITFLWtX3SzqZ/lJKJBJNaFjSQhc6L817ia9XfEusOzYSBOBxebjx8OtpndwaW0p0TYs4AoR7QeHXNetgSacHo6GhaRqWafPAo3/wwzfLsIVbed7thyixUdQibGESdmKpbmgELlf9f8ANEXn2d9SfWLl9ec1GSAiBO3RNnTql06lTOlA7WbIu4dDo664dwvHjO6K5NZKSqvNs6t4jIWoLSVj47rtnJElJUfVGT9XXUIbDq+tut+NtQ+fexc9mZ8epiRACXdTO9NeFXl21GjlOYTHSQul8g1sMISuxBS7hIpzSqQuNjNiMkINAnTqJ+usuhAgdo0YdNMGYke3o3yuT5lkp1UEIO75kRQOjxEahIJzQ6kSr7eypOKxBjTPjaZwZX+97OyO8TfPQXMnBQLjh75jWgY5pHfbOOTRBj+6ZQOZeOb7i36PERqFgx72EHVHffMfuEF4a4T84PfKPCQ+t1WVHPZjdxZYyEmurhtH2P5TYKHaJhowy213q1m1X6vpvric8zBbeP3ysnR0zLEw1rXQONmoOre0NNCHUuNl+zL4fbFfsN4QbxGDQwrYlpmlHJrCFIOKXFib8XvX+EtOqXdYQCAFVPoPiYh9+f7XvWVWVU1Zc4otsG/ZuC29jGFYk8GF3zucPmBQX+6iqMmoIiDMcV14RoKIiiG1LgsHw5DmRReHq3jeF4mBAiY0C25Z4PDp5eX4uufQLjh73BiNGvcKRY1/n5DPex+cz+XTacgYMe57DD3+eiy//Ap/f5Kprv+Hu+34BoLQ0wFn/9zFz5jjWIVYDiE44gmrjxhIuu/IrzjzjXc6/eBrLl+cD8MBDv3PmuR9x+mnvcctt3xMImDz65AyGjngR25bMnbeZIcNeZPny/Ejk2s7P5/zMz6vk2hu+5cwz3uX/Jn/CnNmbANi8uYyJk97l8CNeYviRr7BhQwnvvL+YPoOepawswMYNJQwY+jyzZm/aLkpNoTjQUWKjcJASb5TOjDk5XHh+X9wenXFjO9KuVRoffLiEx56YwfdfncXcuZewaVMZ06ev4dhxnZg5cxNBw2LBwi34/CYDBzQPJUM2jDcawG13/IThDzJuYncKc8u5eeoPAFwyZQDjxnRg5FEdeef9xaxZW8R1Vw2lV/cmXH71Vzzz3Gzuu2c0hxySEZlDCSc01nu+kNrc//DvbM4uYdzE7rhsybX/+w7bklxx9VcMGZTF3JkXMfv3C2jdOpkzT+vB2DEdufqGb7n7vl+49X+HM3hQVoOs3qlQ7E+oORsFEPJGMyWtspLJbBRPakoMHTuks21rOcuX59HjkEwy0mMBOHJkO7ZuLWf44a1ISY5mwYJtTP9+LceN6xRZR2VvT9DW9EYrK/eTFO9hw4Zi+vdtyvAj2uH3m1x97TcgbZpkJeL1Vn/Vr75iMJ17PMHYI9tz2LCWtZwCdlRvKZ0QZiklhYVVeD06GzYU06Z1Cmf9Xx9My6agsIrx4ztH6ucsAyC46rJBHNLrSVq3TOK5Zzrs9DwKxYGKerRSVCOhoiJAMGhSVWXg9xtUVhr06d2Uv5bmsmRpHn6/yedfriA2zkNcnJfevZrw7nuLyM4pYfy4TvXmtuwNwt5oui5IiPfSq3cz7rx1BLfccgRDBrUgJ6eUP2dm8+wzx3Laid0pLQ2ga44FzB13/8yjDxyFbcN77y92Ll1Kpn2xgoknv8vWrc6aMZEETZz5FmduR5CcHE37jhnceesIpk4dyRGHt8Ht0Yn2enj11fn4/SYVlQbgzNHcesePXHf1EFq1TOG5F+bUTv5UKA4SlNgogPCTu6BFiyRiYz1kZSWSmBhFSmo0AwdlceXlgzjl9PcYMuRZjjqqPSed2BUp4ZSTu7F8dT5DBrcgJtbdoBYgmibQdY2HHxzD19+uplvvJ+jW50m++HIlrVsnM2Z0e/r0eYxb7/qJ/n2bkRDv5bGnZqDpgnP+rxcXnN+Hx56aybLleQghaN4skY/eX8z8BVsAthOEcDb93bcfwao1hXTr9QTdej/Ba68vQADPPzue+X9tZcjw5xl+5Mts2FDMG28vZFt+BVMm9+eySwfyyuvzmTEzJ2KKqVAcLChvtIMY5Y1WzZq1Rbz6xgKWLc3luafHk5bm2NYfjCHKBxRS0lJ5o+1VlDea4h8R9tqq9gYLv65e0z685HDtffZtw1x7yEtEwpBrommi1lxKOAJN1zUqK4NI4KH7x5CeHvu3js/1na/mPao+X/UcVvj3mjk6CsXBghIbRS3CDWy1cDg/HXPHHfmF7fuWs7461FdWs6GvOb/UvVsm3btVL0T2d9dU/7HrE1wJototQPWUFAcrSmwUu8SOhOZAwbadhFSXru2SeJq2iS0dt2u35gacBcLCPRtd6Oiavtez5hWK/woqQEDxt5imzew5mw/ohak0TeBx67skNLa0cWkuPLoHt+aOCIxbc+MJLfYVttnPrchlSe5SgHp9wRSKgwWX+vofvOzqZ19VZXD1td/wyYcnk5oaE1nrBvYPz7Rd8UarWbYrXmY7QxMabyx4k1/X/kKPpj2ZMvAiAJ6Z/SzLt60gYAUY32UcR7Ufw+8b/+CLlV/wyvEvO6IkUD2dfYis80/x75F1ftYsr1mmejaKeqm5GJkQgkaN4vB69dB8RvV2NRvwfUVYOGr6uAG1/N1qikrNOZvdwbKdnt2bC9/irUXvcHibw1lTtJZH/3wMgNfmv0avpj05tNVQbvt+KqsLV5MUnUhabFrofGpITXHwosRGAVRHUZUU+zjvwk8ZMeIFhh/5CouX5BIT46ayIsAdd/9M794Pc/rZH2GYNitXFjDl4i+YMOkdevd+jIknvYvfb0ZWw2yoOufmVnDBlM84ZuzLnHX+J6xfXwzA1Dt+4pjj32Ds0a9y932/YBgW9z74G0eOew2AxUtyGTLsRZYsyftbbzSJY8FjSYvPV3zOFYMv5ZSep1DoK+CzpdMo9BXSMrklA1r0Z1CLgbRIbk6UKwpd6KwrWs/kT6dwyCPdeXr2MwCRlSYVioMFJTYKgIjz8Xffr2HTplIeeHAsP317Nl0PaYRhWGzZVk77tqnMnXsFC//ayooV+URFuZg5O5vrrh7K3LmXMqBfM7ZsKQvNe+x9tbFC4cc33/YDwrI59ay+lBVWcv1N0wG49JKBnHZid447sRuvv7mQ1WuKuP7qoTRtnMj/bv2eJ5+eyXXXDK3ljWYYVr1CKaVEIMivzEfXNYJWkPM+OQ9NaDRNbsKWsi2U+8u54KPJnP3+uWQltiDaHQ1CsDxvKdcddg1PjH+Udxe+CzirV6o5HMXBhBIbBVAdbXb4sFb07d+c51+cw7XXf0N2dglCCFq2SOa0U3sgJTRtHI+uC6p8JkOHtKRD+zQ0TXD1lUNo3ToF2PshvmFvNMOwKCquorTUz8zZm8hqlsDZZ/YkGLS45dYf+OSzpSxdnhsaanOa96k3D+eRx/6krDTAMWM7YFkysnia263vdHgt1hOLJnXu/fk+xncaz72j7sFn+Il2x5AWm8K3537Nzxf8QLGviJ/X/4xpGRzTaRwtk1oS5Y4mOSbJERk1mqY4yFBiowCqxSE9I47bbx7OIw8dxYKFW3nx5bl4vTpVlQbl5UEAfP7qEN+KigDBUJSaaVq1khr3dn0ty0mQ9HhcjB7TgScfPppHHxvHkaPasXFjCT/8vJYPPziVay8dgt9voWvOjMmDj/zOvXeMwjQlX3+zCl13kj2/+W4151z4Cfn5lUCdBE3hDKHFe+JJjUmhZ5OejO04ltcWvEaCJ54WiVkU+0vIr8zHkhZB26B5YnMASn2lSCSWbRGwAvVdjkJxwKPERgFUr63y4UdL6dH/aUaMeonktBhOntSNYNAiPSMWl8v5uqSnxeJ26bhcGikpMbhCiZG6rjVo0qIQjhPzww+M4c13/qJrryfo2usJPv9iBS1aJHHokJYccshDXHL1V7Rvm0pcrJcHHvmdomIfl14ygLPO7MHNU39gydJchBAkJ0bz8nOzmR1Zk0fWOZ9zbXeOugPTsuj+SHdmZc9h6hG34dbd2BImvXky/Z8cTOf0zvRu0huAlJgUBAKvy0taTFqD3R+FYn9CVChvtIMW0zBIrOONJqXEtomst7Kvw5p3h7BgOoaZIlRW2/mgPhsaKSU5m8p478PF/PzTel587lgyM+OAnQ8HWraFrum1ymxpO/euTrliH1HHG62t8kbb49jSJl7XmLN1Cf1qeKOVKm80xc4QQqDrEJ5UkOz/0wvhfJn6ljao63xQU2hqhnbn5VWwMbuUB+87ksaN43fqjSZxggXCghJ+Dc5w235/wxSKfYASG0W9hA05/ws9m12pY33iUXO/Pr2b0qd3U+DvvdHq5sqo3BmF4u9RczaKegmv3XKg8Hc2NLYtCQatiIO1QqHYs7hUqP9BzA4++0DAZOWqAlq2SCYhwduwddoL2LZk6bI82rROISbGXe82mibweNQ8ywFLTe8U5VezZ6nrV1P3PodQPRtFLaSEdeuK6d77SX75dT3gJE/adf5Vb19/eUNTsw7huRjbtrFtSWVlkLPO+ZjVawqQUkaizBzXANXiKBQNgZqzUdRCCOjYIY0/f72Ajh2cMF19Z/MX+8m8Tv3r2TjPUnFxXjIyYiOh2XqoA6PWl1EoGg7Vs1EA1WHDv/62gUNHvsStd/1IdnYpAJVVBv937idcePE0+vR5jIsu/ZyqKgOA779fy5ARL9KnzxNcdtVXAA3ujVZS4ufCiz9n1KgXOO+iT9m8uQyA76avoVufJ+k79FkWLNpKQpyXhx77kwknvwPAqlUFjBj1CkuW5IXqvWNvNIVC8e9QYqMAqsOGBw/K4vOPTkOYsC23HHCirf6cmU3nDun8+OOF/PLLBjZsKGbFygJunfoDjz9wFL/8cgH33DkSaLjggvBw2E23fI9bSM69YCBlxX5uuvV78vKruOnW73n2iXF8/8WZtGudSnllkEsm98el69z7wK88/uRMzjm7N506pWPbdqQnpFAo9jxqGE1RC13XiI31kJAQhRAiEqXVuVMGF5zfF6/XRbOm8Xg8Ogv+2kanzhn06tUEaNhlBqSU6C7HGy03v4JAZYDSb1bhdQuOPbYzCxdupVmzRAYNzAIpSYj3EgxaeDw6D94zmvaHPMb4sR055eRuobBoJTQKxd5EiY1iO9xup+GNiXFHeimBgElFRRCXSycYtDAtm8xGccyetYm8/Eoy0mMbdO6mpjcawCmn9eKkE7tG3p87bwvZ2SXYtuSHH9cxd8EWYmOdSLRnnp/NLTccxtx5W/j9j40MGdxip0mcCoXi36Me5xRA9ZzNx58so++QZ5m5IIfzz/uYq677hkDAJC7OG2mM4+I8lJcH6N+/GWec3pMjxrxK335PNficTdgb7YF7R/PkMzPp3udJuvd5ks+/WEn3bo04bFgrevd+mPc+XEK3zo3wuHUeeuwPVq8p5NprhnLKyV2ZctkXLF2WH+rFqTkbhWJvISpM5RB0sGIaBolRtb3RgkELn8/AG+XCDFoIXRAT7cG2qz3GLMtGCBERn4qKIJZl43I5Q3D7AsOwqapyXKmjo92RnJmyMj8xMR5cLg0pwR8wifK6Ir0wv9/E7dbqtbpRHACEvdFOCXmjtW9Pu3bKG21PYkubeJfGnC1L6HdnV9684ENO7T6BUqOON5q63wcv9X32Ho9endzorf6i1PQYq9swx8XtG4EJI6Uz9JeYGLXdewkJ1WVCQHSUK7KPEBAVpUaSDwbqy+dUbd+eYRdzOtUwmuK/zz+ZK1LpNQpFw6LERqFQKBR7HSU2CoVCodjrqAFrRS2cqDQRWSrZsiUuXavlKaZpTnBAtbeY3OmaMg1V73AdNK160bdwOTiRa06knLMwnJTO+/9kkbiaxw3vX9MfzrHFcfKUbCkjq5mapo2uC2WTozjoUGKjqEVYLJyGW+AKBQYIIXC5tl8Pxgkc2PcN545Erm65E0EXviYiS13vifOFRXi7shr355+eT6H4r6O++YpIjwBg8mWfc9sdPyIEfDt9DSec/C5VlQaLFm9j0GEvMGDA09z/0G8ArF5TyB13/cwZ//cRAwY8yUWXfr6d8/Lerbdzkqoqg4sv/5LRo17goss+Jz+/EnA8084692MGDH6GI8a8Sn5eJY88MYOzzvsYgA0bihk7/k2WLt01b7TwNVmm5IabpzN61Aucef7HZGeXAPDwo38y6pjXGD36JR546DeklLz82nwmnvIulmVTUuLnmOPe5M8Z2c5xLJXXozh4UGKjQIhqn7HLLhrIz79t4O13/+Ltt//ivP/rQ0FhFRdePI0H7hnNJ5+czjffruHrb1bhdmm89/5iJk08hA8/PJ1or4t164pCQ2x7X21qeaPpcMFFgygr9nP9TdOxbcmUSz+nTcsUPvnoNF594XhSUmM4+/SeFBZU8dSzs3jsyZmMPaoD7dqlYts2UgqChrVDoQyLwz33/0pBbgUXXDSI+Gg3l1zhJLOedWZPJp/bl3PP68877y/mz5k5nDjhEFyaxgMP/8FDj/zO0MEt6d2rSShvSf35KQ4e1DCaAqi26O/YIY3bbjycww9/hgcfHMeokW159rnZdOmQweCBWQBMPK4LeXkVtGyRzOGHtWLYoS2Ji/Py0ANjtjve3kJK0F0apmmTs6WUkvwKcrZVYFb6GXVkD4qL/WzZWs6jDx1NenoM4IhTUlIUTz92DO27Pcb4ozvyyINjalnV6Hr9C6hJSWSeJzunhJUr8yiuDGKUBxg+uj0Ar72xgA8+WkzzFskUFvuQtiQuzsOzTxxDpx5P0r5tCr/8cM5evS8Kxf6KEhsFUD0kZRo2n32+gptvOZJZczZTUFBJnz5Nee3NBfj9JlFRLn7+bT0Tj++CpgkMw8Lvt4iLq55sbwiEkNi2U28zaDPl4sEcO75T5P2qKoOy0gAzZmUzbmxHoDox9fW3FnLVJYNYviKfhX9tpUf3xkgJM2Zl88NP67hsykASEry1hhfDAQBCOJP8J5/ck8kX9oucr6jIxwsvzuWveRfjdmt07fVkJFjg9bf+4sxTu7NmTRG//b6RoUOUF5vi4EP14xWRYACACy+dhi0lU28bTqtWyZx8xgd07pjBpBO70Xfg0wwa/AzNmycyelQ7/AGzVuRXwzaezrncbp177hzJvQ/8Sp+Bz9Bn0DN8+eVKYmLc3HPnSG6d+iODDnueI456lfz8Sh5+7E9mzs7hlpsP57hjO3H62R+xbFkeQkBlhcEtN37NH3/ueE5FCMHtt47gg4+X0GfA0/Qd+AxvvLWQ2Fg3/fs1o3fvxzjm+LdAOu4Fr7+1kI+nLePm/x3Geef24dwLP2XGzJyQkaias1EcPIhy5Y120GIaBkl1vNEKCqtISY6OzLsUFFaRmhKDpgm2bCnDtGyaN0tynvAtGyNoERXl2uehvGVlAUpK/QCkpkRHPNqKi32UVwTRNEHjzDjKy4NER7vwhqx4CgqriI/zUFlp8N33a3jq6Zm8/soEWrZMQcod9z4qK4MUFvkASE6KIj7e6yx3kFtBdIyb2BgPbrdOZWUQl0sjJsZxnC4q9hET7VY2OQ1FyBvtxFNOo2PHjrRR3mh7HFvaJLg0Zm9ZQv87u/LGBR9yWvcJlNT1RtuHdVTsh6SlOvMb4d5Oelps5L0mTRIiv0sJLl3DFb3vO8dSShISvCQkeLcrT06OJjk5OlKWlBQVes8ZGgtf7+w5m3nvoyXcf89oWrVK2ekwl5SS2FjPdqajbrdOs2aJtcrCdQqfL6VGXRSKgwklNop6qa+jEn4SFGL/8hYTwumFSQkI0ER1bhAQKRfUvoaaDB3SgqFDWkRe/z97Zx0fxfX14WdmVuKuJGggCS7FKU4LRQulQt3dXakbhTo1SltoqUChlBYoWtzdCZYgMeK+MjPvH5Pd7IaE0r4l8Cv34ZNPNnfsziTcM/fcc77ndC5Br/NWO5fnOo/3MX/njs4c11rb2ZxZ1nZPAsHfQRgbwRlzPg84klR7KWrP9tr20TQdp9Mok3Cma09nw6iouuo2IIqkuI2IpmtouoaEhCJXRczVhfvyfP69C/53EMZG8J8gN6+MjPQizBYTTRqHYjbXHMJcUmLH6dTc7jQXsixVlVaoRvX6PWcTRVJOEWTQdA1ZkpEll7qDUaG0tNTBwcO5WM0KDRqEuNeF/k0qKpwUFduIivT/650FgtNw7h3ugvMGl1aYw6nh9Pgytuk4HCoOh+qOonKqmjuxEoyQYFe4b13hut6TTy3g+ht+4v2P11JUZAQKqKrm7rPd7gRg2vc7eOvtFTidGhU2p/t4p2rcq8Oh4nRqXovHiuI923FqTjS98rmg49Sc6OiouopDdeBQHaia6t6uaipOzYlDdeDUnLXei47OkkNLmLzxK77d8h355fkAyJLMzsydfL7uc37fO9dwG6KTmpbPM2MXMWjoFKZ9v919z3+Hmn6vgPtZLP3zMNffOB0Au0PF6dQrr6O7/zYEgjNBzGwEQJVfXlFkanq/lyTplNmCqVpOzbnU/fLztTB16jW0aR3tblMUmeo5miaTjK+vGZNJ9upv9XsBY0CVZVi85DBhYb50aB+LhOQVYeP5syIppySFVnd7nRYd0grS2JO9l8N5h1iWtozJI79ka8ZWnpz/FMlhSWw4sYmcimxubn8LLVtEMe+XG/j8843Y7f9s4K/p9wpVv8vY2EB8fIwZk6VyPyPB9fzQxBP87yBmNgJ0XcdikcnJsfHFFxu55fZZPPDQ79x13xyeeOYPAPbtP0n/y76mT5/P+XzSRgDeeGs5P03fCRhJlK+/sZwNG08Af60zdjbuITOzGIejana1Y0cmQ0d9x+Ah3/DttG0AyIpE9slS7rz/V/oM+JI/lx0B4K23V/LKa8vo0/9L7rpvDvn55W515oULDrJl6wnDdaWW8OQfT7H++HoAThSd4KU/XyKrNIuvNn/FyKlXMPSb4Xy6/lMAjhUe48N1H/LQ7w/T5/O+PD7vCXd/9Wq1IiVJ4taLbmXCkHd4deDLnCg2nuW3W7/lkmaX8NHlH9EqpgUfrPqYgooCNE3DblfJyy/72+sqrpnb/v05XH7l9wwe/DVffbPZvf2TzzfQp88X3Hzrz2hARbmDG26bybQftiNJ8P2PO3jg4bk4HJrX+QSC2pCrl0kVXxfWF1Alza/IfPLFBpKTIlm/8Ti+VjMlRQ4WLjzIw4/P55EHe/DZZ6P4/qcdrFiZSnxcENN/3o2uw8FDeaxak0bLFpGVawp1/x5jMsmYzYbLKz+/gmeeX8SVo1py2+2dmPDeatZvOE5IiA/zF6Rw162duPG69rz06lI0TWfpskNs2ZLOZ5+MICuzhEmTN5ObW8buPdmUVjg4ebKM3XuzsRcrOHEwZ+8cAFYdXcWJwhOE+YQxOHEwt3a6hVs73cq0bd+zLXMbZsXM15u/oUNcBz4b9SmlzlL2ZO91R9C5cLnldmTtoMsn3bh5xm08efET2DU7OeW5tItty1sr3mLOvt9oFtWM/TkpyLKMxaLUqNrgcGo4T+NSkyQoL3fw+NMLGDY4kdvu6MzEzzaw9M/DzF9wgJ9/3smnn1zOIw/2QHNqWKwmrr6iFV9M3sT8BSnMnr2X0SNbYDJJbmWF8x2Nc///7b/+RbXvnl/CjSYADHePrus0bhhKn16N2b49kyGDE1mxIpVly4/QtFEYQy8zNMCuHNmKgwdzGT4smXnzD7A/JYf581MY0C8Bf39LpWzNuR19UtPyOXQkj59/2Y3NoRER7U9EhB/79+dwzVWtuahDPeLqBTF79l5OpBdRPz6UO27rQHJSJMOGJLNnTxYLFx/ii8kbSDtehNWqsGjFQV5+7DJu73ITby5+l6ySLFalrWJ48gjMiplf981h2ubviQuOJ7M4CxkZm9NG9wbdGZ48jFDfUD4d/om7j7KHQXZ9To5IZtVdK8gty+Han27gtYGvEO4TxlsrxtGncS++v3oaj85/DLN8+mAA82lcmq6Xi7S0Ag6n5vHLb/twqBqh4b6EhPgy+9e9XDKgGc1bRFFa7mTWnD3IssTQwUlkZpYweNAk5vx2G717N3ZH8AkEf4UwNgI3rhdtm82JWumisdtVmiaE8fPs3WgayDJs3HScbl0bEBHhT4vmkSxYcJB9KTm8/calwLkroOaJySQTHubLbzOv92pfuvQIwcFGYuXBQ3nkFZYTEuKLrcJBdHQAAJu3phMZ4ceYq1sz5urWvPnWSpKSwhk1skXlWeoR6hvMr/t+xe60M6jZQPIr8vlsw+dsuGctZtlCl0+7ouqqewZT4bSho6PpmhFxVgsWxUgUjQmMRZNU6gXGEmAJJMDsz9i+Y/nzyJ/kluaRGNHMHaXmiSRJaKrO199tpVGDYPr3TTjlGpKkAxIms0JQgIXfZ3k/o1m/7CEjqxiAX2bvpazcARiqCTt2ZHLvfb1ZsPAQgy9LchfZO9cKEoLzH2FsBG503TA0mqZjsxn5HkXFNnr3aUR+UQUXdZ1IaKCVlm1iGHl5c3QdrryyFdfeNIPLLm1GVJT/OU0A1DSjmqgkQetW0Yy6vCWJrd8nOiaQqDA/fvj2KgKDrLz86hIW/HmAwoIKnnuytyFXU+Hg6ut/IsCqEBTuz9jn+uCoLDeQm1dGVrYVu0MFdMxmhWHNh/Hob4/zWO/HMCtmrJqVNjGt6DaxJwkRjSmsKMQkm1A1FbtqB3Skyn+6rrvdZp6UOEq4b84D5JcU4NAruKvTnTQKacw9Xe/m5SUv0/uz3iArPN/vGQIsAThVFR3vCEBN0zGZZH6asZPjxwrZteUB5FNmmUaV1aYJYdxwXXsSW71PdGwgYUE+fPXFSK4b04bb7p5Nv0u+JDjIj0B/K6WlDq69eQYXtYvj2ad6Mfqan7jtztl8+fkItxq2sDeC0yEVCW20Cxanw0Goj5ku3bsza8Z0YmPjyM8vJyDAQkmpHX8/CxUVToKCrMiyxN592TgdGsnJkV4RTCfSiwgL9cXX99/P8/grXLIyDz8yj5tv7kC7tjFe2/el5OBwqFjMConNwrHbVY4dK6Tc5iQo0ErDBiHoOtxw80xGDEsiOSmChg1DvVSfi4psKIqMv7/3/R0vPEFsYIwhRopEqaOU1Lw0gnwCCbAEEGAJQJIkim0lBPkEnnZG42J/TgpO1YlZMZMY0cw9a8gpyyWjKJ0w3zDiguPQK40XwGefb0TX4Z67O2GzOcnNK+e5sYsJDrTw3oQhtRoBY34DKQdysdmdmE0yTRPCMZlksk+WkpVZTJOEMJwOjYAAK8eOF1A/PgRFkSgrc3DyZCkNGgSf37MaD220xORkmgpttH8dT220rq+1ZupdP3ND2yvIF9pogprQdSOxMbxSK8wlVOkpGNk8Ocpjf73SRQRxHppp54rc3DKmTdtCRlYzel/cED8/wx2VnBjhtZ/VaqJp03D3z641h7y8MpITI2jd2jBWnq6h6pprLuKD47x+9jf70zK6xSn7hfqGeJ3zYN5BNhzbiEW2uI2GU3PSrWE3kiIS3cfp6G43XIRfOBF+Rr81XUeWJE6eLGXJ8sPM+2M//fo0AQypnomfrUcH3nr9UqM0QuX+1XG1JDYL92rXdZ2oSP9TEjkbNQyt3A5+fmYaNgyp8bkIBDUhjI3AC9fbfPXvxjbjVdCQhnHpj3FOXSiu644a1ZKFC/YZ60md4/Hzo1qUlHTKfUCVKsCN17cjLNyvcpvk9bZe2/15zi5cP7unC8ZZvPZzfT9RlM7SQ3/iZ/JD1zWQJOyqncbhjWkQUt8wSng+Y8nr3K4rFhbZ+HP5ERo2DKZPn8YAmMwyr788wKufNRkar/vweB6G7p1U+dZfdTOev2fXZ8/nLxD8FcLYCLzwLBbm+d34XPPIci4HHFefRl7enJGXN/faVpu8jOd9uD5fc3Xr01yjlvZqSY2SpyWoYT/XYn7vRr3o3ajXaa5X0yzE49yV35smhPH5R8NPOdbp1NA5fUTaX15P8riQV9upnwWCM0EYG8F/ApdUjiSByaT87cHQ6dTcSZxnG03XapStMcmmU6LLTochNWMEGngKiIpQZMH5iDA2Aje6bmT+e+mbSRJmk+w1sCmKhKLIOJ2aW+IGjAFblutGsPLUvp+62uup1ebus6qha2A2G/fkWrP5uwN0bcbN85pms4ymGc/UbFbQdXA6VRRFdoc4/3+QpNrFQwWC8w1hbARAlT++Jj0xVyE1z4FN1099gz6Xb9Sn0/fyalNkUKoW62tThz4duq7XeO6anomi4NZLk6Sa+ykQXAgIYyNwa6Pl5dqYv2Af69YfIzDQis2hEhho4aXn+5Gals+Dj83DUWrn+hs7cN2Ytrz3wRoSmoQxfFgyFRVOPvtiAz0vbsRFHeqdttLlv9lvl9vrmRcWsXdnOsmtY3nx2b74+pp5Z8JKVq87iuTUuO6G9owe1YqJn28gM7OIV18cwMmTpTzz/CKeePRikpIi/rLPVQvkEm+OW8H6NUeonxDBK8/1IzTMF0mC195Yxuq1aSgmhYnvD2XD5hOsXpPG++MHU1Hh5MFH5nLHbR3p1DEOVdXPudKCQFBXCOeuAFzRVpLEO++uIizMlwWLDlBSZOf4sSKWLTvCAw/P4+orWvPii/35bNJG1qw9hr+f2S1wefhIPvP/OEBCQlidZZS7yhu89MqfaE6NG268iOzMUp55fjEAI4a34Mbr2jHqita8+/4aDh7KY/DAZixZeoSZv+zmw4/XERsdSFxcEJpmlBVwOLzLC3hfz3AjfvjROk4cL+KGGy/CJEk8/Ng8AF54cTGHDuXx4vP9ePqJXkRG+tOjWwN27Mrmqylb+OTT9fj4mGnWNLxOjLFAcD4hZjYCoFIbDWjUIIQhlyVx4GAeo69oyaqVaSxecoj42ECuG9MGgNGXt2T//pNcPqI5i5cc5uChPObPT6FP78aEBPvUiTaaroNiklBVjT37sjl2JJfte7Mpyi5ixKg26DosWXqIqd9sIiwuiBMZRdhsKi1bRPLNpFFc1ONThlzajB+nXe113tr67ZLV13XYsy+bjevSOHg0n+KTJfTu3xS7TWXNumN89P5QWjSPdB/j52fmxylX0qHbpzRrEsqfi287q89FIDhfEcZG4MY1oFZUGJI1RtExlfoNgtm6PcO9367dWbRvX4+oqACSkyNYvPgQe/ad5NWX+gN1pY2mo2vG7Ka01M6LL13CoIHN3FuPHMnnsy82sH3z/ThsKp0u/qzSnMLyFUe4ZlRrcnPLSE8vol5lUuquPdls257B6JEt8fExnZJfY/ysU1Ji5/4HenDLzR3c2zRNp7zMyf79OW5j4zp22YojXHZJM7KySjh4MJemYmYjuAARbjSBG103pFmcTs1dPjk3r4y+fRrTsVM83Xp+zrDhU9AlGDYkCV2H0aNa8umXGwgNsVKvXmCdSYC4MustFoVnnuzFCy8t5rJhUxg0bCpLlx4mJMSH8HB/BvT/gquun05+XgW+Pma++GoT30/fwfh3BtG3T2MGj/iWlJRcAFJScrjh2u9ZuSoN8K56WZXUKPHUEz358utNXDZ0CpcNm8LMmbuRZYmnn+zFq68vY9gV3zLsimkcPVrIjFm7mfDhal5/bQDXXduWIZd/x+Yt6UiS5FXlVCD4ryO00S5gqmujxcTEkZ5eRHi4H3n55YQE+1BSYicy0g9Jkli34RhOu0rHjvFe9e73p+QQExNAcJDPObuXA4dyyUgvBgmSEyOJivInK6uElJSTREUHEuBvISrKn6PHCvH3sxATE4Cqauzek02jhiFYrCbWrT/Ow4/OZdrU0bRsEV3L7MPIqk87mkNaWgEATZqEER8XBJg4cDCLjMxiJEmiQ7t65OWVoQMN6oei6xq792RRLzaIsDDf81i88j/k8BDaaGcdoY0m+Fu4XGj16wcDuI1JQEBVPkj3rg3cn10Dsa5DUjX9sbpG03SaJYTTLKFK40vXITo6wF02wEVCk7DK7TqKItOmUgtt6Z+HeemNZbz+8oBKQ6MhyzVN/CU0DRo2iKBhA+/71jRo1jSaZk2rSlP7+xvlDDTdUBBo1bJKT+38NDQCwdlBGBuBF1UCmy5drCrBTU9tNNcbv0voUfLQHqtrDKOne+h1SZVuL91r9uBZHdMVLecSqezXtwn9+jbxOGd1Q+N6HlnI0jJ0zcfQNfO4niyBrlU9J5cxBmMbumF0pJpVbc4xEqAC/iANPNedEfwHMYmZ5IVLTb97T/HHypbKn2vXRvsroce6wDXgn0mbJ66+67pRC6d2BQQNIxt0H+h3gx4DGJIzEoBuzKY8n6muV5rrSiPj7kPl/p4VbTwv6TqPu63avpVR6kavPM57unNU75vs+evVXR9sQINKY+OhKPofo3oZY8H/j9qeZ/U2MbMR/Cu4CpeZzf+bMSeSJGEyncng6oOuxyEp0UiuqvaqZqgxK5KHOKd7moOkyC6TbeyvaaBIGK0SoKGrVQrV7vNolSZGAdkrlsewXprkmoF5nBfPc+C2RlV9M66nqRqyJKE6dWT3NhsQhUBwNhDGRuCFphl6YYCX7pfDYeigudZqXLIsDqeGruksW3aEzyZtZNaMMefEreaqqunZ5xq10Zwauq5XapXpOJwaZpN8xkmoOhqSopKTW8qO3DKCgk10jPZB13SKCpzsz3dQoemoOrRo6EO0LHM0005amRNVBT9fmfZxvjgLnGzLs1GuQlykmaQQi2thh5xcByd0jdZhFmTAUaFx6KSdk3YNhwT1wy00CzQjazrr0sqxaRpKoIke0VYkDZAkjmXbKLFINA82gwZZuU4OFTqwqxr1oiwkBlvRHSovTjnBqFtjaeVU0GU7VvlUgVCB4N9AGBuBF7Jcs7hjTTMWXdfdMvYxMQHYbOdmoHIZj+pU1ynz1C5zGU3L39Aq03XQJJmcExU8PreMYpOOrw+M7hnCFfWDWLDkJC+dLKVNkIUyu8oT9WKIqNB5ZVYme/wl6kkyMVFmkuJ8Kc+y89XWAjJLVMrN8OzwKPoF+6CWafz6Zx4P5Zew+Zr6JAX6kppSyK3zMgmpb0WRZYZ3DKJZsJX1y3J5K6MUiyqTWmznyUsjGJ0QiDPfyWfzc5mi2Nk2pgERTpnXZmexyOmgrZ+ZvFInD10Rw9AwH0rtGhZZxmKxAKq3v04g+BcRxkYAVEm/bNx0gk++2EBFiY2EpEiefaInFquZSZM2ouo6K/5M4dJBLbj1pg7IisTMX/bw04/byDpZSoAr9LnO3P1Vhc5eeWMZe3em07x1LM8+0RuTWebDj9eydsMxJKfG9Td2YPCgRL78ZjP5+eU88cjF5BeU8+pry7jnrs40a/YXiZY6OHUwIzF1RR7hHeL5tmMMq+cd59ZFJxl4qz8B/jLP94vh2tBQjMV2JxUFNhKa+TLukijCsBrtmoPgJD8mJRmRf09PO8qyExX0Cw0gNbsIU7SJN4MDWX28nKTmvmhOnYvaB/DRwHhAwXB36fyxr4Rew0N4tF407/5wiN0ldkajsONoEa1a+HJfusyKvApGhfqDn8xLl0RzTUQo65dl8vjCLFqMjiferLBtbzGvrE+nbQczT7eKReG/vGIjOFf8bzrYBf86rkG2SeNQRl3enBEjWnDoYC4ff7oeWYLX31rO7t1Z3HhjR96esJJjxwpZsSqNDz5aw003dGDQwMSqvIU6GqWcTuOCb49bSVmJncsvb8nRtEJeeGkJAH16N2Hk8OZcemkz3n5nBYeP5NOtc31++GkHfyw8wMRP1qOqOpGR/m5tNMPNduq1dECRgRIHexWdSxv4s3BZOq+mldAyxMKuYjt+usRzX6fT57P9dPn6ENsr7Fj9ZI4eqqDHxCN0+2Q/ty9Jxykbyzkf/XiUDu/tJ7eewkPJwaA6OVmgklffwgOJIazPsqGi4ecrs3tbKW0nHmDgtwfZVGEHHR65JoaSP4vp8PkebM19eLRNGNidHKlQMTW08mjTYBYeLTf6r8HJAgd21UHbZv40URRO2pyklzr5LaOCm9uHMmNxPnNLbHXzyxNccIiZjcCgcoQtLrbz5VebKSqp4OTxIhKahCHLEm3bxPLma5cSEuLDh5+uJ6+wnOXLUxnQN4EhQ5OJbxDMunXH6rS7siKhaTqbt6WTevAk2/ZkcfJoPkMubwnA9h2ZfDpxDSExARxOLaC83EnLFlFM/XI0vS75kkv7JvDj91dXO/NpVJ8BNPA1y8xcmocSBdMuj+HVVbk4AExw46Vh3NcoCIeqEWU14Sh0EBFrZkL3SC7yNaNIEibNcONdPSiCEZLMrwtO8vqWPN7pFMYva/NRuwWwzl/hwIEy9nW10zzJj5/vbUipCiv+zOeJOVksvLIhvyzKY1+cidmNwnhiUTZzoy1c5WPh9y0FtA4NY6tDYvfuErR2oe7ZChiRaL4mGUmHYD+FEX3C6CX78seadErs6r/+uxIIQBgbAVQGNxlD0XNjFzFkUBJ33t6RBx6ZW1UIzGTETjnsKiZZxmIyFtjLKox1mkWLDmF31qXD34jldTpVSkrsvPraQAZeWqWNlpZWwLvvr2brxnuxlTvp3ncSruF2+84MBvVvhs3mJD+/nNBQI/HywKFc9qfkMHBA01PWgCRA1UEJMpNQqPFtqMbWfg3J3ZHHQZuTZgEWtqsQHmAiKsAMugqShE0Hi1kmNshEtNVcGYOsI5sUokLMgIlGgQXsKXFQctLBnxVOEvZU8C7lBOgSy3JttIyzEhZoJgyZlhEllB4qpUJ38ntaKXeOjKeBKYTLgwqYu7OYVg0D2VahYdtSwlq7hr8msTHPRohJJiLEjEUxs2TnSTLQaBBgBgn8ZQnNqYIiYRG+M8FZQhgbgdfLfMvmUXz46Vo2bj3B0kWHufqqVug65OaV41Q1ZEUmJ6cUu0Nl6JBE7rh3Dkevz+NkTnlVTH0dOPwlSULTNCwWEw8/0I0XXlrM11O3oAP3392V5smR+PubGTlyChY/X9JPFONrNTN12ja+nLyJWTOu5euvN3Pp4Cn8+N1VJCSEsWVLBtdc9R1Llt5Jv75N3FU8Xc/IrIEq64zuG0bGGpkx3x2htMTJgIGhxEgyf1Y4KXKYAB2HqmM2SegaFFeolDp1sLqi3xRWrMvj2yOllCoSvj4S9/SIYOHifFr3DmZyhxhAp3R7EX1X5NB3gJnpf+aRgk52gYNnhkYRKCuMSAjg+e8y+NaaQ6bDydNtI1mwJJ/hIyJ4uUk4oLN5ZS7jluYSqcm8PiuLP0ILSM9z8MjwKGJ0mewSJzaM2U5hmUq50HARnCWkQqGNdsHidDgIq9RG+/mnn6hfvz7l5Q7WrDuG3aGS0DiMAH8LsbGB7N9/kqZNw1EUmb37smlQP4SAAAu7dmdx8GAunTvHU1Gh0qRx6Dm5l63bMkg7WgBAxw71iI8PJjU1nx070qkXH0pQgJWGDYNJOZCLn7+ZhMZh2OxONmw4TssWUQQH+7B5awY33zqTH769krZtY6sVN1MBBV1fhyTdQeqJALbllhEVaaF7rC+6ppFX4MTmK1HPakLHCP/WHBonSpyEBpsIkGVDsUCWOHqigt0FDmwytKrvQ9NAC8cyKrCGKISYKnNnKjT2FDuIDzKx92gFubpO/WgLF0X4GDk1dp0VR8spsKvE17PSIczK8UwbvqEmAmXJmFmVqKSWOfGzyhzKslGhQ1JDH5ICrOhOlaMn7YRHWwhA4khWMUHhjQi3zOY/EyJQgzZaU6GN9q/iqY3WzUMbLU9oowlqwpVn4utrpr+HbIuL5ORI9+cWzY3EP13XadUymlYto0/Zvy7RNJ327WJp3y7W3abr0KhRKI0aeRu/1q2i3cdYLSZ6XtwIgCVLD/P8K0t4eWw/2raNRdO0GkslSDjQnFk0ilNoFKcB5ejOUiQZwsOq0vpdw7Rsgfrhkju50iVb0yBepkG8a69iVFWnfqzsdrMBECjRLtA4oGcLV1/KUJ0lKDLoVuiVqLjbdbWE+Bjvc1hCJFqHGNdJCK+6ntNZhEmGhrEyaCWARONYO+hFf+fRCwRnjDA2Ai903RiIq/TEXC6rqrBgY7vkbvfUHzsXNVpkuaofrp9dCajV+6ZV6ra4dMtcWnD9+zWhf7/TaaO57isaWRmDrgWh6aqhiVY5+6mUSvNOZnWN+9X00FwaajrG81XkGo7XQKucIXntW2lfpMrflatdruEcugaVe3jpwpkU13bjAUmApjmQCBcCoYKzgjA2Ai8kqeZqlZ5GpLbP55Ka+lFjm4cKpqfeW5XhqU0DzrV2k4jOByBV5Q24HE41HlaL6GZNYpynHO9xjRqfsnRq7sKpWnCnd4Z57u/9uM6P36vgv4MwNoJ/jCsvxWSS/+ffhk8nNOqN7qF/5omT/4a0o4QYFgRnA5HUKTgFh0PDblexO1R0XaekxMH1N80kN7cMu13FZjNyMY4fL+Sq634iIWEc30zZAnDOFl1dfXZppIFhCO12o7S1q+qmU9VwOLTKvuqV+595p3UgrSCNrelb2Zm5k52Zu8guyUbVJMD8H/gShkZwdhB/WQIvDJ0x73cQTdPIyysnKMjqlX9Sr14gv0wfw8OPzCc/v6Kuu+rRv5rVpmvURlNkUKq00WrSVKsJ3WPtZPqO6SxIWUSIbyhp+akE+wUz+/pZBFgC3GtAAoHAG2FsBF5IksQnn29gy8ZjBIX788DdXYitF4Sfn4lff9vLH/P2cOmgFlw1upW7QFlt6zx1hSxLTHh/NXt3ZdC8dSyPPtAdSZaY9OUm1m8+hqTqXHdde/r0bsy0H3dQWmbnzls7Ulxi5933VnPDde1o0iT0tNpoLteZLMk80esJnuj1BABTt01l38l9BFgC0HQNWRLOAoGgJoSxEQC43Ux/LDzAyhWpDB+aSHCYP8HBPphMMocO5bJiRSq9ejVh7CtLad0qmuYe4dDnqs+KIvPBR2s5mV1Kr96NWbH6GK++sZyxz/ehTZsYfP1MlJXYee3NZTRuHEqzpuHccscsmidFsG7dcY4eLSQoyIqmaYDkPufpcGhOdF0jqySLb7d+x2cjPgVcUV8CgaAmhLERAFWxR6FBPqSeKGD7rmyefOxiwsJ8KS1xEBUVwHPP9CE6OoBvf9hFYWGFux6MqumoqobDoaIoSp0EC+g6SJUhz6vXHuVISjY79oVy/OBJQgc3ByA9vZhJn60nINKffSk5lJTY6dwxjqlfXsHgkd/S5+JG/PQ3tNFcmGQFCRPTtn9Px/iLSAhLQNVUFPnMyxUIBBcawtgIAFAq1ze6dK3P2mV3sj8ll4t7f8ED93fjnru64OtrxtfXjN2uYrUqKLKRZ2MxK4SH+hIdFXDG6x//DkbipN2hUlJi45XXBnLZoET31mPHCnn9rWWsXXkXtnIH/QZ97d529HgBXTvWR3XqlJc58PUzG+3HCkk7WkD3rvVrnd24XGV7T+5l9p5fmTHmJwDhPhMI/gKTmPhfuHj+7l1utBUrU/nx5534mBWat4whKNCK06lx8mQZDoeKv7+FzIwSJFnixIki3v1wDbN/20twgIV9h3K5/64uREX5n/WFckkyXF5Wq4k7b+vEa28uZ87cfeg63HJjBxo1DEGWJe64YwYoZg4fzsfHamL6zF18+NFaZvxwDV9O3sQlg7/hu2+upFGjEFauSuX6639i+Z930qtXo1Ncai43mabrjF38Iv0S+lI/uL4RPCCCAs5rdKr+3vVqPwv+f1R/ltWfswsxsxFUYgyWUVEBdO4Yj9OhcsklTblsYCKqqvPBe5cRFGRFliU++WgYzZMjsdtV2reLpVv3+jjtxsDs42PyOt/ZxGUILh/RnNAwXw4dygVJIiLcj+joAL7+chQbN6TRsHEED97XlXr1AjmZG8InHw8nNjaQxx7tQdv2sfj5GX1u0yqGhGaR+Pmba7wHqbJQm47Ooz0eITkyWUSfCQRniDA2AqAq2z45KYLkpAh3u44Radbxojh3W+fO8QD4+8P1Y9rWeL66HH9VVad3z0b07tnI3abr0LJFFC1bRHnt27Wy75qm4+dnYfiQZAAWLznEsy8t5oVn+9DxorhatdHAMDrdGnQ7OzcjEPxHEcZG4IWu66iaoR9mhDQbA66nArKqeuqkacZUuXJ/Wa57NQFFkVBV3Z2cqShVum0uHTdXu6s+j6GNpleGO8v075fA+n4JHjpqp1+DUXUVGVnMagSCM0QYG4EXhkjjqQOoZx6N9+fzY2Hc6JN3v2VZOiVvxvNnQ9TSe7uncOdpryeJyDOB4O9wfowUAsF5gpioCARnBzGzEXjhdGpu95mm6aiqIQXjyqlBN2YRiiK73VCusgSyLJ0iEVOX/dY0HUmWMClVrjx3uwQmk2K4/XRDykavLCttCIn+PStTdV7JLUSqqprbBel6Rqqqo+k65srn4nBoKMqpMy6B4L+OMDYCL1zGwmU8XIOiK6fGhWv7qW6ouo/O0jTdy8jptbRDldvv72qjeaKqp57XdW7F43SaZqxzKRh1dGRJqlHDTSC4EBDGRuC1TvHFV5tIbBpOn16NSTtawOxf93LXHZ3QdZ3X315ORYmNkaNa06N7AzKzSkhJyWXP3mwOHcima/fGXDGyRZ0bHFmW+HzSRvbvzSSpZQx33dbJ3f7Nt1vZtTMTX38Ljz/cg2UrU6mocHD16NaUlzv44stNjBzRggYNgk+rjeaJokhM+2E7mzcepX7jcO6/uwtms8Ks2XtYtTYNHCpDhjWnf98EFi89xLEThdxyQwd0HSZ+up7+/ZrQPDnyjK8nEPwXEK9ZAkNQszJKCx0eemweqan5vD1uJRkZxVRUOLn97tnYbCoNGoTw5LML2LYtg+KiCu6+91eOHiugXr0gJn66jtTUfKAq6uts4kpEnfTlJg4dziM5OYqNG08w/t1VAIwbv5LffttPg/rBREcFYFJkgoN8eOHlpWzeks6kyZtZs+YYFovi7u/p+q2qxrbpM3axcdMJkpOjOJKaz8uv/glATHQAzZMiSU6KZNz4Vezem01QkJVx41exeOkhfvxpB/P+SMHXx1wnz0cgOJ8QMxuBQeVM5M7bOuJrNXFR90+5/84uvPxSf6bP2EV5qYN33hwIQGGxg+07MunRvQGdOsbx/NO98fO3cPPNHbFaTX+jENk/x6WNpus6i5Ye4siBk+xvEs7BXRn4B1gpLLTx29z9fDNpFAlNw9zH9OnViG8+H8nIq7+nW6f6/PTD1VXnO02XPbcvW3GE1csPceR4NMdSTpLUKhYwXJDTZ+zEP9jKtp2Z5OaU0atnI37+/hquGPMj9eOCWDT/5rP5WASC8xZhbAQGHi/aNptKckIkxcV2ACwWBWflLAKgpNSOLBu5LaGhvpRXOLFYTYSG+tZphyUk7HYnJSU2xr44gGFDk91bCwoqqCh3Ggv2lbiMRUmJnaSECDRVd+cPSRJkZpWQnV1C65bRSDW4tyTJmPnk55fzwEMXc/ttHd3bSkvtPPToPKZ8fQX144K4ZPA37m3FxTYSGoWhqRoVFU58fExnHGItEPxXEG40QWVlS2NQHjdhFb/P288vM6/lSFoBd98/h359mxAY7MONt/7Ms88uYM++bDp1jqe8wkl2dql7Id6Q6a8bjKRNQxvtujFtefeDNTz/4mKef2kx27ZlEBxsZfCgRO64ZzbPjl3E2FeWUFRkY/acvbzyxp9M+vxyEhMjGDR0CseOF6LrsGDRQdp2msiadceAKjedcT3QNGMd6Mbr2/HdD9t5fuwinn9xMatWp+FwaMiyxLvvLGfsy0vZsT0Lq8XEspVHeOjxeYwfN5BBAxPpM2AyKSm57kg+geBCQcxsBIbbq/JNPiEhlJEjmhMV5c97Ey5j5apUfHxMfPrhML6eshmHzclH7w2lUcMQ8vLKeeSh7gQFWYG/zrr/t3FFll03pi1BQVb2788ByZiJSZLEyy/148fpOzl+ohCr1YQsSQQH+fDOW4No1DCEJ5+4mF9/24dSGSrdtXM89esFo7hnNVK16xk/XzYoEYvVxNYtJ0CSsFpNhIT48OnHw1myOIX4hmEMvSyJpKQI9h/I4Y1XB9A8OZLGjUIJj/TFbJaR5bpZ1xIIzhekAue5qhovONc4HQ7Cfcx06d6dmdOnEx8f7972V5FS51MklaeUjieni4qr3v8lSw/zzIuLuOX69txzZ2ejlEAtxrOmAmt/5RY7n57XBYWu06hJE6689noSk5NplphIQrNEgkOCESPfv4OmawSZZDam76Lba62ZctfP3Nj2CnIdTkxy1XxGzGwEXqiqhiRJ7jdvl4tM13WcalXCoqEtVpVLci5RFAmnU3MvOynu/KCqdgkwKXLlGo7uTko1DJVMr56NWDr/FgICLMDp69MYyZoaromJ63qqWqnFJhvXk2XjGrruup7LUElCU01wwSGMjcALzzf26kmdZlM1yX2Jc25oXNSUZGmoBlRP6qzSUDOy/43PZrOM2Ww54+spikz1dFBDNaD6M/K8Xs39FAguBMRfvkAgEAjOOmJmI3Djcovpns5syXA/6bqO02m4oGRZrpT1r3K5geEikuVz4yJyOjX3Go1r9qCqWlVJAUVGkatKEbi00f6pW8t1bkM5ukqLreqaktv96Cmb43QKN5rgwsQkFskuXNy/e71qgbsmqf4qXa+qdmOtpmbdsbpGra6NplcZAU+tMmPtxLi//49wqCtAQFGqt+untHuuf3kaQkEd4fmnrINW+bfu+hL8/9H1yhLQetXP7naPZyxmNgJ0wGSSKClxcvhwDjt3ZxEU6IPN7sRqVRg2JJmKCicTP1+PrdTO0KHNadMmhoWLDxIfF0SL5lE4HBqr16TRoH4ITZqE1qk+miIbWmWHDpykaVIU117dBoBfft3Dzl1ZSJrOiMtb0KZ1DAsWHUTXdQZd2gy7XeWHH3dwyYCm1KsXeMZ9VhSZ2XP2smPbCeIahHLrjR2QKkVJ/1h4kC1bjiObFG67qQMHD+eRmVnMyBEtAPju++1061KfhIQwEaEmuKAQr1kCdF3HrMiUl6ncff8cfvt9H08+8weTJm/m62+2sm9fDo8++Qd79+Vgt6s88OhcUg7ksmJFKuPGGzpkWdklvPr6MjTdcLXVxVujK+nyu2nb2botg6BAK0v+PMwnn20AwGxSCA7xwWJReOGlxaRnFONUNe57+Hf27M3mm6lbmTFz9ymlEmq/nrHtt9/2s2z5EYICrWzelsGb41YAMO377bz/wWrsdpWyMof7mCeeWcjqtUeZPXsvk7/e4o7yEwguJMTMRgAY7gWzVSYwwMojD/XgvQ/WcMN17diyOZ2Zs3aTl1PGj99fBYDzxSWsX3+M2265iEcfn0/2yVIWLTpI2zYxNE0IqzEP5d/GcPsZ4ddz5u7j6KEcGiZFsXvzMbfnJDTMl6WfH8AcZGXjlnTy88sZMigRq0nh8iu/p32bWOb8cp27RPTpZjWeeTTzF6awZuVhktrU4+DuTDKbhuOwa3w1ZQsvvdCPnhc3dB8XGenPT99dzc13ziIuOoAFc2/EYlGEXI3ggkMYGwFAZfEvnZBgH+w2tXLtQaLC5iQgwILFow6LIksUFlXQqFEIjRuHsnr1UTZvSefO2zui63XlGjKMg93upLTUzhNP9mbUqJZug5GZWcKTTy1g6jejMSsSV13/k/tIi1UhMswfXcMrtDsvv5zCwgoaNwqt8YqGRI5OfkE5d93dlbvv6uJVpK2iwomvj/mU48wmiajK6/2T+jkCwX8B4UYTAFUik66SAtnZJZSXO8jIKKZf3yZoEtz/0O+MH7+CzVtP0KljPJIkceklTZnw/irKyh20ahWNJNVNpJWnNtrlw5oz+ZstfDhxHe9/tJZ9+3NwOjWKS238+MNWJn6+gb17c7CaFZYuO8xzYxfz1ZcjadggmMuvmEZGZjGapjPnt300b/MBGzYcB6rcZp7PR5YlRo9syaxf9/Lhx2v44OO1bNmSjskkM3hgIo8/OZ/x761i3IRV5OaWsX7jce558DfGjxtIv34J9Bv4FUeO5AttNMEFh5jZCJAkCYdTIyTUxFNP9qRly0gefaQHLZIjCQvzo3XraN4bP5iPJ64lL6+cCeMuIykxAoBBA5uRnlVM54vi3KoCdeUecrnq7ri9I75+ZvbszQIkKiocJCdF8MGEISxetJ9WrWKZ9s1oomMC2Hcghxee60NSYgRPPdWLaT9sd4to9rq4IaHBvtjtzsoruLQHXNczPl8xqiWyIrNx4zGQoKzcWJ957tne1G8QzL6Uk8iyoV5QXuHg8Ud70L5dLM2ahePnb3JfTxgbwYWElO8QAYAXKk6HgwhfM126defn6dOpXz/+rw+qxPWW7z0cnxtUTfcQzzT4qzWY6pFgfy47wjMvLuLKy1vyyEPdceUT1Xi9WtakThddJiLPzhU6jRpXaqMlJZOQmEhToY32r6LpGkFmmY0ndtH99dZ8c+fP3NTuCnLsQhtNUAOeaw9GwqbuXjh3aXy5or8URa5a6wAcTs1Dj6zuUSpnEa5kVFf/PBMvXe2aZmilVSWqaphMMl27xPPLT2OIjQmsPGvt96Ioco3Xk6v1w2RS0HQd3VNfzql5PT+B4EJBGBuBF66kQ5NbB61qAV2Wa17cNruFOjVM5yixs6ZkyZoSLz1nJJIkuRfsfX3N+Pqeurj/d65XU7siSeCpL3eeBQiomopSy+9VIPg3EQECgn8FSZLOmaGpa3T00/5c19f//xwjDI2grrgwRgfBGeNy9TidmlelSrWyhLLRrnu1O50aGzYc5+nnFgKGvE1d+8NVteY+u+7FtRivaVXuQJc22t/tq1Q527OrdjRdc/8MxkzBrjqwq3YvjTlHZZtTc7rbNF1z76vpVf12ak7sqh2H6nAbCVXXsKt29/Wr2tUaz2Fz2tz7e/bZ1Q9VUyl3lPPCkrEU2gpxak5UXf17D0Ig+BsIN5rAC0/ZfU+qpPOr66MZWmOSBBs3nqibTlZDrabTVqWN5q3zVpUDVKWN9neSTzU0ZGQKKgq459f72Juxm5axrXnrstepH9SA5xY9z5zdvxFoDcKpOZg25juCrUHcMP1Gckvy0dFoF9eWyaO+5IcdP/DWn+MItARSaCvi5UvGMrLlSO785U7WpW3C3+xLoG8g31/zHRPXfsIPW38kMiCSAJ8Avhn9FTEBMYxfNZ4pm74l2BpMqbOMiSM+pEO9Dry/+n2mb5+J1Wzlovrtee+yd3FqTiasnsDC/Usos5dxddsrubvrXWw4vhGzYnYv5OroXsZTIPi3EMZGAIBe+eafmlrAgiUHsZXZadQkjOFDktE0nS1bMnCqKtu2HqdL10a0bxeLLEvs25/DsmWH2L8/B/+AM68H82+iyBJzft9H2pFcGiVEMGxwEgCLFh9k7/6TyDoMHJRIs6bhrFydhqJIdO/aAKeqMXfufrp2aUB0tP8ZqAjoIMErS18lNiiWH66exvhVE3hs7hNMH/MTds3GpNGf0zW+q/uYPdl7SIpO4sNbPvA6V15ZHg/1fJBbO9zibqtwVOBj9mHuLb/SILiBuz2rNIvHej/KnZ3u4J2V73DDjJv45bqZlNnLeHvwmwxOHOzed8PxDfxxcAFbHtyIXXPQ4eP2lDnK+HTDZ2xO38Lyu5a6jUmxvZgIv3B2Ze5my7HNdGnUlfax7f5fvwuBoDaEsREAuD36paU2CgrKUW1Opny7jeIiG9dc1YYrr/mBtm1jqV/Pj48+38TSP26huMTO/Q/+RvPEcDKySnC6XFh1FA/tCkGe9cseVq5JIyLYwqzZe8jLKeOmG9uTn19BSakdW6mDZ59fyMcfDiMzq4SnnlvAknm3sHJVGlO+3Ua7trFeOS812RtN11AkhVJ7KceKjjG27wssObSEH3f8SExALNml2VgVKy8tepWE0CZYLGbG9n2BQJ9AUrJTuHn6rfiYrbSNa8M9ne/Bx+zDd1umseXYVpy6k7u63EGb6DYUVRTx8JxHiQmMJiowkmf6PINFsaDqKrquc0P761l0eDGpBWmE+Ibw7or3mbt3PrIs8cjFD9MyqiXXtLmaW2beSrhfGO8PeR+rycqqtFU82uMRJCScmhNFVjDLZo4WHGXypslYMPPl1q+Yee0MGoY0FDMcwb+OMDYCwB0wRVJiJNN+2sGRtHyOpGSzY2cY142RaNQolHFvXkpiYgS9B0wmM6uEBQsP0qplNO+/O5jde7J5+tkFxknqYIzSddxW4ccZOzmRlkezVrFsXpuK6tS46cb2JCZGMHvWTiR/C6vXHyMnp4wrR7XEalYYcdX3tEiM4Pdfr8fX13TGis9FtiL8zH5M3TqV7JJsnuv7LDN2zaDYVoxZNtM6uiWd4jshyzJWk5WCigKCfILo1rArwT7BxAbFAKBpGo3CGtG7cS9UVCL9I9F1HYtioUNcIs0imhFg9UeRFHR0dDT3mkyobyiyJKGhkRSVRO9GvUCCIGsQdtXO5vQtJIQlcLzoOFszttEquhXF9iIU2YSqqWi6hqwbEYQWk5WHejxIi8gWXPr1INKL02kY0vB0j0Ag+EcIYyMAqhSUn3puAT5WM++PG8xLry7FajWilcJC/YiLC6K8zEFQoAVZligttRMdEwDAzp2ZdVwQzFhzsdmclJXZuefebgwalIjVohAQYCU7u5SHHpnL+HGD8PM1cWh/jvvImJgATMjoGvj6Gv8FJEmipMROeYWDyAj/U64mScaifFRAFOW2cnYV72b+zfPYlbWLElsp0QHR6OgMbTHUGPwrsat24oPjubXjLZiVqtBqHZ3uDbtxZZvR7jab00agTyBXtb2KxPBm7nYZmXDfcBRZIa3gGHmlecQGxOJUnVyaeAkjkoe79521exZH848xacQXACS915weDboR6RtFSk4KvRv1QqksaK3qKtH+kTQKbUS5o5xAiz8W5dy4QgX/fYSxERheL8lYKC8rc5B6tIC1G46xZOkRhg1NQtchI7OY8nIHoaF+pJ8oQlV1LrqoHm+OW0F0pB9Tpm7HodWdG02SjKRNq9XEgH5NmT1nL0pl9c0e3RogSZCTV8aWzcfIybOxZ89JLGaFdRuO8/SzC/hm8ii+/GoT19/0M++Nv4zwcD9mzNrNI4/PZekft9KhQ73KYmiu5FUJVVdRJIURLYez7PAypm6eyq/7fqNv474EWALIKs4iszgTVVNxak6sJitOzUlWidFeL6geDs2Bj8mHEnsJpY4yVM2IAJMlGR2d3LJc0ovSSQhtgoaGWTZTZCvi512zsDvsTNz4CaOajyLUN5SskiwCrUHu2YpJMREdEIPdaWPSxi8pKC8kKSKRllGtuKvznTw8/1HQJUySQvOoZFpGtySjOJMyexmhPqFklGRhc9rO7i9OcMEijI3AsAuVxuGZJ3vxyaQNrF57lBef70vjRiEA3H9fFwICrMgSPPxgD6Kj/GnXNoaTOWVs3HiMF57v467hUlfZ8a5Isocf7IbZLLNiZSpI0LRJGJ07x/PWa5cwf94eWraJ59OPhhEV6c/WHRk8cH832rSJ5pmnevHF5E2UlNiJjPSnb6/GKLJMUbFrwK2mjSYZM4Lr2l6HpumsObKaQc0Gckfn2wG4otUVNAhugCIr7lleTEAM17a9llC/UK/2Xo16uddOXJhlM9e0voam4U2NfSszE8a0voY/9i9g84mtPNrjEa5qZZR6GJY8jBBf47wyMhISPRp255EeD7MgZTF+Zh/eHTyBYJ9gLml6Ca/1f5Vlh5bjVJ34W/1oH9eeuzvfjb/ZH1mSub/rfTQKbQQg1msE/zpSntBGu2BxOhxEVmqjzZwxnfj4M9dGg7/WH6sratId+ytB0OrHLF+RyvOvLGFg3wSefqqXW36mJlwznKpr1e1zcGremlOe1NYXTdeQpQsxrc7QRhsttNHOGp7aaD08tNFOCm00wenQNCMREgnkynIBiiK5NcSgSj/NpRatV+bb6HrtMi5nE1mWcDg8Nclkt06ZpulIlUbD5NJGq+yn617NZpn27WKZ9MkImjYJq9Qxq/16iqTg1JxGQqckY678D6VqqiHr4zGo6+huSRjP2YKma+joXkbLdQ5Zkr0Mhqqp7oRLWZLd/4Frup4kSe6+AZhkE7IkI0uyV7siKSiy4mW4nJoTRVLOixcIwX8PYWwEXsiyhMVyegkTl0ExKkAbo3JVEuW5wWw+1cjVppfmwvNeg4KsBAVZ3dv+arytaWZRk/SLrhshxNXdUrXNMmo6hyIr7kX9v9q3tr7V1u715lnLcQLBv4H46xKcETUN3JL036o8+XfcYZ5SNK5j9GrTIfesQ0wUBAKhjSY4FZd+mKoaGmfl5U7eeGsFxcU2twYZQHp6MTff/gtDhnzNgoUHAM6ZH9zVZ8/kzKr78NZG89zHdY/A33IfuSqSeh7j2eZq33hiE19u+hJN13BqzlMMkkBwoSCMjcALl36YIc9vaJ7Z7SqLlhxCqWx3rWmEhPjw5GMXY7Fa2bkz65z12VPnzFWDB/C4D1c77oV/l8Fx3eOZ4BK/LHOUcevM22n3fjtunnErWaXGvb/656u0//Aienzai84Tu3K08CjZpdmsPbbOvdYi1kMEFyrCjSbwQpIk1m04xuGDuQQG+9KjWwN8fExERfpz8FAe+/Zl0a5dPImJ4fj6mmjRPJLk5Eis1nP3pyTLEsuWH+H4sQLqNwyld89GAKxZe5TDR/KQgF69GlM/PpgtW9MxWxRat4xG03RWrEqldcsYwsN9z6C6p4YiK7yy9FV8LD5se3gb76wcz+PznuDbK6dSUFHAu8Mm0LdxH/cxOzJ3EuEXwfpjG0gvSqd3k16E+YYJORjBBYcwNgIAtEoFga1b0/nww7VER/jilGVaNI+icaMQjh0r4IOP1uKwVfD2u2v4deZ1xNULRNd1ysvPjXvIpY32x4IDzFuQgr9FYvHyVLKzSrlydEtSUnJJOZSDvczBvAUH+GDCEHbtyebl15ayaukdrFiVxkcfr2PKV6MIDfUBag8M0DAMTZmjjIN5h3ih73NsOL6BmbtnEuYTTk5ZDn5mPz5Z8ylLDyzFbDLz6MWPEGAJYPGhJaBLrD+6nnkp85g08ovzJmxcIKgrhLERAFVrLekZxaQczmXw4O5cf21bAEpLHCiKzP33dqF9+3r06vclR48WEB8XhKrpgI6m614lmOukv5XX+nrKFrLTC2neIY7tm45iq3Bw5eiWdOtanzWrjqBZFZatOEJmVgk3XtcOkyIz8uofaFQ/hN9/vZ6QEJ+/Hvwr8zsLKgrws/gya/csDuUd4v5u9zEvZR4FFQUoskK4fzhxwfGYFMUdbhzlH8Hbg94kJTeFu2ffY8xqKuVvxOxGcKEgjI0AAKUy2mzI4CQuuiiOBQsP0r7jx7z+6iUMGphIVKQ/ycmRlJc7CQ62uqPQFFkiIMBKcJBPnSkHGOgoLm20cgdjrmtPr96NefLBbkRHB5KbW8a9D/7GE49eTFCQlZ3bMt2zlpbNoyjMr0CPN9adwHAf2mxOnKqOv9+p5aFdhijKP4oKWwWr09ay+NaFpOSkMH3XDKL9o5EkievaX0vPhhe7j6twVtChXgcAMkuyCPMLPcvPRSA4PxEBAgKgKmw3NTWfnbuyiIz0pVliJLt2G4vfmVkllJbasVgUMjJL0DSNoiIbc+ensGb9URYvOciipYcoKbFXnu/s9tdTG61b1wasXnuUEycKOXA4n6IiG8XFNtIziiktqWDL1gz27cvBYlLYuSuLx576gymTRxEW6sM9988hP78cTdP5YfpOmrZ41x3s4FmRVEJC1VRMsolLEy8hIawJ8/bN46UlL9M1riuB1kCyirNILzqBU3NS4awADCHO9OJ0Q7dZ08gqOXeBFALBuUQYGwE6uKOzDh3KY8p3W/lu2jZatoriwfu6oao6N97QHj8/C5IEt9zQgYYNQyksrGD2nL00Sw7Hx8/MvD9S3MamqkLO2cOVRPrsU71ISorgy6828dXXmzlwMJdGjUJ54dk+zJq1k+JSO2++egkREX5s3Z7B9de1pXPneJ5+sic+vmZyc8uQZYm+vRpTVuwg+2SJcQfVLKYrifL2jrfTLrY93275lo71OvJsn2cAGJQ4iJZRLTHJJrd6clJEIkOThiIh0SCkATe0u+GsPxeB4HxEaKNdwPx/tdHOFzRdR6623vJX2mjV12hWrz7Ki28spXP7OF4a2xeTSanVLVhdZ0ysvZzPCG20s43QRhP8I1RVd9e2kSQwmRQkCS9tNIdDw2SS3J9deO5fl8iShMOhugePU7TRKjtkMsmomgY1aKMlJUXw+ksDaNs6BovFdNqByFNnTEJy16mpSatM042iZybZKNCm6qqQhRFckIi/eoEXiiKhKKdK0HjK1XjqkP2VjlpdUZNsTk0SO6ZatNEiIvyIiPAD/npWBGeujeYSwQRjnckkif9yggsT8ZcvEGAYGJdrTaS/CAT/PsLYCLww3E6VZZD1Kvka1zbAvR2M7VXaYn9PX+zf7rcLz7WW6u2u/nrekyxLf7vvmq67YyBc56rpWdR0PWHQBBciwtgIvPAcOKsLTXoO4p7bPQfOM3FB/dtUL4Tm6ltNRdVc/XVt+ye5Qe7zSq7rVRkX72dRZViMyLZ/dj2B4L+AMDYCL7btyKBebBBRkf5UVDjZvSebtq1jMJllVqxKxV7hpF27ekRE+FFaaqeszEF6RjE5J4tJaBpJo4YhdW5wZFli85Z0sjKLiK0XRPt29dzt+/af5PjxQswWE107xZN2rBCzWaZxIyO5cuu2DJo0DiM42HrGEjKyLLFrdxZH0/IJi/Cna+f6AOzdd5Ijqfmg6bRpG0t8XBBHUvNxOFQSm0UAsGNnJvXqBRER7ickawQXFMLYCPDwNDHl221s2nyCpX/cwrjxK9myLYNp31zJO++tYsHig4T6m7FrMOnTERQWVnDXPXOIjQukoqSc7Dw7v868lshIfzRNQj7LWVyaqiErMitWpPLTzF0ompPCco0rR7Zk6JAk5s3fzzsTVhMSbMHH30LrFtGsWJXK2xNWsm75naxac5Q33lzOd1NGExRkOeNS0lu2ZPD1t1uQnA4KKzSOHM5nzDVt2LDxBJu3nUCyq3z343bGv30ZGzef4MlnFrD0j1vIzi7l7vt/Y/IXlxMe5oemQQ2xGALBfxKTCDW/cHH97iWp6of33rmM519czGWXT6VFs0imf381a9YcZf78FFb8eTsAd983h6V/HubiHg0JCLTw8ftDiYz0Z+3ao5XnO/tv6x5LJnzy+Qbyc4pp27kBa9fv5zubSr++TXhz3ErefOUSLu7Z0H3c7bdchK7pXHX9T0SH+zN75rXExgZ6rU3Ver1KV9hXU7awbfMxuvdNYNfqVL5IK2TMNW0YMjiRHTszIMDE8t/3k5KSw1VXtEJG4o775hAcYGHWjDE0aRyKrnNOK5teiOg1fAn+/1R/nnq1dhdCQUAAeL/R9+jWkA3rThAdHYjFonD4SB5NGldpejVrGoGm6ZSXOWmeHImiSNjtKt26NSAqKuCU850ddBRFNrTRKhwMuiyZYZcl8uknl/PJh0MpL3eCDs0Sw91HuIIFevZoxOFD+WgaxMYGVvZXQtUMQdHaUBQjN6ewsJz+A5oy7LJE3nxjED9NuwqHQ+P2u2aTkBDGoEsSiI8Lcpeg7ta1PiezSikstLmfo/CeCS40hLERALgH2UVLDvHp5xtYsuBWlq9MY/LXmxkyOInUowV8M3ULK1YcYe4f+2ncJBxV08jKKkFVdSwWBadTPW0y5L+JSxvNYjHRtlUMBw/lERLkg9lqRpYkgoOt1IsJ5IWXlrJiVSrLVqTicGjs25/Do0/O45tJowgIsPDUMwsoLrahaTrTfthOYqv32bvvpPFMPPyLkmSUNJBliYs6xHEktYCQQCu+/sb1CgvLOXgol7iYQGzlKikpuciyxLHjhdzzwG+89cYldGhXjzvv/ZW8PEOLTWSwCy4khLEReIXmLl+Vyh23daRTp3o88XgPNm1JJzjIh4kfDuOXX/fwzvgVPPV4T3r2aEBAoJUB/Zvi62tk0CuKXOeBAZIEr77cn4AgK08/t4BnX1jIli3pmEwyX305EpNZ5p13V/LppA2UFNtYuSqVywYl0rt3I558/GJO5paRnlGMLEv07N6Q9ONFHDtWCHgbG+N6xn+Xhx/sRlLzSJ5+biHPPL+QFStTiYjw57mnejN58gaWrUzliUd60KB+MOs2HKdLl3gGD0rk0Ue6o6oaR1LzvaqFCgQXAlKu0Ea7YHE6HET5muncrTu/zJhOnIc22l9FSp2LEOfa+Cd9qX5/6zcc5/Vxy2nSMJQ3X7sEq9VUaz7MP4kiE5Fn54oqbbRmQhvtrOCpjXbx6635+s6fubndFWQLbTTB6XA4NGTZmKWoqiGLbzYrbh0xMLYpipGwqKp6jbIwdYkkUaM2mq7j5dozm5VatdHq1w/m3rs6c3G3hvj6miuNQ23Xk3A4NfTKmYnreVRpsQFImEzG7EXTwWyS0XW9UldOFvk2ggsOYWwEXnjqnnnqpHnqiLmQJMktyHmuqUkbTZJOba9NG61ebCD1KoMFjJnS6e/LXJPuWg1tiiLh6oEknfoMBYILBWFsBAIMA2OUKjh3kjsCwX8ZYWwEXhguJ09ndtW6RVUxMZcES+VP1WRbzgWehc6qdNvAI5vIo886ntpurrUZ5W903vPcnsapentt1xMILjSEsRF44Vpv8KQmnbSaBs1zNYbWpo1W/V6qjKFU4z39/etVGTVPvTXPa3pezzB4wtAILkyEsREAlYvsTg1bhZPs7BJ8fM04nUZeSXxcEAA7d2VhtzlJSookIMBCekYxgYEWAvwNXbHc3DKsVhNBQdY6neXIskTKgRxyc8uIiPCnWVMjkfPQ4Tyys0uQJGjRPJqgICtHjxXi42MiKtLfvU9MdAD+/n8tV+N5vSOp+WRmFhMc4kuL5Eh3e2ZWCSdOFCHJEs2TIiksqkDTdPd60JHUfMJCfQkO9jmvIvoEgrONMDYCNN1IyszNsXP/Q7PJyy8nL6+MgAArIaE+TJk0ih9m7OTbH7YR7GMiONyfzyaO4M23l2O1mhj/9iDy8iq47c7ZjH2+Lx0vqoem6WddjsU1k9i46QSTv9mCo6wcu6Rw2w0d6NOnMb/O2cfufVmo5U58g6y8/fpAfv19L59+voH1K+9izdpjPPfCYr6bMpqkpPC/DAxwXW/PnpN8OmkDZYWl2FC46vKWDB+ezJat6Tz17EIkdFAUJk0czrqNx3nmhUWsWHwbOSdLufG2WXz52Qg6dYyvk2ckEJwvCGMjAIyB1MfXREZmMa+82I8PJ67jylGtOHQwjx+n72TO7/tYv+IuAG65/ReWLDnELTd14KWX/6SszMGatWmEhvrS8aJ6qKrmlmo5W3hqlb33wRpKCsvo2L0RC37bw0efrqNPn8Zcc3VrPv+sDDswbdo27ru7Kw/c0xWnXeO6W34myM/C9B+upkmT0BrLEdR2vc8mbWD39gz6XNqMtcsPM+HD1QwZnMjzLy7m5hvbc92Ytu7jGjYMobzMyd0P/Ia/j4lpU0bTulW0MDSCCw6hICAAqnJH4usFYbWY8PezEBnpj83uJDOzmKSEKo2x9m1jyc0to0XzKGJjA9iw8QQrVqQx5urW7uJgZx8PbbRyO50616dV80ief74v740fTFGRjbvvnUNomC+tmkcSGeHvdlkNG5LEpo0ncKo6TZqE/qUIpwuXNlpBQQUXdYyjVYtI7r23K19PGoWm6ZSVOenU0TsxFmDIoGYcOpDLyZOltG4VDSDybAQXHMLYCKrQISenFJvNSUFBBeXlDvLzK7i4R0NSDucya/Yedu7M5Pf5+6gXF4SPj4luXRswafJGMrKK6de3yT8uSPZ3qdJGU2iaEE5JqYPuXerTpm0c0VH+ZGeXsv9ADv37JRAc4ENaWgFmk0x6RjFPPL2AyZ+PxGox8fqbyykvd6JpOt//uIN2nSdy8GAeULs2WvPkSIpK7HTvXJ+LOsYTHeWP2aJQPy6Yt95ewc5dWWzdnoHNpnLyZCn3P/I7r70ygNYtY3j8qT/cWmwig11wISGMjQAJY2C1WmX69GlCdHQAvXo2JD4+mDZtY+jYKY7XX72EiZ+u5aGHf+e+e7owYlgyAFdf1QrfADOjR7XAYlHqdAA1tNEkxr05kOISO1df/xPX3jSdFStSado0jLtu78SDD85m4Z+HuP2WiwgN8WXWr3vo1DmeywY147FHu7NtRwZpRwuQZYnOHePZszubg4dygdq10Z55qhehYb5cfe1PjLnhJ36fux+ASZ+NwGI18dDjc3ny2QVkZpawaOkhGjcO5YqRLXj0ke6kHS1g794coY0muOAQ2mgXMJ7aaLOmTye+fvxfH1TJ/3okVfX+b9mazjvvrybI38KEcYPw87OcRhvtn2ix/W8/r/9dhDba2UZoown+Fq6B0OnUUBQJVdUr9cV0ZNnQ9XJro5lkFA9XmaGnJp3TBW9PrTKX9phLq8zl1jPWXDT0GrTRwsL8GD4kmYGXNCUgwFUiuuZrSRLuc7vO67p3h0Nzr9W4NOV03dCPcz1DRRHaaIILD2FsBF649L2qNM+M766aNTXhqad2rjhzrbKatdEaNQyhUcMQ4My00WoTH63+LCRZd0stSJJUo4abQHAhIIyN4Iw418rOZxtd192zoDOJplM1FVVXMckmZEl2n8OpOdHRUWQFRVKMbWISI/iPcyYeSbmmutzi68L6qo6RU4Lbp223q8z4eTflFU6v9ur7n0uq97l6e/W26p8lSaos/vbXlsFlTCyKxW1oXOcwK2YsigVFMmYwB3MPsvDgIsDwbQvODXq1z+Lr7I0ltW37b7+uCv42roVs1xdAebmTDyeuw1bhdLd7Dtie+54Lo+NaXznTvhn76O7PfwdN15CQ+HrLN1z9/TVsz9zh3nYo7zBXfn8Vl345iFm7ZwGwLXM732//HsDLMAkEFxrCjSbwQpLgZE4p+XnlWH1MxEQHoCgS9WIDKa9wkHe4lOjoIPz9ze6CZfkF5ZSW2IiKDiTA33IO+iyRnl5MUVE5wSG+xMYYOmSZmcUUFFYgAQ0bhuLjYyInpwwfHxMBAUY/s7NLCQqy4uPz1/8VVE1FlmW+2DSJ9KJ0Cu2FpOYfoW1MG1RN5dvt3/LoxY+QVZLFO6vG06V+F0J8QogOjOZkaQ6l9hLqh9R3z3oEggsJYWwEQFVOSVpaAc+9uJiivFKcssw7bwykeXIkOSdLeeW1P9m57Sg+AQH8OvNajh4t5OlnFyIpEiczCjD7+fDrz9cSGGitNWz43+6zLEvs2p3FhxPXU5xXjMnfhwfu7ELnLvF8M3UrO3ZnopY7qdcghNdeHsDU77cxddpW1i2/i/UbjvPoE/P59uvRNG8e4Y68qw1FNozE7RfdhizJ3DLrVsyyYbQkSeKFPs+7Dck7q8ZTWFGIr9mHzSc288KiF1l5ZCVXtBnJK/1fRtVVYXQEFxRiXi8AqozNxk3HSTtawGOP92Le7Bto2SKKigqVohIbQy9LYtWq+ykoKOfgoVz8/MwUFlbw3juXsXr1vTx4TxeKi22VYb1n35+mVbrC3hq3kvyTxXTs0ZjjR/J4a8JKAG67pSMdWsXQ6qI4fpmzl9S0Ah59sDujhrfk1rt/YfLXm/nmy1G0aBFZ6T6UzyjRUpZkdHRsqg298j51XUeqjAT4dP1nJEcmkxiRiF11UFhRxPjBb/P9mG9ZfniZcQ5k97ECwYWAMDYCAHeeyNDBSTzyUHcWLDzIsMu/ZevWdMxmmfrxwVxySVMqKpxERvpjtZooK3fQoUM9QkJ8cDhURo1qSXx8MHD2q13quo5JkbHbnZSW2WnSJIwAfwu33NyB118ZQEmJnXsfmENhsY2wYB9CQnzcx954XVsWLjiIw67SunW0RxTamWuWSUiYZSMYAAwDJEsyX2z8guVHlvPmpW9gkk0U2wq5tOkAAiwBFNmKCfcPN4yMiFATXGAIYyMAqoyDpusMuqQZd97RCUWRmT1nL2azTF5eOYWFFZjNCgUF5TidRnJkbm5ZZWKkUrmGUzdv6y5tNJNJIa5eEAFBvtx6fXuuurodzZMjycgoZseuLO66szNtWsSQkV6CSZHJLyjn6ecX8cXEESiKzEcT1+GoTNCc/vMuevb/ktS0AuNZ1DLLKbYVc6zgGCdLT5JWcJSTpTmousrbK8bx4ZqPeb7v86iqSqm9FB2J7NJsdN1I7iysKKyT5yMQnG8IYyMADJFJgAULDzFg8Ddcf9N0IqL9ufeuztjtGp06xuHjY0KSoHOneAL8Lfj7W2jVKtqdGGkynVno8L+FS/RzwrhBpBzMoUffSfTqP4n5f6TQrFk4141pyxVXTGXKD9u44vIWhAT7MOW7bTRpEsqoUS146IGuzFuQwsGDuciyRJtWMaxencaePdnAqcZG1VQAft8/lzE/XoesKkzZNJV3VownoziDHRk7iPaL5pn5z3Ll99ewPHUFsQExtIhqiSRJhPiGcFG9i+rs+QgE5xNSjtBGu2BxaaN16dadX2ZMJy7+zLXR/tfR8fZk7dyVxUefrsdW5uDD94fUWZCD4GxjaKNdce31JFZqoyUIbbR/FU3XCDTLbDqxi56vt+YroY0mOBM0TUfVdKjMtzESHfEqiOZUNZTKqK3zpQiYy60HxvqTLBtuNk3TkWQJ9Kp6NGDUwnFplZlMClaribZtYhh9eYvKks21a6Npuoaqq0hI6OjIyMiyjKqp6OjudkVSkJDQ0FAkxVAp0DV3VJtAcCEhjI3Ai9rq0Xhqipk8Pp8PhgZq10FTlOptEq45jadWWWKzcBKbGQXi/kobzRUMcEof5Jr/Oyko7uuJcGfBhYpYsxEIwD3LMSqNnuveCAT/PcTMRiDAmHVUKV0LBIJ/GzGzEdTI6cQra/r5XFI93PpM+vb/6X9t1ztd2Pf5IFYqEJxLhLEReFFcbDM+VL7kF5fY3K6l/IJycnJK3WKdqmqMniUldnJySt3F1eoaSZIoLKwgI6OYomKb2w1WWFRBRmYxmZnF7jDmklI7TlVz71Naav/b/ZYkiZISOxkZxRQUlLvPJUkSdrtKTk4ZubllqKpGebkDu0N1C4KWlzuw29V/69YFgv8ZhBtNYLx1V35+6Il5lBTbmT7tar74chMzZ+3mlxnXMveP/bz29nJ8JGjdLo73Jwzm6LECXn1tOWU2BxlHcwiNDGbmT2Pw8zPXqTbaoUN5vDV+JTkZBQSEB/DkQxfTuk00H360ji070tEqnLRoHcPY5/vxyecbmDV7N6uW3sGmzSd44KG5fDPZJVlzem00TQNZhoz0Yt54ZwXHj+RgDfbjwbu60L17A1JT83nw0XlkZRUhKQrff3Mlq9YeZfx7K1mx+DZyc8u5csxPfPz+ELp1a4CmaV6BFwLBfxlhbASGUaj08Xz6wXDuuGc2jzwxj6ICG19+fjkHDubyzoRVrFh0O8HBVkZf8yPz5qfQpXM8R4/mM3nSSJKTI/lm6hZyc8sICAipdCmdXWuj6ToyEq+8vgzV4eDSoS34deYuXnr9T2b+dA333tOF6T9up8yp8ckn67j+2nY8+ejF5Jws476Hf8NeofLh+0No2TKqcvYmucO6azKUmqYhyzLj31/NsSN5DBzaguVLDvLs2EUsXXArjz35B5f0T+CB+7q6j2nSJJTjx4t45Mk/kHV4641L6d69QWXIuDA0ggsHYWwEQFWor9WqcPvNF9G79+eMHz+E+vWD+X3uftq3iSU42ApAv95NKC+3U1pqp0uX+sTEBKCqGjff2OGU850tqrTRVIpLKoiJ8CM/v5xLBiTQq08CZWUOHn50LkEBFmLrB+PvUfrggXu60Oqijxl8aTO6da3vniEBmGoJ5dZ1I7xa13Xy8soIDvEhP7+cDu3q0b1nI5yqRn5BOYMvS3QdUTkTkrjvrk606fgJjRsGc+mABODMNdgEgv8K4tVKAFRJsxw+nM+nX2xg+vTrWbz0CKvXHGXgpU3ZtjODLdsyKCysYPbve4mMCkSSJPLzy3E4DHfQudBGUxSZsFA/miVF8ewTvXjssV50uiiOEyeK2LDpBG+9OZBhA5PIyS1HUWTKK5yMfWUJH783FICp325F04yS0L/8upehI7/lxIkir2diXM8l6SMRFRVAfP0Qnn2iF08+1ZuLuzfEYlEI8LfyxaRNFBZWkJtbjq7r2GxOnh27mOee7kXTJuF88NFad4i1QHAhIcpCiy90HeTKN/q33l1Jt64NuPLKlowa1YK3xq8gNiaQl8b25/Y7ZzLgkslccXkLBl3aFEmCJk3C3ImR50IbTVEk3ht/GStXp9Gu00TadZ7I3Hn7SUgI4/JhzenV6xPGvb+Kfr0aExxo5ZPP1xMYZOWG69tyz92dmTxlC/v25yDLEk2bhDH3t31s354JnKqNJle6115/eQAnMopp1/Fj2nX6mKnfbgXgy88vJ+VALgOGfM3gkd+SllbID9N3UlJm587bO/Lww935+ZfdbNh4wq1wIKg7zvn/s//41189a+mk0Ea7YHFpo3WtQRvNFXF2obA/JYdJX2/maGoBn348jLAwX+DsuwMFZ5sqbbRmQhvtrODSRtvsoY12k9BGE/wVrrd5WZbQNB1dNyRedF13b5MkQ9LGyB3Rz4v1ByMMu6rvkuTqv7Hw77oPz/vTdR1V1StdgBohIT48+PYgwsP9vNZxasJ1bs/rndoPGTCeoet5edbOEQguJISxEXjhOcB6fpYk6RQdNCN35PwZNV2zMVefjP5796/6PblUA1q1jKJVy6jK81QZGtd6Dnjrr9V0bvDWXqu8ikcezvmjJScQ1DXC2Aj+E5w6yP89PGcynga0NmFSgUDw9xDGRvA/jWs2s2nzCTZuOEpwmD8jhibj72/5W+tOsiyRnV3Cjp1ZdO/aAD9/MwDrNx5n3Zoj1G8YzuCBifj4iv8yAsE/QYQ+C86I83Ux1bVu8t77a1i46CAnPWRzzjQM27Xb6jVHGTR8CsdPGKWbNU2nuNhGWloBY19awrHK9rPxLM7X5ysQ/FuI1zTBKXi6lHQM55QkgcOpoakaVqvxZ+NafK/t2LokMsKfO57pQ8sWke42WZYoK3Og67pXUidAWbkDRZYxmWWUyjDkiy9uyNb199GoUah7vwH9EhjQL4G7753z/8qNKS21I8sSvr7GjElVNWw2Iy/J19fsDsio/uw8i9YJBP/LmE4JkBZccGiajsWikJVVwVvjlrJ770l0TUdWJEJCfZj65RUs/vMQz4xdjFnT6NU3gbdev5Snn1tIbEwgTz7ek6IiGw8/Oo87bu9It67163yQdDo1TpwoJCkx3D1gL1hwgI+/2IDkcNKzTxMefrAHuqbz6hvLWLf6MMV2neee6M2I4cl8/8MO3v9gFVGxQXwxcQT16wdXRqsZ4pklJba/3SdN06mocPLZFxtYsnA/sp+VW65rx4jhzfn99/18OXULus1BYLg/E94YyLH0Ym67+xcmfTycbt0acOllU7jyipbccXvHc2bE/zPoHt9rSw4R/DM8n61Urd3jGYtXJgFgzFKsVoUVq9O47RZDdmbQJc1o0iCMn2fuZvy7q5n/641s3vwAhw7ns3DRIYZclsTq1UdxODS2bc+gqNjmIf9S939aJpOMySQjyxI5OWU8O3YxAwckMPKqNrz30TpWrEjlyJF81qw7yl33dmfDyrsYMTwZXYcbrm/Hr7/cCJXGxYWiGNU8q8/gdB0cjtqVAFzGYeGiQ/w8Yxejx7SnS4c4Hn1qAdnZZYwY0ZxbbmzP5aNbk3msgO9+2EGXTnE881hP3pu4lqeeXciAfgnccXtHQMjbCP73EcZGABgRWA5Vp0mDEOLrBRMR4U/LltFIEuzanUW7VjHE1QtE12HwwEQyMoro0jmekBAftm3PZOGig4wYlgy43Gvn9n4OH85DkuF4ehE7dmbxwH1daNEikmZNw7nm6tYsW3aEex78jZUrU5Ekw2A4nRoWi+mMBnZJArNZrnVfV3va0Xxkk8Tuvdnk5Jby7NO9CAvzYdLkzXw2aSO79mRjszmx+hgqDNdd2xaHTeOjiet48omLgTNfexIIzmeEsRG4kYDSMqPeSnm5g4oKB2VlTjq0r8e23VmkHMhF0zTmzt+Hr6+ZwEArHdrXY/qMnaQdLWTU5S0Azos1hpjYQPz9zDz1aE8+eOcynnuyN3H1gjCZZe66rROffDQMSZKY8P5qwFgvcTpVbDbnaWcsLlJScrnyuh/ZsOE4cKpBcP0cEeFPbGwQ498YyPsThnDnrR2xWk1M+2Ebd93akffHXYZitVBR4UTX4YvJm0hqFsEjD3TnyacX1LguJhD8LyICBASA4RZSZIl6sYH4+ZmJjQ0kMNBKUJCF7t0bYLIojLpqGlZF4oabOnL1Va3RdRhzTRuuvXkGI4c1xz/g74Ub/9s4HBoOh4qiyDRqGMJTj/eiS+8v8PU1US8qkNk/X8f+/Tnc/eBv2B0OYmICefyhHgBMeHc1037ahs2pMWbM99x0S0ceeagHqqphtzsN4+GRnNmkcShLlhyiacMwOneOR1V1r7LSLgWDMVe3JiXlJC1bvovsY+GSvgm8O/4ybr+lI8+/vJhPv9pISKCVJo1C2botne9/2s63X11JeKgvl42YypeTt3DH7ReJNRvB/zzSSbuYo1+oOJ21a6P9r+AahB9+ZB533tmJFs0j//qgM8RzVnH3PXN4+KFuJCdHUpBfzu8LUvjii028+84gOl4UJ2Yg5y2V2mhjrqdZcjIJzYQ22r+NpmsEWmQ2H99Fzzdb89UdldpoNm9ttHPv7xCcV7jcP1XfcX/3/Kp+zLn+j5uTW8YjD8/h9beXU1BQDuDWdqve59ruxaX15qpcKkkSc+encPvtM1ixOtXtHiwvd7JnTzZjn+tTaWhOL9vzl9fyeH6e7jixViP4LyHcaAIvXINm1Xe8voNLrNNT88tbZLIucfXzmad7sX1bOoEhvlgsJve2mmyAUZtGR5a9jYTx0fuA+LggevZszNVjOtCgQQgAsfUCeeOVS4Azu+fa+lB1LW/3W02fBYL/dYSxEfxtahpcz5Uop+uSLVtE0bJFVI3bauJMBTHbtomhbZsYrzZd13E6NXR0JFlHwoR0lktgCwT/6wg3muBvoes6W7amU1RUUfmz0Z6XV8bWbRlG2znolxFNplVK/P/1vlu2ppOeXvw3zltV6MxQi5axmE2YFbMwNALBGSCMjeAUjDUE3WstQdM0dF3H4dC4+7457NqV7dW+bt0xHnx4rsfxddtnl3y/LFdfZ9K91kYAbDaVAZd9zeSvN7v7WxuybBgWz3BuVzDA9oztfLx2InnleUa7SEkXCGrFJP57XLjUpthRU7a8SxHAbFaIigrAYjF+dg3C/v4WIiL8zmZ3T0tNLrxT12CMz76+JpYsuJXoqIBaj60Nl6HJLMnk/t8e4GRpDn0S+hDmGyYi0s5jzqSUseCfUf151vaMxZqNAMDtJlq2/AgTPlyDo8xGcEQAr77Qj8TECBYvOcQjT87D6msm9Ug+VqsZVdV4/sUlLJy/j5JyJwnNIoyTVddIOku4BvecnDKee3ExqQeziGscwYvP9KVhwxCWLD3Eq28vp7Sogl49mzBh3CAOH87nwcfmkpVeyItj+1NvSPIZGwkdHU3XQIfnFj3PgKYDOJh3EKfmFJFjAsFfINxoAqBqhtKnd2Mevr8r19/YAUeZnW+mbqW01M7Tzy3ks4+Gs2rJ7bRqHoXZqvDTz7vZsSODtWvu5YP3hlbZlzp6uXetzzz/4mJkXefm27tSlFfOs2MXA/D9Dzvo2K4eq5bdyYRxg9A0nQYNQpg941patoglLa3Q63yapuNwqLW6ADVNQ5EVft07m9axrXmx31icukp8UJyY0QgEf4EwNgKgambz+9z9vP7WChYvPUR2dgl+/hYOHMglOjqAHt0b4mM1ERxkpbzMwf59OfTtnYDZqhAYaMFUhyWPdV3HZJJxOFRyckvJzipm6fLDhIf6cM1VrdF1nauvbk1eXhmPP/UHk7/ZUll10zCs/v5mzGYZzcOyyLJLdPPU62m6YWiOFh7lhcUvsid9D88ueI6dJ3by7ILnOZJ/xFAN0LVTDxYIBMKNJvD2q07+ZjNXj27FXXd04sox0ykptREVFcCx40UUFtrYti2DVWuPERhoITDQzM7dmUjAN1O2UVRirzrhWbY7kiShqob7y6QoDB3Wguuva+u1z6UDmnLpgKYsWHyQu++dQ//ejWnU2KhV45LnkSXJHUCweOkhfpmzh1fH9ic83M/Lveb67mf249UBr5JfVkBuWS5Wk5XYoFh8TD6gIyLTBIJaEMZG4DU8Xn9NW559ZTHTZuzAKitEhsURGxvA6JEt6NnzI7r0aEbni+JwODRuuK4dt9z5Cx07T6Rzp/o0aRRmnK+OxlsjAk1mwrhBXHfTDMa9uwIdiTdfvoShQ5O45fZf2Lz9BBGBVm66oR3RMQFs2ZLOw0/M53hGEYv/PMAffx7ig3GXUa9eEP5+Zj79cA1DBiYxZHCil96Zy4hE+EUwquVIwJjt7M3by/3d7iPSLwJN15Al4SwQCGpCGBsBULVmc8UVLRkxojlOVcPHWvXnMfb5vjz1RE8sFhOShFtwc96vN1BR4cTHp2rfulq/cCWXxsUFsWzxbYZyMmAxG/fy+SfDUTUdTdXclTrbtYtl4dybMJsVNE1H1TQsZoUT6UVs2pLOpYOTadc2Bl2vWRlAR0fVVOM+kfh65GRUTUVHF4ZGIDgNwtgITsFVhKw6VqunQalq9zQ05wKX4aveD4tFOWVfWZbc+ymKhLly2fLE8SJ27s5i/NuDiIsLqlWGRkLyEhcEUORTryMQCLwRxkbghWfyY23aYucb/0YfO3eOp3NnQ/XayCs6/Uk9E1dPt6+xz387/+ZMn4XgwkYYG4EX50rj7FzjkqVxlZX+K87UENck7nk+oema2y2oyAqyJLtdhZ4vHa7ZnCunSJZk94zuf+WlRHBuEcZGAFTNZrKyS9iyLYOQEB9at4gmIMByjntWN8iyVKPbrToul92JE0Xs3ZuNYlbo3DEOf/+aC8cVFFRQWFhBw4YhZ9wXI39IP+sVT13rTLKnFA96ja5CAF3XvNpVTUORZQ4fyWfvnkwiowJp1yYGi1UMK4JTEX8VAgC0yvSQ48cL+Xbadv5cdojvvhpN//4JaJpeWXnS2EmSJPfbv2tgBGPAPlezoqp+SG5FZ6OeTdXbuSxL7ho3iuIqi6Ahy/IZv5lrmoaiyIwbv4o1q47QrVcjkppFVBob3V1OWteNta8lSw/z+9x9TJ40ElU1jnX1w9jP9eyq+mD0v6pDmq4hUfVsNV0zPuu483okSXIHKLjaXNVFFelUI+oyKlklWUzaMBlN17izy23EBMRSWFHInL2/cTT/GA7NQbPIplzX9lokSWbqlm85cDKFPgl96d+0H7oOu/dm8+2UzWzdlcMvM66lVcsoId0jOAURPiMAqiT3L+oQx/dTRnNp32Ze211hxq7B0vM4V/u5HFyq+lHVB1mWTumz0VZVq8fo99+/np+fmXffH8aHE4ZQr17gKddzBVhYrQohIb7uhFHPfnjub9TY0dA0nT8WHGTu3P1ommG8ZMn72cqS7DY+iqy43V+e211urtMZmpyyXJ5Z+AyarmJzVvDC4rEU24o5XnScrzZ/hSRJhPgEY1WsAExY/S7Td88gyBrEN1u+YdmRZUgSDBucxPTp13PpgKY4nK6kVmFoBN6ImY3AC03TKS93Ulxic7dJksTmLemMfXUJzlI7g4e14IH7unLiRBFPv7CQnOxSFKvCs4/34uIeDeusiJrr7bm42MZTzy3k4L5MGiVG89oL/YiKDuClV5ayZsNRsKsMv7wl997dhfHvr2br9nR+mHIVBw/lcd8DvzFh3GW0ahXlnuWcCZqmk55ehN2hYqo0Zrt2ZfPsS4uwFVXQ79JEnnj0YmRFIjOzhLsemMOmNak88FBPbr6xPa+9sZys7BI2bjtBaLAvH44fTLNm4QDs3XcSu83BkCFJ6Dh5eO4T9Grck1EtRnGy9CRvrHiTB7s+wPrj6/l+yw/YVQed6ndkbL8XKLYV8/H6iZwoPMG2EzuID41jyuivCbAEuI2MK+n2QO4Biu2ljO3/AgDDvh3OphObiA+Op129tjzQ/T4CrYYhLawoZO6+uXw1ajKNQhsx4MtLmLbtB/o07o2q6tjtKsXFNmFiBLUiZjYCL1xrF7IsuZUFiovtPP7UAoYPSea2u7rw+eSN/DxrN/XrB/P4Ixdz680daNsimjfHrTAOkE4tHX02cGmjPTd2MWZZ4s57ulOcX87jzywA4N67u3DXLR257sYOfDF5EykHcrn/7i7YKlTe/WA1H368ljFXtyE5OaKyVIKE/TTaaNUxatoYz8rh0Hjk8flc0q8Jt9/VhWnfb+eXX/cSEuzL2nVHuee2Tnw8cSQffryWkhIHBw/lcvBALvNn30BiQjgff7qeEyeKWLT0EAcP5XE4rYBFSw5y/Gg5TSMaM2//fHRgc/pmckpP0iC4AUMTh3Bn5zu5o/Pt/Hn4TxYfXkKANYCFBxfQqX4n/rh1Lq1iWrL35D7g1FIKARZ/ckty+HXPHL7fPo0juUewO+1YFQvrjm7gki8H0XliN8atfIf04nQiAyLILMnkmp/GEBEYjiRDfnkBiiK7/2YEgtoQMxuBF66oLF3XUVWjGNmRI3nk5ZeyfGUqDlWlfftYmidHcuxYIS+99icmTaPcriK5FprrQK5G10ExyTidGhmZxZQUlpNdUI7mdDJoeHOcTo33P1zDhnVHiWkYTHm5A1XV8fMz88H4wSS2ep8RQ5tz803tvWZiivLPcmZSU/PJzS9lzdpjqOi0bhVF8+RIUlMLuHxEc9q1i6W42E6DuBBOnCgkJMSHa69pQ2iIL317NWb+ghS2bc/g62lbOXAgD13XOZlTzJ039uDK/lewNm0Dh/MPs/TwUoYkDUGRFb7d/h0zd/xCw5CG5JXmYZIVyp3ltI1px8CEgYT6hvJyv5fcfXS52iRJQkendXRrnuv7LB+u/JDuTS4mNjiGQJ9AyhzldKnfiXGDxmFRjACRA7kpFFUU8+LSl3io24OE+YUzcd3HWE0+/59fo+ACQhgbgReyLOHra8JkUggKsqIoEoFBVvx8LUz98gpM5qrJ8LjxqwjwNTNt6pV88eUmfvx5Z531U5JAq5zZaJrObbd3ZvSolu7tBw7kMnvOXvbseJCi/Ao69fwc14v3l19t5pnHe7N9RwYbNhync+d4dB1Wrk7lj0UHeOqRngSH+PytRe6gIB+sVhOffzyCoGCrVz9cE4qUAzkczyiiXr0gysud7iTZVeuO4uNrZsjgJIYMTuKrr7fgsDu5667O7vM0Dm/MrN2zyC3NZWSLkZQ7ypm86WtmXjedhsGN6PZZD5yqE1mSsat2KpxGJVWn5kSRlVM02yQMg9M/oT/9E/qzN2cviw4tolV0K44XHseu2ikoLyDMLwwdnSZhTSi3l3Nt+zEMThzM3XPuoWlYU/zMvsZzEg40wV8gjI0AqFJ9/mX2Ht6asJLj6UXsvPUEg4Y2Z8Jbg3j4wW40bfUeoWG+RIT4Mf37qxl0aVN+/HkH7btMJCo8gJhIw79fZ3ECEpgUmbffuJQbb5nJ628tAyRee6k//fo2oU3rGNq2fZcGCdEEB/rg72fh3Q/XsGNXJjN+uIaZs3Zz+z2z+eHbq2jZIgrVqfPmK0u4uGtDBl/mrY1WE6qq4XRqKIpEdLQ/Tz7Wk/bdPiEo2EqQv5WffxhDRIQfM37Zxbqtxykvc/DSs30JDLSgazp33zOboCArMfFBfP7hcJxOI0CgoLACh92J3a6io2GxmLim9VXcNuNObut8K1bFilNyMihxIIMnDyc5KhEVFV+zL5qmYZbN7lmMLMmgg0N3eBkEHR1FUnjsjyf4c/8SmkUn8d6QCQRZg3BoDswmC4qsYJJNqLqKIil8POIjnl8wli/WfEGLmJbcN+A+I6JP13E69FPcdAKBJ1K2XfyFXKg4nQ6ifM1069adX2ZMJy4+nvJyByUldnx8zTjsThRFJijIB0mC/IJyHA4NRZYIDTUirMrKHJSU2gkJ9nGXUD4XlJc7KK5UnQ4KtOLjY0JVNfLyyvHzM2O1mlAUidJSBz6+JkyVLr/iYhtWHxOFBRXM/SOFb6ZsYcrkUTRoEFqjPporfPnZ5xczcGAzevdsCFTl3xQUVmC3q8iyRFiorzuAocLmxGpVCA7yQdfh3vt/o3+/JvTq2YiQECsWS9V7n7Myoqv6syxzlOFn9qta6EcntywPk2zG3+KHLElIkoxDdWKWTWc0KyusKMLmrCDIJwgfkw86htFQNRWTYjplxlJYUYjNaSPMLwyTbPLKLbrvwd+547aOldpydfjScVp0GjVuwqgx19MsOZmEZokkNEskOCS4zkuX/1fRdI1Ai8zm47vo9WZrJt/xMze1u4Jsm9MrL0vMbC5wqv9/8/U14+trrvzJ4rVfaIjvKcf7+Znx8zOf0l6X6Lperd8GiiITGenv1eZKUnUNhoGBhssr5UAu8xce4J23BtGwYehfRtQVFlbw8Udr2J+SzeiRrQgL80XTdEKCT13DCAqyEoRxHYdDxWxWyMktw9/fQlSUv1d/4FQj48LPbJTdrjIAEuF+4afsZ1HM7uciSRIHcg/w6545WGSLu82m2ujftB8d6nUAgrz2lyTJK9HTha7rBPsEe/0MEhs3nWDJ4hRWrUnjzts61vrMBBc2JmHcL1z+Ti328+IltRb+WX6Pjq5Xyaz06N6AHt0buLfWZmhc7Tfe0I5FC1MoKXW4EzTPpBsuVYB77+5M0wSjJMPZSoB0zYCcmpNiWzEW2Wq0SRI2ZwV21eG131/14dTtxvOz252UlNi5567ONK6sFyRJdVQb/B/wd/7uBX9N9eep19AGYmYjuECpPnCeqTaa67gunePpUincWds5a8J17r59Gv+t4/4JrnWb5pHNeXnAS7Xu908X96sMdUN6dG94ylkFAk+EsRFccOg6ZGYVE+BvcbvRzlQbzYWq6oZ8jyRh+gcqBKqq1Zm8j6fYpifVlQf+8fk1vTLAxFizOz/WagTnGyKpU3AKmqbjcGg4HKpbX8wVeeX67mp3Oo2fXfueK1x9MHKEjDZdr7oPVdXcUvilpXZad/iYDz9e597v76JXOgg8x1VV9b4eVM2YPPup63qdyvvIkoxZMZ/y9W8Ve3NJ8ZjNwtAIakfMbASn4NLt8sRTc8yT04UG1yU1LapLkoTZfGr/AgIszPjhGuLrBbn3+9vXU2SoNhEy9Nm8z1X9WZ6raD2B4FwjjI3gFL77fjtffL0JtczGffdfTGKzcGbP2cfO3ZkkNo1gd0o2D97dldAQX374aQc5BWUcOZjLs0/3ZcjgxL+lMfb/wR1ZZXPy5LML2b8rnWYtYnj5hf6EhfmycdMJnn9lCaVFFfTq2YQ3Xh1AamoBjz39B44KO48/1pNmzcLPeIHeFTGm6/DCy4vZtDaVeo3DefWF/sTFBfH+h2v5Y3EK2FUGDk7ikQd78M23W1m45CDffTWakhI7N98+iycevZhuXeu7w6gFggsB8ZcuAKpyO2b8vIupU7fyxcThTJs2hqFDkti77yRLlx2ie9cG/LnsCB1a12P37myyTpYy7YftPHRvV554rCdvvL2cvLxyZFmuE5eaSxvt+bFLMMlw5z3dKMyv4OnnFwGGUsBFbWP58bureemFvmiaTkxMAB9MGIwsK2zfnul1PsN9WLs2mss19ta4lZzMLOHOe7oR4GPmwUfmAnD9tW25+/ZO3H5HZ6b9sIM1644ycnhzbOVO3vtwDe+9v5r2bWNp1zYGTTv79WoEgvMJMbMRVGKMsCtXpTF8eHOSEyPdb/KKItG1U32SkyLp3DmOjhfV4/DhfBx2lVtuuohOHeNp2qScKVO3cfRoAWFhp+bj/Ou99dBGSzuWT05mMYeOFmIvLmfk6DYA9Ly4AdN+2M7XU7fS8+KG9OnVGItFIT4uiPrxIZjNCk6na6He5fKqOUjAqIEjo+uQmpbHrp0ZZOWXuxWeAX6csZPvvt9KXIMQsnNK0VSd4GAfJn16Oa06fEyzhDCWL7ntrD8bgeB8RBgbgReBgVZWrkzl/nu7uBd7Nc2Y+djtqvu7JBkzAVcE18HDeWSdLKV+/WB3st/ZRJJ0NM1wpdlsKg8/2pPhQ5Pd23Vd5/pr23H9te2Y+esebrx1Jmv+vIP4+kZSosUsExLs47WGsn7jcVasSuWeOzoTEOBdedN1v5IENpvKjTd15K47O7mPzcsr55PPNrBj8/2YTBJtO050z+6mz9jFmCtbk5qaz/oNx+nSOb7OyjAIBOcLwtgIgKoAgPvv7cJDj8yjR/8vURwO7r2vB74+JiPaTDdUoHVdx2ZXCQy08s3UzaxYm0pxsY2xz/QlPNyvUublbPfYkGsxmxVee3kAt935C2+8vQyQePG5vlw2KJF77vuNrbvSiQ7xZeTwFgQGWdm+PZOnnlvIjj1Z/Dp3D/MWH+DtVy8lNjaQ/Pxynnz0N1q3iGbQwGaoqnbKgr4kSbw8th833TaTr6dsBhnuv6cbo0e15KL2sXTq9AH1m0RirzCez3c/bGfa9O3Mm30DK1amccMtPzP1q9F06Rwv1mwEFxTC2AgAkCrDYGNjA/l26miOHS9EVzUiIv3x97MwcGAzzGaZwZclYaosqTzvjxSGXpbMY4/3wNfHTHxcUOVsoI5CeitnBq1bRTP/9xvJyysHICY6AIDnnu1NeYUD1aHRqFEoPj4mEhPDmfjhUHx8TagODR2IiPCjsLCCsjIH3S5OoFnTMHT9VBUB188NG4bw68zryD5ZCkBkhD8+PiYmfXY5J04U4h9gJcDfgo+PiUYNQxg+JJnAQCtDBifS8aJ6BAZaK912wtAILhyEsRF4oes6VotC0yZhXu0ud5m1Sj2foiIbJpNMs4TwymPPjfiiruuEh/kRHubn1R4fF1RtP0P7LaHavQFs33GMr6Zu4e03LiUhIfy0bi5NN9ZigqvpoPn4mEhI8NYqCw31dfdRkiSiKw0hnC9ClQJB3SCMjcAL16zElQDpGnA9w4Ndnzt3iqdBvKGeW5NCcl322TOCzDWIe64dSZJn+6n79urZiF49G7nbT3cvcq3Xcz0bcOmGudqrnp0wMoILE2FsBDViqP96/1z9c6uWUbRqGXXK9nNBTZevrU81NWuajlPVMCne2mi1GdKar1fzNb2fY839PxN0Xa+cccnufB9N0yrPK3m8GBjtnm2e7dVlclxqEJ7rR0ZYuWFRXdcTCP4/CKexoEYcDpWCworKgQjy88tPyZ2p0sQ6/9A0nfz88jOWopFlCYtZqdGonOmMLSu7hAMHcsjJLUP/l/OMXLMjxUuHzTAQSqWBdBkNI1z9VEFRV7unoXHNXqsHKhhqCHK16wkE/xxhbAReqKoR2jxr9h7iGo8jLa0Au0NlzPUzyMsrw25XcTgMA1PTIHWucDi0yr6p6LpOXl451984k+Jim1efAZyq975gvMk7nRp2h4rdrqJqxiwiK7uEbdsyKCt3eO3vicvlOHPmHq688juuuvYnCgqMYAWXQbbbVezV9OPc7fbT68q5C7MVVLBk2WGKiircxmfeHylMmbKZlAM57hmLqurM+nUPKQdzvc5TVuZg3oIUsrNL3f2WJEg5mMvSZYfdib3FxTZmz9nL1G+3MG9Byj/8jQgE3pwfI4XgvEFRZCwWhaGDk/jy08uJjPRHdRqliYODfbBYDMHF8w2zWa7sm+JewzGbjSqjnn3WdUPXzHNfMN7kTSYZi1nBYlFQKjXN0tIKeenlpfj5mr3298S4ns6993Tmx5+uJyLUD5ftcLmnLBbFa+bkShK1WIzr1TZ7crnxnE6NBx76jZFXfs/OnVlIEkx4bzVvvL2cNWtSefm1P0lLK+REejEvvLiYZ55dxEcfrwVwG7IFCw/ywMNz+XzSRve5y8sdTPx0A7ffNZvde7IBKC11sHFzOitXpfHq68uY+On6yvOcn7NYwf8GYs1GAFRJsfw+dz8ffbYOsyLR4aJ4Bl7ixMfHgkmR+HzSRmbP2saAgS156vGe59y94gpUcDhUnh27mJ1bTxAc4c9br15KRIQ/kgQfTlzLnF+2MWRYOx5+sCuSJPHRJ+v4ddYOgqOCeP3F/iQnRfLL7L0cSc3jz5VHqCiy8dobA8nIKOa115aSXVBBn0snExnpz/g3B9GwQUiNemqqqpGVVWK4syrbFEXmu++38c1XG/EJ9uXV5/vRvn09JAmmTN3Ktz9tB5uThx7pybAhSWi6juxxXleuzzsTVmE2m7isfzMURaagoILvf9zB/N9vJCrSn/ZdPuHrbzfz4H3dGDI4iUYNQjl6vACoWifatOk4418fyPyFBygtc+DvZyY1tYDIMF/uv7srq1cfpW2bGGJiAnj95f4AfP75RjZsOg4Yyb0iWlvwTxF/OgKgal2ia5d4xr0xkDtu68Qf8w6Qm1eOr6+JAwdzycosYfz44fwyew/z5u8HvCO76hqXNtrPM/dwNK2A557ry4fvDiEuLghJgn37T1JW6uC11wbz2ZcbOH68iE8+28Dq1WlMmDCUvj0b8/Bj89F1nR07Mpk5azdvvHIJAwcmsXTpIS7u3pC77+pKi2YRvPbSAF56rh/RlWWca5rhKIpclQRa+WCmfreNn2bsYsKEoVwzujUPPz6P8nIn077fzk/TdzLhrUFMmDCE7l3rn3JeTTMMzdZtGaSlFvDhe0MwmxSiowM4eqyApk3CyM8v54qrfiAi1I/ck+UEBFjp0b0BeQXlHqUNJA4fziMwyIcRlzenUaNQ1q8/jq7Djp1ZtGkTw403tOPgwTwKCw0X3ZeTN9O69QRm/baHl1/s574/geCfIspCX8B4lm11DXIREf5ERPgTEx1IfFwQiizhcGg0bBDMA/d3IyrKn769GrNvXw5DBieds75DlYFsnhzJ1B/s/DB9F1eMbEGvixvhcGg0TQjnsUd6YDYrNG4YQmZmMRs3Hufaa9rQtm09GjQMZdfOTE6cKCY01IdbbupA65bRtG4ZjaaDLEHz5pFEhPvTqUMcVh8TpysmbNTU0dBUrXKtRmfVyjRGDmtB27axtGgexdo1Rzl6NJ+Vq9K4bkw72raO8TqHy9QYC/cyJSV2nnluIUnJEfyx5AC79mczY9YuEptGUFhcwUOPzOXWmzsQ4G9l5i970DWNigqjZo7q1LHbVSwWhe9/3MmK5Ydo2iyM3bsycDhV+vVpzEefrKN713gqHE5WrEnl2PEiWjS3cu2YNlw7pg2Llx7iljtnM3f29ZjNyv9s6PZflSwW/HNqep5aDW3iVUXghbHYrVNSYnO/Ges6mC0moirf6nfsyiI+Puh0p6kTXMamXbsY5v96Ay++0I+HHpnLpMmbCAqygmQEDpSW2tE0ncBAK/4BFvbsPQlAfl45KQdyCQ62oqpVBeE0DffMRFM1ysocWKwuj3PtI63JJFOvXiAB/haiogJQFInQMF927zPWQsrKHezak01wsC+yLLNx8/HT3J1x/bIyB1261MdmV5nz+z6KSmwsW5lKQICVtOOF3HZLR666sjU/zthFUlIEVqsJHx8T4aF+BIf4uJNxd+3OIjDAwsKlh1CdKvn55axYkYrN7qSw2MaCRQcIi/Bl0+Z0ZFnCz8+Mn5+ZRg1Dsds8gynEEC34Z4g1G4EXrsVkI8/GtdAusf9ADv0Hf4OzzE5Si2iGDEk652+5qqqjKBKzZu1h4qQNBPoqNEuOpHWraMrKHJSXOwEjCbOwyIYkSTz6cA9uv2c2fy7Zj0NSuOnGDgQGWikqtuHjY/JwYxmL/u3b1yMg0EKPHp/QKDGSt165hAbV1mxckWGvvr6MX3/by5FjBfTpP4mHHujB/fd14Z4Hf2PgwEnYULhqdCtiYgJ4+MFu3HPfHAYOnwo2Bw8+1JPLBjVD1TzXbHSiovx5eWw/9z2PvOJ73nr9EpKSI3lt7AD+j72zjpPaeP/4e5Ls7rlxxmF3uBf3QoVSR0rd3d2durffulL9taW0tNShpUIp7l4cDk4499vb3STz+yObvT3uoNACtbxfL7jdbHbyZJKdyTzzPJ954+3FvP7aXGKbxXDuOb3Izi7n6hu+4bf1hXhr/GzYUsygvi0J+AwmTz4z5OY745xPuOLar7jq8gFcecVAAJYuzeeWO6aT2SaeR5+aBUgiXC6eeuxooqPde73uj4NDU4id/r/S6+7wV6LrAVIiXQwdPITPP/mYFi1bhj7Ly6/iwoum8vKLJ9C2bRJbt5VRUupFSEn37ml4PH/9c4rd2RUUVLMjtwJDN2nWLJr27ZIwDElRUQ1padZobOfOapKSIvF4NAoKq9meXUZcfCSdOiYjJVRUeFFVhdhYT6PjlJV72bqlFFVT6dQxmYiIps990+ZSqqt8REa7qK700bJlPGlpMZSWedm8qZjIaA/du6aG9i8t9bJ5aymYkjaZiaSmRDdZrmHUC6CWlnqJiXUTFelGVQWr1hRQV+unU6dU4uI8eL0B1v5WhCdCQwS/m5ISjdulEh8XYQUgKIKi4hpqawNk+mWziwAAf9JJREFUNI8NzcXohklJSS3RUW7LLiC5WRRZmYl/5jL9xUgys9oy7oyz6di5M207dKRth47EJ8T/pfON/yZMaRLrVliSs5rDHu3BxEumcE6v8RT5dDSl/rfy17cYDn8L7B/e0mV5bNtayrQfNpOeEUPbtkmYpiQrM7FBo/NXj2qg/vhpaTENNMessGJBenr9tubNYwFr5JaWGkNaakxwX+tpPSGh6TV4pITEhEgS+7T4XXvat2usuWaakqTESJL6twqVZy9XkJQUSVJSfbmzft1GcXENItj4S9MkJtbDoUMyiYzUGpyHbXuPbmkN3kdGuujbJ+N3bW2eHttomxuVqJbWEgzhdjnLITjsD5zOxgGwdcRg2Yp8fv5hA82ax3NHmPvGTlyE3cuy/FWE2wYN9d3CX4M1z7PruYR/vut5WbIwe3fuje3Y3fHELtstO2fNzmbdbwUowXkWM2CQnhFHv94tiIzUQuvphNtZ7/asz/fZ9Yl91++E2xp+PuEJq+H2Oh2Nw/7A6WwcUBSFiAjLfXTR+X256Py+u3xeL2b5d2RXHbfw7bt7vev+e+o8d1f+vtix5+3Wh3ffMWKP5TeWn2n6PP6orQ3r6PfL+Gcg9nhtHQ4eTmfzH0cANdXV7NiejWHoBHQTaUoURcXt0dBUFYQ4wOtu/nuQQqArCqppouzjpEBAN5CmQJMahtAxscQ0XZr6L2r8DzYSv8/ndDh/A5zO5j+MQKBLOKRvPy69+loURcE0TUzDwOfzUVdXh6/Oix7QnYDX30EAUoBmGCTU1FIRFYlfc6FIuZd1J1FQ0EWAUlcJcXoCEWYEJiYHeontfyu2WzEiMgJVU/dalNXhwOB0Nv9hVE2jQoeJb00MJVwJoBbYsnUHm9atY+vmTVRWVPyFVv4zEFIScGmklpRw1C+/8vPQweSmp+P2B5B78VQtkXjwkC9yeU19hpHGCRwi+1JDNYqTDvensOadVNxuD6qmOSuk/kU4nc1/HAGU1e2iZiwlpmHidrtJTkklPj7Bebj+HYSU6G4XcRGRyLhYUjJaoLVqheb372VnYxKhRCK9JmyEZm2akZmQRaVegSLUg3AG/25cLjdJycnEJyQSGRXlhD3/BTidjQOq2rAxEwKaZ2SgqioJSUnouv4XWfYPQkpMj4fIqBgSE+Jpk9WW5A4dULzevVKvNKVJtCsGs1TCWkhrnkHHrG6U+UpQhfMz/bOoqkpcXDwp6elomup0Nn8Bzl3s0AgpQXO7aN6iBYlJSY60/N4gJTLCg6aqxMbF0yozk0D7Doh96GxiPNFU5VWCH1LT02nfsS3FtUkNEuMc/hhCCCIiI1FUxelo/iKcu9ihaYISLFHRUX+1Jf8MTIl0C9ToGFwuD9HR0ehRLoSmWYqev/t1SaxLEB0dDSZEREQSFwl1aiya4rjR9geOtNtfi9PZOOwR5ylwL5ESGdRTA0taRga3I/dizqbB9wl9v6kkTQeHfyJOWIaDg4ODwwHH6WwcHBwcHA44Tmfj4ODg4HDAceZsHPaOkGrjX23I35R6tcv9IiwmsCSC9lbrzMHhryJ0r/5O4+AsC+2wd7hE/VqvDk0SCnbSdaS5tzI1Db9rhtSp1eD3nZ7G4e9OUKhXURBCYEqzyaWinZGNw56RElwCZfM2Il95BRkdBU7eTWOstbNRCgoQNTXImKh9DuULxrFBFFz+8RlcPUWzotOc/sbh74y0FcMFUpNhD0oNcTobhz0TdJ1FTpyIqK4mMHQwos6/V7kj/zkUBSMzE73/AIw2LRE+c68SOsFyQdTpkNWsPRNOeJqVuUvxaB4nodbhH4EQgoARoHWzTAZnDqfaAHUXmSWR7ywL7fB7aBD1wCPoXbtQd8o450H7dxAAfv7QiEQAcS7wYI10nLp2+Cdg36s6UKGD3sSA3BnZOOwejfo7RoCoq7MmAv0mCAUM4y807m+MJTP8h74qgRKfjpTOiMbhn4hAU7UmgwWczsahMVIiXQLXvMVEfPQRMi4W7dfZaAnLUDdsRPh8eK+5BrNFOjj9zX7H0UJz+Dfi3NUOTSJMcP/0M9Ev/A8ZmRqUXjGJmDYTAj78I0ditEpH6PLftIawg4PDAcJJ6nRojGkiVfAfcxRGemukywUuDTwepNuN3rcn+tChCInT0Tg4OOwVTmfj0BhVRfhN9B5d8J1wAqKyFFQVFAVRU0ntFZdiRmgQcOYVHBwc9g6ns3FoGt1AejwEBg9ExsRaOSO6idEinUD//qAqToKng4PDXuN0Ng5No2kI3aRu9PHoPXsgvF5EVTm+8Sehd+oYjEhzXGgODg57RyhAQDrpNg674jMwkxPxD+iDumQ5MjYK/9BBmB4FpSYALpez4I1DA4TzAOKwG0SeX0pVAbfqDHMcmkbZWUxMjwHQtw+V06Y4mYYOTWIAft15/nBoGk0FvLV1bM3Pp6bGi2GET/r+/l3jcql77U2xs0ylBF1KVCFQRP12Q4K56yHlHuyQoKmOKu6BRrpVkmrKCQRqqdywDqXab0WnOTgAwV81MTExNG/RElVRnOk8h0YIQ0r5+Asv8fLjjzFoUA8iIhQUEZY2HkTar20ZAgH+gElBYfVeP8lYt6S1c7MoN5V1OgHDRAiBBGJUiNTAFMH806Aul6QpaXtrW3mtjuEERR1YpASPxxLgDAScuRqHBkjTRFVVFi1exDdzF9Gze2dq/dJxqTk0QFOAkuIy7rrzZnr1v4YZ361BjXJbczjS0pQXmAgkQpFIIZFIDBMyUqK56NyOf+jA0/N0jslo+HS8EVhbAy4dpA5CxxLbMev/iaDMvQBMHY7r/CfO3sHBYb8xZsxoKisqUH9/V4f/IMHWXuD313DnA79wRH+TpIQETNNEBschAQR+HQLVEqVO4vFJIiN0brl+Kkccdh0t0mNDa2vtHglCo87v5fEZy2iV2pxXtmuc0CmZlGg3CvDMap15LpMkI0BdmR+90k+gIkCg0o9RFSBQ5Uev0glUBaDExOeGeS/2pk0zz14c38HB4UAQCARwuVx4vV6UP6gJ5/DvR4PgnIkQpKZFc9vVabiSVuFF5TegihZAV0y/hrECmpdDZx3U1DqmfrsMoblxu92/09ibSBSErCZ38RUszT+Tvu2jmbutmLjeLfG4NQSQoBj0T9CoW6TgrTTQq1XQdTRDoS6gogs3apyKluxGV6DAb+KJ2JvjOzg4HEjcbrfV0dhudmfSxmEXgiMb684wDMjPzicjMIc1zdz8bJiUiG4IkYJcl4b5q06nQoFbSrLid1BbXIXQ6lt4XZeYZkNtaYGJpmkIswLzt4tp3bw9hy9YwftTd/L81acR71bxGRKPKvB5dW6JiaLlUSoRMVGhJVN2lkJ6kvW6DsgtgXbN4IFJmykpCdA60XMQqsrBwWFPCARlpaXUBHSkVFAU4USmOYRoOGkiTFTTi2ZspVaLJBeDQiUFRerodQqBPEF8DuhCRVMrkDXeBotoaZq1WltDFKAcY83FiJQeBDY341bXTLjrRVCiABkKSFB0g6pqk1nr4JijVN74SNL5EJP1G+rokBXN5PdNLrpGMm9hLd0yY/lqusG5Iw9k9Tg4OOwtiqqwPXsbmzdtIyY2luSUVIQdburwn6dhZyMBfy34tlNJDDvwU0ArFHz4qqF2B6RuA7+mgL+EQE29j1YIePx/ucz8tRhPjATq8AUgPaGcx057idTO/anbkMB7tz/DJ0lX4Vr+A1HCy1tPn0NsTIRVRsDE7zPZkhcAomiZDrdMCJCXn8cRQ9ozIEtyw20+tm7L49SjO9IuC7x1B7W+HBwcdoMiFHZs3cr2bVtJTE4mIiqKmJjYv9osh78JYZ2NAExkVREysYxKabBTeimThaimj6oqSWmeSVaJwOcCWVVKwOdFhE0IfjatkFuubklKqkKNX8UlKmiWfw8JWUOo/i2WLZ9/QY9nviPWG02LGD8X3/kOuTtL6NqhhWWBbuDzG2wvrqW4NIpjDxNExAvufVvlpccF0aj0ODaKO5/28Midgoc/lE5n4+DwN0EIQV5uDiVFRbg9Hrw1tcRExziTqQ7ALiMbIQ3KC/KpMevId2t46/zUKeUoZOPLc+OvCVBZBzmmm0jfDmqkDyXMbdYsCdp18nDdyxtw6ZU8ctgT9Dn2cOpWxPDV4+/wcMX11K7aRuHmfJ575hh6H5JCIBC2+pZuUlNrIj3VrFifzI8LDR65zs3nSjx5M4oo9QWIiQpw35g6zPISautcqIozRndw+FsgwO/zYRgG0gjmKDg4BNklDdxgZ34B1VV15BuCWl8Ar1KOwlb8OQamN0C1D7YZbny+7Xilv0FMvWn6qK72sS3XxRU9pjDwiIF4l8Xw+SNv82DZDRTJZkSWl1Jb5qW83ItP99LghtRNIjwG706pIkGH1z+E/FV1XP7pMySM2Izi1amODLB8RQ7lp11FwuAx6H79YNSTg4ODg8OfINTZCARIk+zcAordPvLqoNavUycqUORW/Lm1mF6dah9k6y4q/Ln4zMgwtQEQwoc34CYrLpujm62h5qsYPvnMy1MV11GqJBNZV4UpBYppBuOtA8EsTQtfrUFKosbTt7RhRxF4NJOUdm6iLunCunnL8CoKtaaPjWY1qS5/cPGug1ldDg4ODg5/hPqRjRAgDTbmFJNveskvk3gNkzpRhcJ29NxKzFqDGj9sVzQK9Z341FYN2noTH6Zws2TBAu5YkIs7/ixml2RRK2LQvIX4/BJVGpg1lVRW1iHVAOEjG6GbJEZ6OOt4jak/wYQbXVx6MtRxNrGrRxPQTAKmTjfhY2D7BO75v0JULfng1ZaDg4ODwx+i4ZyNYpJdupNy6aesyo/ht3XLBEpZJG5d4hewQ6q41GzQMlBkfYCAUA3atBCcd86ZeGtOx8DDiQEfwu/H75eYfsuPW55TwaAB7VjzrUBQP7KprdWZs66c1kluEhIFrVpJ5v8GQhW4E10IE4SIwBWIZUm2zrrtlWhKykGrLAcHBweHP0aYGw2KC6v5eWYUnpj+1FVXYqVQ2rMyXsCgEEkhEnCBvw5D92EYVlJlQWE5jz7xE126xlIXbWDiRwodEwNT0QEDU+i07BNg1tp3+PqHn3nkkrOtCUUpOaF3HJ/MKUaREiEl0pCWRptp/wWQCGFpQrbPiCAj2YWuW0EGTtCLg8PBxzCM0G/YwWF3aGA10gFd8L8nRrHm3F64IiJQgvL/lpvLRAgJQRFOiUSa4HEFSEmOChX25v+OY8nSHALCIF5YnYuw1TSFEfynIxTr9aTH7qVTVlbo+6P7JzO6v+MWc3D4JxEZGQmAy+WizulwHHaDpgNpaak88eD9TPvuG1TFCLrOZHA6pfFyAzZSCh6YUIsZvMHiYt3ERHvq95e2ooBocltA13n8jlstiRvAMK2l7S1p8vCbdpf3lpgbumGiKs5wxsHhr0RKiaIobNy4kWPHnoRhOBGiDo3RNKCkpJQLzj+XG2++Fb/Pj+Zyhe2y+4XLhABNqw9+NgwZ6nj2+N2wz13aLiIG+/Bg5LjNHBz+evx+P263mzPOOJ3KyipU1VlYz6ExluqzaRIVFUWzpESkdBY9cnBw2HtM00RRFNxuN7rjRnPYDaFQMtO0osJ03RkC/1OQSExphv45E7QOfwV2m+Hcfw574j+90tGf+W1ICbXeAGVlXnw+Y4/76vq+rVstJRhha11LJLrZ+CFAIFCEEvq364hUhrkxpZRU+aqo9lVjyN+3x+83KCvzUlsbcGTiHRwc/jSNOhvDkAQCJn6/QUC3/tpPLIGAYW0P6pmZprVv/XfNBo3kwcQwLFv9fiMUcAD1NvsD1nmYpkTXTW64dRrDj3gj1BHsbYNqGNaO8+btoN+gVxl13NtM/25jsIywugsYSAl1dTpnnv0JO3dW4/frofqy6862zy4XrLkoVa2/NDmVOVzw6QXUGT78up+AGQCgTq9j1c5VzN42m5lbZrK+eD1SSgzT4P+Wf0DnZ7qQW5kLQHldGbdOv40e/+vBY7Meb3BOATOA3/ATMAKhObeZs7Zy9LFv07Pvi8yZkx2y2cHBweGP0GgmLyLC3eSOhiFxueqDASSgKAIlLBosvIE8mEgpUVUFtYnFz8NtDu6NpimcfmpPunVOaWD/vlBe4eX4Yzrx5OOjgjZY/1yuhnUgJXi9AeJiPbjdWsjeXevO3lcIqKr2s2RJLiOGZ1k5RdLEG/ASoTZcJG5R7kKu/fIGshKy8JsBjul0FJ2SO6EKlaPaj6TMW0pcRBwAsZ44XhnzMs+mPEthTXHYMSUuxdXIjlEj2zNqZHtuunk6FVW+P1RHDg4ODjYNkjoBfvppEytXF5GbV0FWmyTWbynmxquH0KZNAg8/PouVS7fTsWtzHrj3SOYv2MHCxTlce/VgAH78aQslJbWcekr3gxZoYB/n+x828c5bi/DEerj9puF06piMaUgefuIX1qzIIyktlttvGk7r1vE8/+J81q3N5ahjumKaVsO/r6YqikDXrRGMpimhbc88N5fFC7bRpn0K99x+GG63SoRH49Mv1vL1FysYcURnrrxsAGvWFvLrr9vIzq0ge3Mp1103jIEDrKUWCotqeOjhXzhsRFboHD2uCN5b9n98u/obxvcezyndT8Gn+zm553juGnFnA9s+W/sZ36ydxrDMYZbmXbAMU5rU6XUoIkz1QQie+vVpluYsoWt6d24ZfhMe1YNuGAgEAd1ooH/n4ODg8EcItTq2g2TS5JX8NHMLW7eWMXnKKooLali4MIdHHp/F1i2lnHtuX7ZvL+ee+34gLT2Wt95ZyuYtpQC8+toiXG57JHHgGyjLrSNYtCiX995bxujRXenbuwVXXfs1NTUBpn65lrVrCjnrrN5ccE4fkpIiMQyTQ4e1wePx8MbExeiBhm40XTf32l0khEBVleCIRPDKawvZnl3O6DHdqK32c+sd36GqCtt2lDF/3nbOOacfE99czK9zstm5s5obb51O104p9O/fktvv+o7SEmuOpLY6QGJiBBWVdXi9OhFqJMvylpNXlc+J3U7kwZ8fpryunISIBD5d9SnDXhnOoJeH8PKCVwDomdaTnhk9eHXxq5TWWtdGIkNzO+Eh6c/NfZ4SbzFjuo6lsKaAe3+YAICqKKhq43kgBwcHhz9Co5FNTLSbAf1bU1ZRh4IgOTmK39YVsWZtEffecxjduqaS0SKRNyYuokVGLEcd2Z7Zc7ZT5w1gmibHHt3BKu8gtFFCWP/WbSjm19nbKKrwUlNRh+bWMAyTFhlxbMupYO78HC65qC/RUW5MadK7V3MKCjpTPnkl/oCB26OGGlV7lLJPdgTXWl+2PI9F87ezbksJxTkVDDu8Lb46nbSUWG68fgjt2jVjztxcVq8qoG3bJM49qxfnnNULr1dnztwdzPp1K5OnrmH18jwKK3wcOfJNhg5pxxW3daBLWkduG34LEpi49E0MaVCn1zEkczA3D70ZjxZBtDsKKSXtm7VnTNfRzNkxB8M0MEwDiSRgBELv/YYfVVFZkbecVTvXsL5wE9vLszm20zH2We2/C+Xg4PCfx8qzCdtgP6n7fDrRUS6qa/zEx0eiGwYlJbUAFBZVU1buRVEE48Z2YerUtRTsrOKYYzoSEaGF5h4OPNZBKit9HHZYW959a3yDTwcNbMW8mZewfmMJRx//LnfcOpwLL+gLQFSURkyMm7g4ax5ESqipDfDjz5vp2yuDFi3i9soCKUFIiWlCRaWfG28ezjln9Qp97vXqREe7adeuGQCbt5bSt28Ghi5JSY4GoKSklvyCavr0zWDs2K7k5VVx863T+fD9UwDYXrGdCCXS0q+rKcGluqwRioRYdyyt4luhKmrQHutqxrhj8GhuMpMyLVeaCaqikhydjKa6cKvW3FyFv4K7R97FmM6jG5yTg8Mfwb51zF3eOzg0ChCorKyjpjZAdbUfJNRUB2jdOoFLLurHzXd+R4fWsZRW61x6YX80TaF79zRefWMRM2dnM2XSqQAHbb4GJFLCySd15cefNzN69LtEJ0TSu2dzbr35UL76ej0ffLyS2EiV7j3SSUuLQUrJgw/P5NvpG9i6o5yi8lquuXwQQ4e0xufVufDSqYw7sQtvvDo2NJ+z26NL2waBqgquv2YwN906jW+nrQcB557Vm1FHtWf12gJOPmMSBAwMoTDqqPYsWpzLx5+tZktOGdu2lTN2bBdat0rANCVV1X6KimsIBExUVaCbOiXekmAos6CktgRTmvgNP+V15fh0H1HuKAxpoAqVN5e8yRdrvmJJ3lJOeu9kLhpwAQNbD+SJX55kxsYf8Bt+tpft4Pqh13LTsJu4dfrtfLpyKkJIzu93HodnHY5hGCiK4nQ8Dg4O+4VGnc0ttxxKbEykNTGsWIs+q5pCWmo08QkR7MyrIKtdMr16pgMQF+vhgQlHUlFZR5s2iQB/OMJrXxHCcl+lpcXw2kujmTs3GxNIT48FoFOnZE47uTtGwKBlq3gGDWgFEkaMyKJfvxZERGpUVPho3Soe05REx7jo1SOdtpmJwfL3fPyICC0UgSclDB7UitdfGcPGjSUgoGPHZFRV4b23x7MjtwIMk6HDMomL8+D16nTqmMzJY7sRG+tm5OHtQlFqbVrH88JzJ4Qi21rEtuC5459DoJAYGc+7J79LvCeefi370TapLRGuCIDQxH+fjD6kRzcnPiKe0tpSOiZ3ItYdy6gOozimwzEIIfAbfhIjE2mX1I6XTnyRbWXbQEDbxLZICWowtC8yQnM8ag4ODn+aRp1Nh/bJNNW6GKZk8MBWQCvrvSFRVauxz2yTAHAQ3Wf1CGGNpFJSohkzpmuDzzp2aEbHDs1C7237Rhya2aickpJaLr/2K9p3SOb224YHy979yZiGZMPGYhYs3EHbrCSSk6MxDJPu3dLo3i2twb59+2TQt09GAzuqq320aZXAuNFdrG1hx4uI0OjcqV792qN56JTcCQBN0eie1g2AOE8ccZ56d58deda7eW96N+/dyOaj2o9stM0wDQ5p3pNDmvdsYF9JiZfNW0pYt6GYQ5uoLwcHB4d9oVFn4/cHcLlcjXZUFYEZXFfGisKyGjZrbRnL13KwRjS7Yo1wrHkT2yZFaXobEDyP+u8rCjRrFsUnH5y2F8ey/rZv1wxPhMqE+3/k+muHcszRHVBCdVRfrhCi0fFUVZCVlUhNjR8juGaPuktgwq4uPFOaoZGL/VpifTc8lNn+PFw9QMGKKgvfLhDWdVTUXbYrKEKwas1OHntsJrEJkbRvt3cjPQcHB4fd0aizEULs9oneavwaf/ZXdTLhWB3g72+D3dtrSmtZhT2dj/1Zx07N+PC9Uxodr6mqa6q8gQNaMnBAS/ubv/sdEbaPfX3sDqPRd0XTEXX7sv2w4VkcNjyrwbaGS0/seeQHu2hliYbn0OT+yN/dZ1+++0fL211Z8Pvn4ODg0DRNaoEbhqXi+l97klWE2Kf5iUDAwB8w8bjVfQ6ZtkeJTakuSCw3nT16hIYN+8Fo8GxZH7BUEezRo/idOtJNHYE1YtrXIJE/c15NffePlrc/y7Kx9e5UdfcPcw4O/2bCVJ+tJ7eK8jouufwLOnZ8nMef/LXBzrvqfoGVBGlrkv1VumjQtDaaacrQNlvPTUoZ0kkDCOj7pudma5gtXJBDv8GvMvzw1/n6m/Whsu36sOvI59M59/xPKSioDm4PE9iU9dptRlgiqYAGHY1X95JbmYff8CORlNSWUBuoxZQmhhnUqZMmuqlbNpg6ASOAbur4dT+GabAwZxHXf3M9uqlTp9ehy3phz4Cph7TR7Cd4iYmiSVANAsFyhRBU+2tYnrecjcUbQ8cNGAFyK3MZ9fbR9Hl+ALd+dxu1ei3Z5dms3LmKNQVr8BuB4LECmNJOpLVsNaSBT/dRWF1Irb8Wv+EP7WPnBIVvAwgYgQY2V/oqqdPrQp/X6XWUecsa1Iff8IfqyJAGX637hkOe7822Ckv7TTd1qv3VFNUU4dN9Qa04q15LaksorysPlRG6l4K26btch9DxDGv7jh0VHHfS/9GlyzM88+wc63j7KNDq4PBPJtTZ2G6b6Bg3b70xjgsuGkxZaW1oR9OUuFwKbreKy6WGRj2aZm1zu9Vgjs7Bj5U1TWuEYNuhBJMsFUWEtrlcaijT3+1SQ3MpLk35Q5puxaW1HD68LUsWXMXYMV1C2mh2fdh1ZJpW8EFMjCe4XQnNx2iagssVrLugzQC1tQEWL8kNdZqztv5Kp6c788maKQgEV351FZ+tmYoilFB+jSIUNEVDCIGmaLhUF5qi4dbcqIqKz/BRXleOpmhEaBFowhrUmtLEpWi4VTcu1RV6glcV1fq+6satuhBCUFxbzEWfXczN39zMpVOv4IX5L6EIBZfqYu6OuXRN68rK65fy9LFPsbNqJ0e8eRS3T7uDi6Zcwh3f3YHf8ONSXCG3nW2rKlQ8mofLv7qSYm8JbtVtzUlJiaqoQRvcDdx9rmCukG3zo788yjvL3rU6YGkwb/s8bvnu5gb14VbdaIqGRKIKlQGt+jOu21hi3TFIJJqisaFkPTdOvwmP5gnlM2mKxlNznmbq2qmhMmz7bdu04NyXvX/oeEE/buvW8Xz/5Xncfc+RFBfXBr+/z7edg8M/libdaHbUVngjrCiC51+az+oVOXToks6N1wxB1RTefmcpcxfuQBgmp57Wk5FHtDtoxlu2Wg33rNnbeP+9JbhjPNx49RDatk1i/vwd/N/kFQRq/HTr2Zzrrh7Mxk0lvPfhcq67chDJydG88dYSUppFBTuMvc8PsoU0LdeIJQGjKIJX31jE0kXZtGmXwi03DEPTBNFRbqZ/v5Hp365hxOEdOfvMQ9iwsYQli3PZmlNOzrYyrrh8ED16WFFsuXmV3H7HDL6bdi4gcCsaWcmZZJdnU+OvIcYdTXxEHItzF1MbqGV45nCW5S8npyKHPi16szRvKcvzVpCVlMX20u0MzRyCxxWBR/Pw7pL3mLt1DhcMuoBBLQehCIWX57/C8txldEnrxjVDrkJTNH7c/CNFNUX8unUOiZGJ3Dz8Rl5Z+CrN45oz+fRJ5FXlc96U8+iS2omF2Yv48rev8GgeLvnsUq4cfAVxEXEc3nY4E8dNpE73MuTVYRTUFDBj4wwGtxlMl+Qu5FfvZNqGabRNzOLr375lbf5a7px+N3GeGM7rdx4DWw5g9rbZvLf0/4jzxHH1kKvITMwE4MV5L7EqfzXJMc24dui1tElow87q/FCHJJFEu2LIr8pnaf4y1uxcw+biTRzZYSSn9jiF7zd9z7R13zGw1UDcihspJdM3fser818juzybSz+7nLSYNM7tdzbT1k1n+rrvWB6zgnnbFjA0cwjn9TmXMm85D//0MFW+asZ0G81xnY5lQ8lGluYuIac8lx0VOVw04EJ6pvXAMINBHfKvE6x1cPgrafKub6q9feXVReTsqGDYsCy2bC7j/od+BqBbt1SGD2vDgP4tefyJWWzaVAIcnCx0Wxtt2bJ83n5nKcOGZdKubTNuvHUahYU1tGgRx9DBrRk2LJOZs7bx9jtLiI+LYOXKAp7832wWLMxh0ocradUqPlSmYezbImT2CEkIwdvvLmP9+mKGDcuioKCau+/9AU1T2bajjO++38ihh2bx5DPWcbdvr+DCy6YSH+shNSWGG2+dRkWFz2qMFIXk5KhQHdYEvPRI60GkGsHKwlVEu2PwaB7mbp/Lj5t/BGDBjgVMXjWZ7RXbuXfGvRTVFPPIL4+yruQ3vt80A02o/LzlFyr9lXRO68It026jNlDLxMVvsr1iO8Myh7G1fAsPzXwYgDcWv8GHKycxtM0Q1hX/xuRVk9lUsomxXUbjN/wkRMTTOaUTvxWto1dGLzKTMkmJSWZ41nCSo5KJ0CKYnT2XoyYezaGvHs5lAy8jPTqdOdvnMHnlZAB+2vwTU1ZPoXlsc3qm9yAhMp4e6d0YmjmUtOhUlu9czrvL3mVY5jCymmVx47SbqA3U8vW6r1mQs4DD2o5geOZwolxRxHhiSI1OZcamGXyyegqxnlhaJbSmxFvCzdNuxqO56ZPRhw9XfsiOyhxaxLUgLSaVx399nPxgJ9UqviXd0ruSEJXAwFYD6NeyL7HuWLqldaN5XHNaJbTi0KxhdEzuiC517vvpPrKaZTEscyivLnyVudvnsqNiB5d9cTmxEbEoQnDPjHuCd4p0RjIO/2kajWzseQTDMNENSSBgoKoKc+Zn89vKPFZvLCJ3UzEjjrQ00IqKa5j4+kJik6NYs76I2trAQTPe1kZbu66IH37YSEFpLVVltfh0q5VWNYXJn6ymxusnZ1MJ/ftmkJoazWcfnc74Mz5izMkfsHT+FWRkxIVcW+FzJXttR9AFNn/BdubP2cb6rSXkbyml/5A2+Op0miVFc+N1Q+jcOYXVa0tYuiyPdm2bceZpPbnq8oHU1RmcefZkZs7cwqQpq1i9PJ+iyjoGDH6JQ4d2ZNA5XuIjY+mT0YeFOxZRXleOoqjEuGNDcwPJUck0i0xCExpdUrtyxiGnUVZXwvl9z2fO9jlUB2rok9GbqwdfhUAwO2c2S/KWsixvGfO2zWNz8RY2lmxkZPsjAciIy2BU+6M5psPRnNnrDHIqc5i17dfQk4gdep3gSeC4TseysWwjFd5yzul9NgAbSjbQMbkDj4x8hApfBU/Pfpqj2o3k0v6X8sK8Fyn1lrKxZANXD7qKTsmdaJvUlm83TePkHuNpl2SNjj9aNZmfNv5MWU0FZd4y/KY1PxIfGc/W0my2lG/m2M7HEuuOoXlMcxblLEZK2FSyiRJvCZGuSEzTYETmcK4ZfA2KUDi7z9loikaruJakx6SxtGBpaO6re1p3xnYbQ0HNTi7qfyFgBWukx6Tz87afaZfYLnR+OZW5/LL5FzYVbsatuVlfuDE0x3PGIWdw2YBLWV2wmlun3xa8V53RjMN/m0adjT2PkJoSQ4S7LrQeTGWFj7vvPYpxY7uE9i0oqGHC/T8x84eLcWmC4SPfPHiWA3ZYVGmplyOObM+7bzbURjv59I84dVw3zjrzEC68ZGooZLewqIZmCZG0y0xiy9ZyMjKsxEivV2fh4hy6dUklOTlqrywI10YrL6/jpltGcO7ZvUKfe70BEuI9dO6cAkBefhV9emcQCFhCoQDlZV6KS71075HGR2O6sGVLGXfePYMP3z8ZRVH4ev03VPlqGNpmKB+u/JB1ReuIdcdSHagOzRv8VvQbRjBfJsIVQbW/Grfqxqf7gnZKWie0QiDw6T4q6iqIckVRVlfG3SPv4qSuJzU4L7fiIkKLwDANVEWlZVxLYt2xrMxfyWGZI6jyV7GuaB3n9joXQxp4A7X4dB+GaaAIBVOaNI9Np3u6lYD61OynKPeVM7DlQCbHfsLnv33Ojood3HfEfdYEf10VtYHaBiuSltaWMKLDYbw1bmID2w5tcyizL/uF5fkrGPTKYB4a9QCdkzuzoXgDI7JGYEqT3MocuqZ2QzcNYj2xVPuriXZFE+2ODpUToUXiVt20SWgTzDeSVNRVUBuon6uUUiKR1Piq8ere0PbaQA1xUXF8es4nRGgRoe1frPuSBE88UkpKvWVEufbuPnJw+LcT6mxs11FxcS2vvL6Yz7/+Db/PYGdpDVdfOoCrrhzI/Q/9xIwfN4IQnHX6IXTqmIzLpXLVVZ/hivCwaWMpBze+xkqWHDumM9/P2Mh5531MTEIk3bqkcuXlA2mREcuLry1g5ZoCpn+3keuuGczWbeWcc8EUbrhmCDdcO5Sxp3zAU48fy9gxnamu8jH+9EmcNr47Lz1/4u9qo4WskFb02KUX92fCAz8xf8F2EIJTTurGocMyWbG6gAsu/Qyhm5SWeRk1qj3LluUz9avfKKn0sm59MUcc0ZZ2bZMAy5VXXFwbcqP5AnUUVBWgKRrHdzqeD5ZNorC6kJ5p3bnn+wnkVezks98+5aj2o6jT6yiuLcZv+CmuKaYuYEVlKULh87VfYgRMNpVupmdqT/pm9OHsXmfx5Kyn+GXzbISQnNbzVAa3HkxRbQk1gRpURSVgBHCpLs7vcz73/jCB9TvXUeav5IisI+mb0RdVqHgDXirqKkIBC5qi8dOWmdz49c2UeUtpk9CGjskdkVIyutMJ3PX9PZza45Rg/UkSIxPok96Lq764hh6p3Tmrz5mM7jKaGZt+5LxPLiApMolOqR25fMBl/LD5B7757Vs8agQ903sSoUWgCJWZW37hrF5n0a9FX8775AKePLY/uqlTXFsC0gp6sDvDT9d+ypdrvuaXrbO4eMqlnNrzFMZ0PZFe6b0IGDpnTDqDzqlduXTAxTSPbc4xHY/hwZ8eYk3uaoZkDeWsXmdyWObhjP2/k+ia0hWPy8XdR9yNbugU1RYhhCBgBCioLmhwnzg4/FcJG9lYjWpkpEb3bql0655qaWj5DaKi3Bx9VHsiIzU2bCgGYS09kJwcxVuvj2P+vG20zmzGFZcOoG3Wwcs2t7XRWrWM5+UXT+SHGRsxELRplQDAhLuPYPoPG1GE4NSTupOWFo3bo3HXHSM4dpTlBnxr4jiiIq0J4pTUaHr1SKdZUtRenYPLpYbcblLCkUe0JSraxZo1BSAgNTUGTVN46fkT2JpdBrrJqFEdSUqMpK5Op3l6LL17Nefw4VmcPK5bKEChRYs4Hn9sVKijOzTzULKS2gJwXMfj+Obcr+iY0pHmsc25fyTkVuRydu+ziHZHkRyVzANH3k/LuJa0iG1BRlwGXVO70jy2OU8d8xTl3jIGtRnE2G5jMKXJcR2PI96TwMaijSCgWZQl73Pj0BtIi7ECFuzoq0GtBvLkMU+waMdC0mLTObHLCaG6OK/XefgNf+h9q7hWPH/8cxRVF6EIhbHdxhDjigEgKzET3Qgwvps1mrKTU68bcj2dk7tQp9eRFJlEy7iWvHDCc/yw6UcEghYJ1uJyaTFp9M6wOoVRHY/iiHaH4w14+ebcr+mR3oNodyTPHv8MvTN6E+2O5uZhNxPltq6pIqycoZZxLTmqw0hO63EqxbXFZMRlAIKU6BQeHvkQ87LnEe2JCY1Mjm5/NIpUyS7bRuuE1gDcd+S9fLb6M2r8XjwuN5rQGJ55KF1SOgPQO6MX/zv+meBxrWvp8WhOno3DfxIhpZS3PvAIcQS4+94JmKaOojQOUquPuqrnr9BCa4q9HYHs6XvFxbVccd2XREW6mfjKmCaWk7awNeG+nbaBDyat5N67DyM9PZa4WA+m2biOmkJKycefrGHe/B08+8yx+2z3/sSQJupezieES+bAvqt71+l1FFQXcPcP93BI80O4eehN+3S83bE/VcYPlGK532+Qk1fJR5NWUF7h44nHjm7yN/VPxO/343a7GT36RHQtgmNPHE3zlq3o2Lkzyalpf49GwuEvp1GvYml1maEhv6UpZuWi2DpeQCgT2jRlKBoL+ENLLP9ZbE0yOy/F1m6TUmIYdhSQQFGsv3anYIcui+BI7aP3TvvdAAH73DJbJ1JZ7eOSy6dy203DOf74TsHy6usoPDw6vD5VVaFFizjatU1E181Qfk54vRmmRFXql3S2V9qUSMxgGK0QIpTUacvBhDL9ESHZFYkMXiszuEgBQUVvgSoUDFmf5KoKNaSjtqscjj0XY3+mKPUNpZ1wGd45WIu2gZQmmqJR5avinu/vJTUmlRuGXN9IAsZOtrTtCD9e6LoKNbhNQvC8VKGGjqcIBQShOiIo1NqUfpx9HuGrmNrnHn6Otn32InT2vva1sOtUVdRG18owTDRVpbCwhhtvm0Z5QTWXXjbQvpv2eK85OPybaDSyCQSaFuLcF+x1Xg62u8DRr/p7YSe62lGDe7M/7P8H4X21Y78dN/jfv/3B3hnZOOwNTSZ1/lnskcTBwn6CP5idjC1NA4RGSfvCnrTR/i3s2rhLZGgkpu3iqt3VJbs/XbQHu5MJHTf0n3U+1v0ig54CpwF2+G/RqKWzG1Fb48vWAjMMM+SmMgwZ0hOTUgYFKS2NL4DPv/iNx5/4FV038fn00PcOFALLnZRdlk1uRa5l1wFekFYIgctlydL8kfkiK6fnn9nRBHRCSzfsDp8PbrzDoPswg/sfMzAN6zopaGBqBHQIBBqOOgqKYdsOSZ3Pem8Y1j8b3ag/rq6DP2D9tUdEhmG9DwSs40sJGzdKxpxt0P1wg8+/svXxwDCt/ewy7O26Xl+2fexQuWE22/vbZTSwM/j9+YskF15jhELu7bQCp6Nx+C/SaGTjdms0JSwQ3jBaP5agzH2w0Q2noqKOwsJqNE3ZZzXkfcFez6U2UMvdM+5lztY5JEclc/ngSxnTZcxBXJ76v4VrL8bDqgqPP6CS9abJ6lVmaGShKKA0cUt89pXJg0+bRMcJWqRInn9YIy294T5a8DbTDdDCbLAb/6aWk8hsK/jkLZVLrzEorI9CRlWsfzamBEU0LNcuu6lyweoQwz3OpjWNFCojIRZ25DT93X8zMuyfg4NNWJ6N9Xf79nJWriyioLiajesKOf2M3vQ6JJ2fZ24lIyOWTh2Tmb9gB4GAwaHDMikqquH5l+dTV+unW7d0zj+3d0hc8pWJC8nbXsGFF/QnKyth/zf+0pqQ/mrd12ws2cCiqxewqmAVp3xwGkNaDyElOuVPrZHiUI89+vDWwmfTTLp1EPTqued6dbkgKgLcbqshVoGlyyVFhZJlGwATLjtH4A/Ak8+ZfPS6SqeOgqtuMnj1LYNB/QWxcYLBAwXShB9+MklPF/TsLnj1XZNNW6BrZ7jwDAUJzJ1rUlwG85ZDeipcfq6Cxw1ChciI+k5DCJg5y+T7OeALwKH9YOxxCkUlMH++SXktrF4HJx8H/fsqLFgsKS+TLFoLkW648DRBYpKgshKefs2kuhZOPFJw2DBr+YWFSyVTvpHkFUg0N9ZzmdPyOvzHCT3b2dFIO3IqOPXMyWzdVo7brXHlNV/i9ep8+NEq5szZDsCUz9bw0eRVALz40gJKS2pp1zaJlGDWfWSUiymfrUEPmGzcVMod98wAGq+Q+WexO67l+cs4qdtJLMtfxpVfXkV6XDqLchcFj+nIuO8P7OtWWS657BaDqV+aDbbvDjPoJrMvw7c/SM6/wqBZAixeJnnqBZNp00x6dYFOHQUBHY4/UrBjh+S3DfDkcwYCqKyER582iYyEd9432bpV0qEtLFggee4lEwE88YzJm++aZKTDZ1NNvp1mhEZU4XZKCYkJgg5Z0DELJr5nMm++SXU1nHGxweo1krhouPY2k4pyyVffSS6+2iA9BebMlzzyjIlpwoNPmMRFQ8e28PyrJosWS37bILl9gkFKIqQlW52k09E4ODThRjMNOOboDjx0n6WRtfjE/2PLlhJatoglMlJF103S02IoK7PWDjGBpUtzOfO0ngwd2gYAb22AQ4dlcs0Vg+jftwUTHvgJ+P2VHf8IUko8modZ237hxy0/ct8RE/hi3RdU+qqsz51f+n7Bdn2lNhfkrXDh8Vjv93RJdd2ayzBNa75D08DjgksvUrnkbIWBPSVPPmfgAuLignMn0hoJ+QNwykmCOXMkW7ZJli6RdO4o6NBOcNt9JjnFsK1AsnoVxMZITANatICTRiuMPFLhsrMUarwS3QBpWp2ePfeiaRAVCV/9IFFVWLlOUFQKaWmSI0YoPHy3iqbBwvkmGzZK4mLhiktULj5ToWcHyRPPGmzYIJkx26R5S0FkBCz5TVJYLJk1R9K7h+CWqxU2b5Zcf5dz/zk4QBOTM36/QcugZpceMKmp8RMR4aKioo7oaDeaprBlaxl22sKD9x3BvNmX88vc7XTu/hy1tQE0TaFVq3hMU1Ja4iU2xn1AjLfzR9JjmjN32zw+OOV9jmx3JKt2rqFHWg/rBB0BxP2KrsPOIkl5+Z4bUUWxGvXUZpAYZzXuQkBdHXTtaO1TWg51fujXV7DyN2t/lwsWLZfExkCL5oKePRV+/VUye77k/LMFgQB4ayX3XS+Y/IrKmtkqTz2kYkqI9EB0tGWjJwKSEgWaapWZEAMpzaxjSAlX32py1VmCj19R6dnZsjcQgPTk+jmXai/ExICvDrpbogAUl1ruuKoqSXwUfPi8wmcTVbKXaBx/jEJlteWyA5i/RGI4fY2DA9DEyCYy0sWv87K5+/4fWLe+mPYdmtGuXRKtWyXw3MsLWLg0j/c/WMlVV1mJaRPfWsL2nHI8qkLbtklUV/up9QYoKKhGUQR+v87OguoDY720OpyjOxzFopxF3DfjfjaWbKJ38950S+3aZDKfwx/DNK0GuapSMvJkg/5d4dP3td2GLNfWwruTTD7/TpKXB9pTJhedKoiLh7c+kqzdZrmuTj5R4YTjFT6fbnD2lQZtWgnWrIHbrrWu2zEjBbdMMMhIE3TvpuBywZmnKvzvFZNFawADTjpO0K2LoLAIamqtziIQsP5u3iL56AvJ17MkS9dDbqnJOeMFcXGSNybBvCUGc+eZXHyOSoRHsGS15L5nTDZvlLRoJejSRYGvTF7/ULJ4ncm8uSbnnKrQv79C756SS24wOaSPwA1cfr7giBGC2+43kY+bLJxtUu1zvGgODrCbPJvICI34uAgOG57FRef1RUq49JJ+xCV68HoDfPvl2SQ1s+Zn4mI9xMS4Mf0Gjz50FKmp0Qw/NJOewYXABvRvyUP3jQQsN9r+9KQJYWV/t0tqz23Db+PLtV9wVPuRnN37rNCox2H/oChWR5LUTHDUYIHP23QTWr+CK8REw0ljBB63Qnm5tEYMEqKjIC4WrrxQYexx1oJizz6i8N5USXUlPHavQueOVkH9+ynccoOgTQZER1nbzjlNIS4eNmaDMK3oOEWBq69UybI8uaiqZYvbJYiLkdxyvYLXC1FuiIgQPPWAytTvJclJ8Ol7Gh07QFW1JCJCEB8LgwYIzhpbv3pqdBTExcB1VyiccJRl85MPqLw12aSmDiJUK5x9xDDBI/cKFq+WPP2ISq23Yb6Ng8N/lZCCQIzp59777mPGjI1MmryatyaO+0MF/hV6aXuroeXwx7BHNeVlkhsnmNTVSp59WCU1bd8v9L0PmWS1gQvOsa6XHXK8K4ZphSaH30/2a9ue/c2iJZLnXjZ5/00rbM0+zi13mwzoDaeM37PNv/fZv5VdFQSOCVMQSHEUBByCNBrZJCRE0KplHAHdRJoSTbOy46UklMhpZWTX637Z+QX24mOmaU3Lq4ql02WaBzZT3tbQMqQR1PtSnVHNfsRu2OMTBM8/quJ2g3svFI10nZBumG5awQGZbSAi0goYQNbnqcjgBL5139TnwAhh5dUoot4ORbG2hfJrgrk7hmH93dWtZydcymB5mmp1JIYZ3DeYSxMXB21aC3Td6jRE8JhtM0FzB22mPs8ovGywylCCyajhnc7u8nQcHP5LhDobOwu+X78M+vdv1WhHIWgyQVNVFXb9Ldk/YOv1H1v9cl+xxREdDhxCWK4x2LsRrFAI5kJBRPBOu/Ccpq+RaCKh0kZrorFuahtNyNLsrtymkks7dRA8PKHxSV1xsbWj3RkaRr2brqmyVZVGv4m/AjvkfNcO2MHhr6DRTyUQsBSR/0wHsb/nZhz+fuzN9W1qMGvn2xwIN9ifHTzb0jm72maatlr3nyv/YPNPtNnh30sTP0/LJ6brJoGA0UAPzX5tmjKkmWZpo1n7+v1WS/LNtxt47vl5IX21A62NZtsUCBgEdLOBnYHgediimbb2m53EqodpvjnsHfpeaKP5fXDzXQb9jjR4/Fmzwf7hGmR2A+8P1H9ma6I1cIHJhtt03XKl2bk8pWVw050mtTWWu8vWOwPr84DeUEfNNBtqnskwt1l5JVRUNrTXlHD9bQa9RxmcfbnBznyJ32+Fb5dVNNRnCz9X+71uWOcY0Btqy5my8bambDbNxomp9meGYZUf2KVON2+VHDVeZ8FCs0GZ4XbY3w8Egv+C9Rp+rQN6w+ugG/VlhbsRHRz2RKPOxu1WUVUlJBpou9dUVYRe23MzYGujKUGJGqu4wqIatm0rQ9MU3O4/JlS5L9iLoLlcKq6wOSZFEbiC56FpSkgux1o7xppb0v6AYvN/HU37/ZGJUODe21VOPVGwaYMZCsZSFOtpW9Osf0LApo2S7ofqPPiYlfF//yMGT/7PaPBkbr+2/2qa5UrTNOt9IABr1kmioq05FTufxjStz11hx9vVDpdWL/z5yDMmw0cbjDrD4PFnjND3N2+QbN4sWfa9wnsvqyQmCUaN1znqNIMRJxlccZNBVXVw3iasbuz3mgo33qwzZ7YZip6TQRejS6PBNluPLdzmd94zePQJyx5dh63bJJderePzBc8jbH97vql1C0FqsgjNi6kqBHySCy/WqauRofNWVfjkM5NHHtWtMoJ1bpr19aOq9SM8Ta23T1Wd5a4d9o5G2mi5eVVs2lROYVE1WzeXMHZsNzp2TGbhwhxSUqPJykxkxcqd6LpB3z4tKC+v4813l+DzBujYMZWTT+qKx6USFeXmg8krKcyr5LTTDiEjI/aACGPancrK1QV8MXU1nmg355/dm9TUGFavLuDr7zYQ8Abo3DWNU07qxo6cCn74aQunju9GdLSb6d9vJDLCxYjhmX+blUf/jth146uDH2ZL2rUmFJ7cFEJY4c0pzWCHJ/h9YO06SXkZrNggEcBZ4wSaCyIU2LRF4vUGn/Al7CyArdmSwQMERSWwaq2kVzfYsQNWrZckJwiq6iApEbp3FCQlwKy5kjkLJEccKhjYz3Lnzpon+WWuJDkZzjtZEBUtWLNWUl0N81ZYdpw9XmHJUpOfZposmq6hqDBqnE63TiY+U/DJFyZlXnj6ZcngftC/tyAxRjBzktUy9z1MZ+kKiQIkJED3rlYC6qzZJvGxgt+2SWavAC+SeStNhvYVDB8qKCiSvPmBRCpw8rGCTh2sOp05RzJnkSTSAycdK2jWTGHuAiM016QblrJ1eQXsXCfJzpes3QidOwjGHSvYuFHy7UzJaacoZGVa9b9+veT9zyUrNsMjL0qSm0lOPEKwNQcmfSmpqYHHXjRpmQanjlZwe2DiByb5BdCnOxw/SqGqCpYsk1TXSdZugGMOE/ToekBvPYd/CY200bZuLeP40f/HvPk72JFTwSVXfoHPZ/DGm0v4+eetALz/wXLeenspAC+9vIB1vxUC4PdbvovIaBeffr6a7dvL+OHnLdxx94HRRpPB1RrXrSvijTcWERPjxlunc+c9Mygt9QIQFakRG+Pmg49W8umnazBNyRtvLua5F+exaVMpE+77CZ/P9gU4j2i7w75uZaWS8RfqfDDZaLB9d4RcPUEX0WdfS04+R6e6Br76TvLo/0xMQ9IqQ9Cto2D2XJOkJEGEB1autkKRAdatl9z7iEl+nuTymwy+nSG54U6Dd97Teetdg4pKyZZsyeQpJl4vXH2rQU6OZOFiyZSpJjFRsD0H7nnQKm/SZJOrbjKoq4OvvpW88ZbO9Okm408UeCKsJ/ojhwpmzTHxBSSBoKupohK8XmtUUFwuGX+xwQlnGxwxTDCwj2Dmr5LHnrFGZRs2wS0TTAxdhpY8COjgrbNWYi0vh6eeNfF4rMCL+x4xycmVbNgomfiWYUW2BUdnzRIlaamwbgN8NMUkOhJaNLdsufpGg8+/knjr4OHHdNaskSHX4nU3GyxaLEMjN5/fumA+vwzaAYGADEX3eeugzgcIeGWipUEXEwUfT5V8/qVJZTWMO8tg2nRJTo7kipsNyitsl/p+veUc/mU0jqWRcPhhbXn68WMQiuDoY99ly5YSWrSIIzJSwzBMUlOiqajwAVBZ5eO334q49qoh9AgmctZ5dfr2bsEdt4xgwWE53DPhB+DAaKMJIVixqoCpn69hyIgsKopr2LK9Ap9Pp23bJJ59eR4lpV42rM5nba/mjB/fjelfnsvZF37Cex8s59NJZ9CtW2rIFefQNLZrKCVNsHGeRlys7Ubd/Xd0w2rMTFmvSeZxwblnK9xypcLRh0rue8RgR44gJgb69hGs+U1SUACtMiDCA8nJ1ndjYiAtFTweQUIc3HCFwpPPm1x6lsLPs0yqaiApSXDLtQqZmYLsbZLZc02KygXTZ0oG+2HrNjB8EiTExcOp4wS3XqNw+zWwI0fy0KMGURFWh6AI8LhBUQVnnqSQEmMy+TPJA7dbFeHzWUmmY48RxMcJPv7UZPEyyQVnC66+QZK/U7J8hdV5DRqsMGgwLJlncspJgiOPtMpYuUryybeSwUMsTcJfF0sKCiE2CrYXQKsyyaP3WSOnmlqr85g33+DnWRJNEURHWW6stllw100K7dsJrj5PoGrQrJng/s6CretMVNXqaLp1E9zfRmH7eoMJ1ynEJ1kXr0tnQVmJyYb1kvtvDkbe6fDpNxJdgdYtJXMWQ6d2kj69JYMGCJ59TEXTJMOONyivgMTEA3DTOfyraNTZ+HwGWW0SEIrA0CW6YUWnVVf7iI52oaoKeTuriYq2HMGPPzoKaUrueeAnzj7/ExbMuRxVFXTo0AzTlJQU1xAfH3FAjLc7r507qzj88Ha88dpYVKV+fZ0LLp5Kr17Nueziflxx9Reh0G1FFTRLiEKRpagHcL2dfyUS3J7fdzfa7p6UREuXLDLS2l5XB326W1+urLLK8bjB74fevQSLlkq+/1Fy2w0Crw/0oOxMSak1sW2aVnl1dcG5FgX8wZydFmmQmWmVHdCtuYWCAsn44wQP3aOGAgDAcum1aG7t59KgVUtBmzaCFWvgvOCvYvlqyeGHCnQDSsoJjW4UxbIjKR7OOdkqcNo3sG2bZNgQhR49Fb6fIfllLjx8r4JpWvtXVFsjB5uCQkn71vDaYwqREdbciu2unPW1xooVJgOONjjteMH5ZwkKiqzjHzpUsHy5JCXFctUlJdbPWzWVaJuWUj/3lVcANV5r9BJP/bxWcSnUeuu/U1klMQOSB+9UGTJQhL6/br0kNRlcbmukGBvtRLw57B2NOpuICI0Fi3N4+vk5rFlTSGp6DB07JpOaEs3rby1hw+ZSJr65JKSN9vGU1RQUVpOaFElKSjQVFXXUenXyd1YFtdEM8ndWHRDjLTea4Oij2vPttA08/dQs4pKiaN0ynjEndgEkP8/aQlSUxvczttC+XTL5+VVccuUXnDS6Kxee35fxp03itZdGM2xoG2fOZg/Y+RplZZKBxxoM7gGT3m6sjWbj9cJnX5tM+VqyYzukvm5y6gmCmFiY9IUkr9xkxg8mx49SSE8XbN5qEhMrOPpIwaPPm2zdIejZHdZukDz9qsmnn5joQmAYkL/TGlnYWmilpZay89LVkqdeNSktlpRWS449RiWjFUx42OD5iSZuD3TNEhw+QlBaChERVkdjJ4OOOVHhhrsMHv2fQV0ATBWOO1ZBCzbkJSU0mGxft1ly31Mm0VFQVA79+1sVcdKJgvsfN0lLhubNrWAVTYPBAwQvv2OyfjsM7isY2F+hWZJkwmMmHTsJYj1w9mkKW7dJpv8sQYOeXaCyWqIqggUroE1ruOZSwRnvScafaHXUO3danbXLVa8Jt3KV5IfZkrkr4X8TJWOONTn2CIWM5oK0VLjzEZNevQXHDBd0aC8YNkhw+3R49FmTdpkw7niFo0cqPPuKwapNClKHcccIFAVy8+rn4PJ2OhFpDntHo85GUQS6blJcXEtmViLXXzkYKeHyywageVRq6wJM/uBU0tNjAKis9JGbV4nUTR68byRpaTEMHNCS9u2scXWvXhncdvOhwAHSRpOSzp1TePKxo/nooxVUeSuJi7VGUvffewTvfrCcklIvr7x4Iu3bJRHQTU44riPnndsbVRXccduh1NQE425D+e4Ou2KPCJJTBIf3F9RUN+2gbxBCXA4DBwoOHSYoKbfcYaoCtXXWk/QpYxXOP12htBTuv9OKFuzdW+HNV6BFiqBrV8FtNyrMXgR33KQQFSlISxfccoNCl06CG65S6NYZEhIU2rYVXHO5wuYdoLoFrz6pEB0tGDIA7rpV5btfJIoCrVOtazxujBJKULWfzLt1ETzxgMrHX0gio+DlJxQSg66mwYMEqWn1o2C3C26+VmH9Nsu9NeE2JTS536u7oKi8XpLH5sLzVQyXSWEh1NZK4uIEzz+u8PK7krwCaGb9pPD7sUYxErp3E1x6phXU8OQDCp3aCdq0Flx6CXRuJ0huJrj0IoX0NDtSNLjIXR2UV8E1V1n1W1lpPZxFRQluvVnlw6mSktJ62/r3E1x9pcqiJZLySjANyW3XK7z6LuTsBMUEnx9aZAhuuFpBCEtVe8JtCgkJ9coiDg67Q5hBbbTYMG20j6es4Y3Xxv6hAv8SbbQ/ON/izNPsHeHaaLc+aFJeKnnyAZU2rfe97iY8bD05n3uW0qBsm6a00P4ou0vS3B1Naa7tiw2BgDU/9ca7JvPnmbz9mtbANdaUfX+XBropW/ZWg07X/WhavTba0SeOJqNlKzo42mgOYTQa2cTGuklIiAgldNq5NnYyJARHKIpADY6C7Eg2K/9GCUadydBrM6ixdqCwNNpkaFVOO5fGSj41ARF82rb+6nq95puumwdNUuefit3gxMULHrxDJTLCCmv+PcKTKHUTItyQnm6NHwMB6zO3uz6x0M4p0fX6/A978TMh6kdMtlyMEWwMpVkfDmwHFNr5LXYUVrhygT1hHj6HY38Wvq+q1eubmcFAh3CZnPDzU1RrTHzTXQbrt8Irj6m4XA0bbDsRM9wOO7kUgGDOza7bNLVxvdhBDPa57CpJ06AMrLmt8PwZ+zP7HO3y7U7HzqWyNeygXprHvlbhCbi7kxpycLBppI02YEALBg1q02hHK3mz8Uzg7juR+gTQgzF6UFWBustMpXXsxja7XPX2HMhO8N+GoliTzbB3T+XhDZCt23nFRY3re1eNsQavVRoJjQlhtX+hhj/417WbBk9VG09i725S204ctRtRlPpgh10tb9TAKvDik7vegw3tdu0iYNqURltT23Y9Xvi5NnUuuysj3JZd7W+qw2iqTu397DKcldcd9oZGt5L11P/n3Et/hWtKIhH7cb5lf5f3b+OPekbskcCf8azsj+inRou+QQOVgz011Hua2bNdd/ZI7O/I752fg8OBoMlbzl5OQN9FZ8x2l9muMWtfy71maalZjzgzftjMa68vwjAsXTL7eweK8I4hYAQwTKPBZwEzQMAMNLDDMA0CRgDd1EP76aZOwLCCBXbtaAJG4zL+q+yq/9UU4S6WcC213TXChtnwtR2Sa5dhGNbEuZTw3Msmc+ebIW00+5LYul16mH3h5dh2hHc0gWBsiAi+NkyY9p3ksHEGR55qMO07qyBbI8zed9flBezw5vCOxtYQC683W8stvJ52tdnWHQManGNo373QpmvqvM3gtvc+MrnyJgN/nQwdz76r98ZmB4c/QqPOxuVSgi4pJTSvAfZ8R2PXmD0/YmmpWcXt2FHB2rVFqKqlS3Yg15aR0upotldkc9qkM+jzbB9u/e42AF5c8CLd/teT4a8ezsiJo1iavxQpJWM/GEffFwYw5JVDufTzywDYUrqFkz44mQEvDmbkxFGsKVwDWJ3MG4vfYOBLgzly4khWFqwErAXb/qvsqv/VFPbcgq0/Zs+tXHmbweGjrZZ0xSrJeZfolJTIBorNqlI/n2KXoarW/I4QsGK1pLikXhvNvr1s3S5NrdcZCy/HtkMIWLlGMvR4nUHHG5xzuU5BgcTlso49abLBNRcIvnhbZdgQhedeNuk0VGfQiQZHjtdZvkI2UlRWwtxtX39rMuF+PaQhBvUabbaWW/gIL9xmb63k9vsNBp1o0O0wnUEnGJxyocGmTdb9poWdh67DLXfozJ5jhh4AJk02eCKoK7fredt2RkRYOU7hOmwfTzF55LE92+zo1Tr8GRppoxUW1pCbV01RcS07sksZNaoTrVvHs3p1AYlJkbTIiGPDhmJ0w6Rrl1Sqq/18/Olq/HUBMrOaccyo9kR4NOLiPXw1bT0lhTWccHxnkpOj9rs2ml1eXlUul069jCePfZIeaT2sz5CU1pZx+eBLuHbQtaFtNf4a3KqbqedNISshK7S9XVI7vjzncwDu//l+HvnlUT445X0e+/UxCqoLWXrt4gbH/q+tnWM33H4/LFwuaZkOmXuIRquugQ0bJFVe2LBZcvgQQfu2AvywPdtKgPQHoKzMempevEzSpaMgOhoWLZO0yrCy2LdmW8mQyUmQVwTHHS5IiAefT/LuJybN4gVHHwYut6CySjJpqiRgwtGHCjq0ExSXQEmxZMM2S2utf1/o0k5ww50mN1+mMG60wnW3Gzz7ksmp4xV+nCv5bRt03AyaSzLmWEF+ATx7j8KJJyjc/aDBC2+ZPHSHwqatMGywNYG0aXMwlFjA5K8l+fnw2vsmKYlw3BEKEZEw9VtJ7k5J5/aCkcOtuisps7abSLpkwaFDFJ58wGrtTzrT4OlHFLIy6+t5yleSknLJwF6CXj0EtbWwfpNk2FDr88pKK8epqMhSYli9Cby1cPihgsxWMGuOiW4Ibr9R4HILTANmL5B8Ok1SWQHJ75ukJ8OxRyi43PDJl5KCYkn3zoLDhvxN/YIO/wjCOhurt9m4qYQTxnzI6af3oLaqjo8/W8vXn5/Dcy/MZ8jgVlxwfh8mvrWEmlo/Lz1/Iq++toiVa/JJS4lGBB+fIqNcfP7FWkwhmfPrNubOz+H1V0aHQo33V38jhTWqWZizmLTYNH7dOpsXZr/IBQMuYHCrQQTMAG8teofVeWsZ0XY4Z/U6E01o5FTkcv2XN9IqvhVXDr6crqmWkuDnv33B16u/IqDo3HXYndTpPlYXrOGItodz2WdX0L15Ny4feBkuxXVAREX/ztidTWmx5MjxOrdcInjo3sZJnfb7wkI45iSd0ccL/Lpg0icmX36ogoSTjofvZpj07q3gDkY13fWAyctPKbRrJ7h1gsmNVwjmzJUsXmUJZqqA4ob0BIXIaMHLE00GHir4ZZZJbg5ccLbK08+bKB7Q3IIHHzd54E6F4lK4+AqdYYcpeGssF9noUYKMZpLjj1GREsYfL3jpVZOcPMnmbEmNz0omlSaMOVYQGwtPviH5+leT4nzJhFtUKivhiusNpn+m0rKF4JZ7TQb0gi5dBflFVpb+mvXQKs3SQZs8RbJopSQ+QfDhJyblxYLxYxVeesVgRyEkpghi3VYdhq+fE77EwCPPGKxYK2meofDxpwYP3KaQ1UbQLFHw4y+SlhmQmGBpuy1aLLn1boMx4xVWr4ZffpG89IxKbh68O9nE8Eumvq8SGyvIzZMUlFhqDavXQ0215Sp/70PJ6vWS2HjBux+YVJYKRp+gOOloDn+IRgECAsGgga148dkT0DSFI0e9zdatZWRkxBIRoWEYkmbNInEHI9Ny8yvZsb2CB+49ksxMK5HT59Pp1DGFh+8bycJFOdx5ryXEub8bZyEFCAjoAVbvXMOINiPo1aIXj816jIlj3+CiPhfSt3lfSmtLeXXBqyhCcHrP03nymMfJrchjxc4VXPPVtbx36rtkxGTQKq4lw7KGsaV8K9+t/46rh1xDpbeKxblLOLTNoXy14SviI+M4t9e5/7kfW3hS5+LvNVKSrPe7u6RSSg7pKXj+CY2oCMmQ400qKyzJmSGHKJSXSn5bJ9GCeSgpyfVlpadYwpSGAaeOsToMFUm0p37tmCMPE9x9q8Jn3Uy+/NrksKGSD7+QDBok0DTJtFmSyy+A2FhLnfrZh1Q0F2zbKpk2QxITbYlPKqp1rBovnHiswonHSk4/2+DxuxRatbQM0nXo0AaG9oOVqwTTfrQSHgf1gdlzJIePgLgoySUXqqQkC6RuMn++5IkH60e/708xqQ5Ax/aWzlhctGT8OMgtsBI6n7hbJTG5fnkAuy7sjmfJUpOffpZMn6rh8cBzL8PMWZKUZoJNm6zRTkIcREZAmzYCocCQQYKH77R+p+vXWw96Z5wi6Nhe8twLhjU3Bpx5ioKpm2xYJ3ng/vr8p/c+MVHckJUpmbUQ0lIko0+A4M/OwWGfaNTZ1NXpdOzQDE1TMHRrvRfTlNTWBoiOcqGqgrKyupCm2P+eOpaS4loefnIWc+Zk8+tPFyOEoGePNExTUlxUQ2JC5IGxPnjHG5gMbj2IC/tdCMDcHXPZWraVAS0HkJmYCcDaorX8vHUmZxxyBkPbWD6HU3uewiEv9GZD8UZaxLagb4u+9G3RlxU7V3DFF1dwfr/ziXRHcuuht9ChWQc8HjdLc5cGH+z+mz83RYUObcXvrooZ0KFFc0FUFGRvh/iY4NyLAlFR0L2z4MobTLp3sUQoa72Q3Mz6bmW11QhGeSDSY+mgtWwOpcVW6LAqYOSIYEBIUKYlN0/SJl3w0K0KER7By49YUi7zF0iyWlvlRwnIzBIM7CeZ+rVli6Za6syxsdbkeGGhpYGWtxPS06yyDR1OHy04aqTCnBaSF14zkFLhzNNUZvxkkrcTBg9USG5myekUFDfUGauukvh9kusuVhk6SBBxL0RHAQJee04jL1dyx+MG2VskX0zScAdHOOHzUbW1EBNlnRNYmmS11dZyBj//KjnnDIUFCyU11ZIOHSw72mVaHaWiQqdOIhRU4PdZ5SQkWO91AwqLoSZMt62iXCJ1yY1Xq/TtJXh6AkQHf8b/zTvf4c/SqLPxeDSWrcjn7f9byoqVBUTGuOjSJYX4+Ajen7ySwpJaXnplYUgb7bvvN1Fe6aV7pxQWL8qhpKSWOp9Obn6lpY0WMNh5gLTRkJYrbUDLfny+dirPzXmBKl8VtQEvbZPasqpgFUtzllFWV86CnPk8MPJBdFPnm/XfUlZTxpycOXRL60K/jH5sLdvKzM2/IIRgVeFKzup1FokRiQxo1Z8nZj3JwBYDmbruc87pddZ/8sdmJyeWFEkGjTEYdgi8+9rutdF0A/Ly691q+QXBFTXLoaIcep2o4PaYLF0DHo+V8PnUKxJFmnz3o8lt12qUlJikpAsqKiE6AqqqrUa3qhrenCRZl23y0SeSc05VOOIwhZfe0nn7fZMePRQ0AaOPFei6dWxbn8wwoGcPhVatJLfcZ9C7p+DLbyWnj7U00JCWBppp1ufEeOtg4iTJjmKTuXMlw4Zaci0DBwi++0Hy7QzJ/x6pF/oc0Ecw9UvJS2+atGkFR41QOGy4wiefGwSkCgYMHQAZzQXffi+pDUDPbgpbNhuUlErS061HmeLi+qizQQMVEj40uWmCQfcugs+/k1x2nqC6Cj77VnL9VdAiA976EMaPs9SzC4saLiInJcz4yeSrH2D+Snj1PckRg6FjB2vtn/tnwGvvmLRuBSOHKwwbovDRFIPqOhWpw/BBkJYm/lbKBw7/HBo9n2qaoLzCy8LFuSgKTHxlLABXXjaAzp1SWL+pmNdfGcOJx3UC4Ld1Rfw0cwsLF+1gwj1H0Lx5LL0Oac74cd0A6NYtjSsuszqm/X2DimB2X9vEtlw3+DrWF62jylfFM8c+RXJUMjurd7I0bxmbSzbz2NGPcXjWYZjSZGvZVpbkLiM9Op3Xxr5GrCeGEm8pi3OXsCxvGd1Su3HVwKsAuGnoTbRNbMvinCWc2+scTu95OlA/x/VfIXyJgaGHCCor9rx/eipccr41P5eQANdfIYiLg7NPF/Ttbd0Ijz2kcuF5CgkJcM+tCqWVkNhM8O6LKm1aw5gxCkMHCUYfZ4lnHj1K0LWzYNyJgqgYwYJlcM5pgrNOUUBYCZXlNYKZ8yRLlktMQ9KuHZx6skJERP15aC549hGFuETBgqVw6XmC08ZbJxgXB5dfrNCmVf25jD1RkNFSsGQl9O0tuPpSa9/oKEhMFsQlQbeu9R1D3z6CCy/QWP0brFkHekByxw0KffoozAwu5FZcAkgrsm7mXMmaDZKH71Jpni5CcciXXCBIDSbRRkTAc4+quCMtm6+9THD80VaZD09Q6NheYfhwheNOUMjIgF6HCE443rIzFJmmWOvhqB4YN15hzQYoLLIONnSw4OyzVZavgt/WW8vA33+HQucuCj/Pk8yaLykp+6N3j4NDE9poP/ywkSmfruXVV8b8oQL/iqeepibrm0rKNKW511FkhmmgNqE+8F8LDID6a1pRJrnrcZP8HMkj96h06vT3qAdT1svK/FEMk991DYaOFxzl5RfAuZfqTLhVYdhQJSSj82d0xvbl97O3Ze4NTR13b23x+/243Y42msOeaWKJARcut4rfb2BKiTtMGy0Q1EZThAjpiYUnftr5OQdbG00IgWEaGNLKPNMUDUUoGNIIJXiqQg11Hrqph/JkXIoLIQSmNEMJnopQ0BSraiQS3dCRyAbb/0vYbUVMnOCGyxSioyE9dc8NSLjemZ2MqIXpeIV0yGS9HpiuWxpeYO1rT45LO/pJ1r83DGubEia7YppBfbTg7rYIpp0vsqt9tu6XotZL39hl27I1EEwqtZNETSvf5+MpJk++YXLuONGgo7Hry06kFIp1fooS1IOj/vx23aYqDe3U9YZ2hNts5x7ZiZvh9ezSGubQhKPrDfNlbDuashnRtM0ODn+ERtpogwa1YOjQNgQCJq6wpE4hRCgCrUEBTXQi1ncaJ4AeSFRFRd1FREsVaiO9NKDJDkMRCm7V3Wi7QOBSXY22hzpfSYPk16bQdWsBuoP5gLe7TrK+AxZoirpP+UKqCu2yJCDx+wVu9+6/G669JUS9xla4/paq1sueKQqhifHwz/dky64oCuxq0q7Jl+Hb3Y0va5OaYU1pq50yXuGU8fXXdNfPm9QZa+J4TW3bXRlN2RwuPSNE/fnv7l7bk2Bmo+P9jn0ODvtC49Dn4KjF7XaW39sTu+t8m2J/jOpMaSIQoRSH33Pl7a6T3F0HvPdY57Jrx/BfY38tg+Dg8F8h1AraE94V5XVcf9O3HH/8m3z08aoGO9uS/WbYONzetuv2g42Uth31Gm7WtoY2W24SGVJMCNd52xvsfTesL+b0sz9m1HFvM336xtDxdq2jQMDg0cdnUV5eF7LPtsM+tmGYvxtwoAgFIUTIhWkfL/xcTWmVY0iDotoiLvv8ckZNPIan5zwTch1+t+l7Tnx3DCf938nMyp4FgG7oGKbRQILHlCamNBu4Ik1D8uCjMzn66De4Z8IP/7kgiaZwOhoHh70jNLKxGzC3R+WKywbw5JOzWLgwh9NPteRf6hcasxs6O8qlfpu1/eBPoNu2ha9JY9lnr51e3ziHr13zRxZPs9vXTZtLMQKSRx4cRWabxFDnoaoK4XWk65IZP2zm8ksHBD+rP259PTWs01BeU4wLgaDEW8L4D07B5/dTF/By8cCLuGzApQ3cgUKIUECEisr0jdMJmAEmnvw6Ehna991l73J2nzMZ1GowsZ4YTGmiqfXl2HXUwL0WMlNw1umH0LNrCq+8sQS/38TjcUbADg4Ov08jN5qmKXTqmEz3Hs0pKa4JbVcUwew52WzPLiWjZQKHDbd0xRYszGHTlhKEhKFD29CmdcJBMx4IrsQo2L6jgtm/bsUVoXHsqI7ExLjJzi5nweIcAj6drLZJDBnUmuLiWlavLWTY4FZoLpVVqwsQQtC9W+o+uUQUVdC+fTP69W0RskNVFeYv2MGWzcWkNo9j5OHtUBRBako02TvK+fHHArp2y6BrlxRKSr2UldaSk19JeamXww5rS0K8tWjd5q1l3HHH90z64FQ0TaGyrpLkqGZMufgTimuLOfT1EZzUfRxI0KVOq7hWFFQXUO2vpllUM+Zsm8vna74gNTqVdUXr6deyH+uL1/Pz5plkl22nylfDzqp82iRYIelzs+eyrWwbLeNbMTzLWsJ7R8UOavy1/Fb4G4mRiQzPOhQhFNpmJRIX62bK1HUH5Ho6ODj8O2nU2VhRLNaTdbh76ccft/DFN+uIcsGMmdvIz6vijNN7sn59Mb9tLMLwBvjm2/U889RxpKXFHBTjrVGGZHt2BS+9thDFNKg1JEuX5HHHbSPIy6ti+cp8pN/g46lrueayAbRqncBV133FVZcP4JSTunP+RZ9x282H0r1bKvsq+uTz6RiGGZzngl9nb+eTz9YQ5YLCWdnk7Kjk/HN7k7ezkmeenQO6j0eenMunk09n46ZSzjrnY8aN60r2llKmfrmOt14fh8ul0qplAtFRbiIirMsT4YogrzKfe2fcR0F1ASd3H0/zmOY8/uvj1Ok+Jhx+L1/+9hU/bfmRx455jBkbZ5Bdup2iqmK8/joy4jPILtvGj5t+oqymjG/Xfcv28mz6tOjDr9tm8/W6r3GhMWvbr+RV53J6j9O554d7yKvKp01sJrO3z+bRYx5mbJexSAlVVb7Qqq0ODg4Oe4PSlNfdbsRNWT+f8c7/LWP54h1U6ZLVy3L45DNLgn/Y0NaUFlZT4dOZOXsb+flVYWUcWGyXz6IluXz00QoqfAYFeZW8++FyKit9DB7cClVVKK7ykb2xiDnzd9CpYzLTvziXb7/byLhTJ/HME8dw6ind/7D7TwSFrIQQfDBpBYvmbaNKl6xbmc/kKavw+wwUIbjw3N68996Z9OnVnB9/3IymKvTv14LXXx7DF5+fS15uJT//vIUrr/uK445/m1nzszn2+Le5d8JMamr9eNwuUqJTaJvUloLqQnIqc0iISCDaHY0pTWI9sUS5omgT34ZnT/wf43uO48w+Z/DOKW/RPbUbx3c6nklnfkCPFt2ZOP51Hhh5Py7FxfvL32dJzlJMYGnuMj5f8wUAMe4Yzul1Nm+Mf40fL55Bl5QuYWu1OBMVDk0jd3nt/HP+2f8ajWzsUOW4WA9Igjk2UF3j49RTD+HIke3wXDmItOZxVFb6uOyqL7nmikGkpUezfGl+aF7iYGDPt+TkVjJwUCuuvGQASElaWgzNkqK44eZpREa6uOaygTxeXkeExzrdFi3iaBYfybIleXTqZKVoh4/oYmL2PtRKSis/wjBMKirrGDe+Oyee0AXXFYNonhGLYZpkpMdx2GFtAYiJdqMogtraAP37tgSgtsaPx60RG+fm8ov7s2FDCW+8tZh77j6cpMQohFpF26R2XDPEUjUY+8E4KuoqMEwjlFNUp9cF7bEWi6vyVaEKDb/hx5QSl6KRXZ5NwAiwo2IHse5YJJJqfzWn9jyFke2O5PKBl9E8Lh2AWE8MWYlt8Rt+MmIzIJaD8gDh4ODw7yQsGs36W1MTYMaPm/n5163MnpvNt99vpLzcy6HDMpm3KIedO6vYtqOCyoo6Kit95OVVUufzs3JVIevWFWMcxAXJreRRGDK4NWVldWxaX0RRcS25OZYuW25uBRWVdVRU+Ji3MA+/36CszMvFl39O714ZvPz8aE46dRJr1haiKIK8vCp6DXqZx5/8NVgnv9+6WhP6Vh7NsKGZLFmaz86dVWzPqbAES1WFDZtLePf9ZUyatIIFi3MYMSKLCI/KoqW5fPH1Oh5+chaxCR4GDmhFzx7pDB3SBgXBkMGt6dw5GZemsip/FV+s/YL3lr6PJlSykrKIi4jj162zmbZ+Go/NepyagNcKyVbdVPurqQ3UWrlDwspDUhSFMm8ZQii4VBcu1cXg1oNZlLuInVUF5FTuoNJXCUBxbQkVdRW4VXeDJFgHBweHP0LYyMZqWOvqdL76eh0JiREkJkby2edr6dg2iRuvG8KjT87itTcWghBcelF/jji8LffedQSfT11Jt54tePj+kaSmHpz5GrBHXZL+/Vpw+y3DmfjGAqSm0KdXC3r1as49dx7OMy/OZdKUVdx43RD69s2guMRLWno0l13an8hIjdXrCli1upBuXVNp2TKOjNQYNm4stmpE7jlgwF4+W9NUpJRcdfkAAgGD11636ui8c3pz7DEdGTu2C9//sAnp13nkgZG0a5vExo2lbN5aykdTVpGUEMmrL5wYLFOiuRTGj++GYZgoiiApshmj2o/ii7VfYZoG9x05gSgtijFdxpBduoNPV0/l5mE3khydHLLtqHZHEemKAkAT1mVO8CRwZs8zSI0OCm5JuGHI9Tw9+39MXPQWCMlF/S8gPSadozscQ/tm7QArN0cIEYq4s8O3HRwcHPYWYUgpb3vgEeIJcPe9E5DSQIjG4ayGIRuEFsPvN8YHiz863xL+vdJSL/c88CMbNhTz1mvjaNUqvsnv2PXw7bQN/PzzVp584uhgWVZ5exNKLSV8+tlali7N45GHR+6z3fuTfdGLq18YrYZrb/iGd98a74Q+OzTQRgtoERxzgqWN1t7RRnMIo9GcTSBghnSobFwuBVUVBAJGyN1mS7TY2mh2o61p4qBPIAshGiRMKopA0yxdNl23zkcggvNRENBNXJr1tO73G6iqICbGzQXn9iYtNYZWLZvuaMJJjI/km+83MPPXzdx9x+GMGd0FsOrPdr+pauN6EwJcLhWPR6XOp1sadKbE41HDkjXtEZPVCUgkASMQOrY9T7OrJI39GVCvCRcmJiqRlsCoqD+WIhQCRgAZvOB22bqpowjFOk6wUzZNk7vu+5HpX62iVWbqAdW7c3Bw+HfRaGQTCARw/UlBpHAhzn8ie5vsWVen4/PrREa49lnex8r+56Doxu1PamsD6LpJVJTrdzsbW9gxXOhyfxIIBEdbwUXQrPkz67jQtKaZw/7HGdk47A0HRMJ4V1WBfwqmlAj2vgOIiNBCuTD7ip2b808jKmrvH0T2JPq4K0ZQrVliKTnvjbpwU89ETQl6Ojg4/PU0+ZO2Nb7sEYq9zXYFNdTkCtf4srbNm7+DKVPWhOl+HfgTaWizva3etl313EKvw84lXHfMYffYqz7uiYAfHn3a4PRLDD6cYmIHs9nS96ZZv9gY1I9CdpWxDz9OSM8u+P3HnjEZc4HBPQ8blJdLTBM2bJRcdJ3ByZcYTJlqHcAwGh9vVzucsG4HhwNLo2dPVRVNPnWHN8INXzdO8luzppDly/M5+eRuHIwRjj2nEG5GUwmIId0v5Y9rozns/Zomx41S2JFr8v33JmecVL9qZPhfmwuvMVmzRRLQYfQRcOf1Km5Pw/3s14qApctMfpxp8thDKi4V4uOt6//eByaJMXDlxQpJsU2vZbMnOxwcHA4MjTqbyko/NTW1lJV7KS6qoXfvDOLjI8jLqyIq2kVCfAQFhdWYpqR5eiyBgMnsedkYAYOUlBgO6ZlOVJSL5OQolq3Ip7rKR7++LYmM3P169X8GW3CzoLCapUtzcXk0Dh3SBo9HY+fOKlatKUQPGLRsGU+P7mmUV9SxdVsZh/RIR1EEW7eVIU1J27ZJf5vour8zhgE78iTxsYLEhN3vJxQ4pIfg0EGC+fOt8AMBFBdb4qRbciw3W5/uVtBGfq7kq7cVUpOh75EGwwaYDB2kUFwqadVCUOuFwmJJahKs2QCTpkgSkwRCQquWgtJSWLxSsnCF5JhRCm7N2q4osHW7ZP1GiImFof0EQoHiYoluwIatljuuTw+Bx/33ibB0cPi3EepsbNfSmrUFnHbmFIaPyKQor4KE5Bg+ev9UHnhoJoMHteK8c3vx3PPzqKn189wzx/POu0v55rv1uDWF7t3TOaRnOhERGtO/30hBSTVzf83m6KM78cRjo0LJj/sLW1YnL6+al19bSEVJFXUI5s3dzo3XD2XDhhK+mrYe/Drb8qu59bohJDWL5vSzP+b2m4dx0thunHL6ZK67ejBt2yZBqEl02BV7CeLiAkm34To3XSR44O49P0BICVXV1iqX9gqdE983eecdg2FHKqxYLTnteMHN16pIAS+/J3Fp0Lc7DOirMGeB5J33Td6fqLJ8peSOB00mvaLw0VSTmYskegDue8LkigusUczr75tszYfPvpMsXSV5aoJCZRW8/o5JXUAQMCXLl8DVV6i89KrJT7MkrTsKFiySXHam4KbrnGgCB4cDRaOWXyBo0yaB118aw4wZF5OXW8W2beUkJ0fhcllhsNHRLmKirFnYJcvyMXXJ22+M5967DgeslSljYz288vxoXn1lLIuW5lhlBxMD9xe2W2zBwh18+OEyIhKiMHwGL76+kNJSL8OHZ9IyIxY10kXu1lJ++HkLXbuk8OWUs/jsi9847azJPHDvEZxz9iF/ydII/yTsqolPErz/sspp49UG2/eElPVLEasKDBqsMPFplZceVvnhJ0llhUTToLxC4vODIQRbtkk0FWJjrI7O44GoSEjLEDz9gModlwhGDhB8+YHKsSMFAwcKPn1T5fDe8MhNlo3paYKvp0tm/CpJTIbiUnj1/yRI8ETAgP6C/3tRZeE0laGDhDOqcXA4gDRyo3m9On17ZRAT40YPmDRLiqK21o+um0RGasGcFokM/iifevxolq/I5/pbprFzZxVffHoWhiEZcWgmppSUltaSnBR5QIy351t25FRySK8Mjh/VAWlK7rh9BBkZsdx59w9U1fgYO7ozudvKiYq0wpc6dUomMT6SadM3MGhwK8Bxn/wedt1ERMC4Y39/dBrUJyUmCiIjwBOMEPPVwdGH20uGQ6QbaryQFA/PPqCCgGtvMVi9RtK6tQhGB9aXawTDqUsqwOsDvx8QVmBBVTXU+aGwBPwBaynqnTslQ/oKjh4hGDVc0Kaltb8ioO8h1n4JSYJBA52L7+BwIGnUarjdKhs3lzBrzjZeeGU+1V4/3bunoSqCH37ewo8/beHZF+aHnlS3b68gISGCE4/rRF5eJTt3VmEYJrl5lQispM+i4toDYrzt+uvbJ4OaGj8uRZCaGoOmKKiqwm/rComJdpORHseKNYXU+Qyqqnxce8M3dOuaygvPnMApp09mW3a5EyjwO9iRXIU7Jb1G6lx7i5XMsruRaiAAy1ZKFq6UrNkEs+ZLKiutEcr8pZI5iySvv2fSrrMgPU2wdTt8+JnJT7MlOTuhR3dBdBSs3yT5dYHk/kdMcvIlirDmWPw+q3Nxu63OSFGszqWyynLZuYNh0f36KhTslERHQlJCvcx5ZRWUlFj7GUZ96LWDg8OBodHIxu1WWb+pmCf/NxuPR2PiK2MRQnD5Zf2554GfePP/lnLbTcPo1j0NgPcnrWD5qjzcQnDbzcPJyIgjMzMxGNUGmW0SOPGEzsD+HznY2mhDh7Tm6isG8cijPyNdKgP7tWLC3Ydz5+0jePSpWTz69CzOPbMXQ4e2Ji+vCt00ufLyAcTGeliyMo9Zv24js00vx5W2B+xqSU0XdGgp2Lip6V7GHiHqOrzzgcnOSmiWIXj+TZOHblKIjoaf5kB2kUmnNvDgbQpCwMjDBZ9Ol/jqJBeeKjikhyDgl5xwvODxl0xGDIWjPEpoRN29myAmrqFtmgZHjxS0y7I2GAacOk5QUaVw1+MmqgrHDxdcfpGgb29BUqL1PUVxRrUODgeakIJArOnn3vvu48cfN/Hp1N94+cUT/2rb9po/6gJzXGd7h11PlRWSp181WbFccss1CkOH7Huwx4OPm7RtA2edvufv7q9r41zjA4+jIOCwNzS5nk1NjT+k2eVyqaiqNYIIBCxfip2rYul+1WuBKapAU5UGcjV2QuWB1NESgr3SRrNHW7puKTULAYGAETyXf6a0zsEkIlJw5HCFk0+EHl1/vwEJBOol9nQDIj3W6KO4zJprkdJygwkBAZ1Q4me4zExI8iZ4eWxVAsO09t9VpUDX691qUD/Kst2AtnSOYVif7W3OkIODw58j9FO15ywGD27JoEGtG2l9CSGa1P9yufb8a7UXYzvQWKKXjY/dtM1qSNnA5XLCXX8P+8HU7Ybhg+tdVHvSHbNHFK7gHWbPodx4teU221VSxqVZHYJhWBFrdhnhAqbhx1MVmtS/aEoip6ltjmaag8PBRbOX7Axt0FS0fRG1aoJ/gjaaM5L5Y5hho489IUTTjbzHY41KAjrBlWDrywofkdhl/ElNWIe/gF2XA3ZwgCaeDW3dM3t9lnCdsfp9dn0vQ9pkAEuX5vHttxsabDvQ1Nsrd9kuaajlZp3T9O83MvGtxSH7HG2svcOeTN9dfdnbC4sk7082Q/pj4furwcgxl8vqaOz7adEyyXOvmtRUWzuXl0nuf9zgyttNZv5qNjrOrvehg4PD35dGnY2i1GujheuN7apR1fC9aKA5tnRZPt98u77BtgOJFUVWb0f99vpt4WvFCAGz527n3f9bdtA6w38Tu17/pigshvc/kqF5EXv/lStNxp5ncMSpBoOPM3j2VTNU3vqNklffNvF6rX1VVTB0kMK2TSbfzwgXUq23YU8dn4ODw9+HRo4Oa72SABWVPirKvXTsmEJkpEZpqRePRyM62kVFRR2mKUlMjMQ0JStX7cQwTOLjI2nfLomoKBepqTFs2lKKt8ZP586pvzu382cQQlBeUcf6dYVoLo1eh6SjqtbcwJatZZQU1xAV7aZtVhKRkRrbsss5aXQnLrmob2j1USdgZu8wTSgps7L5o6N2v5+mQka61enk5UsyWwkSEmBrNrRIlLz7ooZLq6/3vHxJl86CryerJCZZG6OiYeQIwYplgrq6+rIVBTZukZSWQ0ozaNvGuXgODn93Qp2NDD7hr1xdwPkXTKV33wxys0tp1yGVd948iXsm/MTgQS05+6xDeOqZ2dTU+nnmyeP44IMVfPTpSqRh0qtXCx558Cg8Ho0ff95Mdl4582dnc8opPbl/whEYxoHRRisuruXl1xaSvbmYgKrQu1s61107hHXrirj/4Z+RAR3F4+KxB48iMzOBSR+t5KMPF9O5ewvefXM8EREHRiT034QdEVZUIOk8QueGCxTuvUPdbb25XYL1G03ufxxWrIT0NMlHb2lERUFRGXz+nURI6NUFenYXTP9e8tokSYxHMul1ldQ0EYoYq6xquPjawsWSdz8yqfULBJLzTxYMH64419DB4W9MqOW3PRECSEiI5NUXRjNn9hWs31DM9u3lJCR4UBQ7XFUlwmPN3M6ak010hJsvPj2HRx48CqjP7H/r1XG89to4fpm91Sr7AGmjzZm3nQ8+WE6bjikkRLt5+IlfqKz0sXL1TnbkVHDd9cOY/P6pZGUlYhiSO24bzrPPnUSkR3NcMHuJ3YjHxQueuk/l2KMbLhnQeH9JrU9w85UKM79S2JgNPp81V1NcCsvXSJaskOwssObQLjxPYfKrColR9TpqdvlCBCebg9v/94pJbhF06gTrNsEr78jQvs71dHD4exIa2dhthrdWZ9CAViQlRRIImGSkxVJRUYeUkgiPFgxBVUKd00MPHMncudu59Kov8fl0PnzvFAIBg1Ej2yOlpLKijuRme/C3/Ans+aDtOyro2DGZrp1TkO2bccEFfYmNdXPySd1JSYlmxo+buff+H3n6sWPp1bs5ANVVdbhcKpGRB2Sx0n8ddqcSGQUXnfn7o9M6H/TqJsjKEmRvl6QkWMEAXh8cMQjuvqu+DHsOpqLS2sd2z9kdjcdtaZkJAX6/pLZW0r+/oFM7wd03CXp0bmyng4PD34tGrYbLpZC9o5xVawr4vw+XU1RWS/fuaRiGZP6iHBYvyeO5F+aHOpuA32Tw4NacfkoPVq0uIDe3Eikhb2cVIDAMk9JS7wEx3h5B9eiaim6YHNI1lREjsshsnYimKVRV+ejSOYXx47ri8Wj8PGtLaB5n3YZitmWXs2RZHhUVdb9zJIeQNlqBZPAJOrfdu2dtNCmhoCi4eJkCJaXWa12HnYVQXWuJYOpWMeTkStZstHTRlqyUlJRK/H5LG21TNmzKhvWbJbou6NBe4K2CIf0EfXsIUpPFHm1xcHD466mfswn+9Xg0VqzK57pbvsXlUnjtpdGoqsKlF/fj1ru/56EnZnLR+X3p08caITzz7FyWrMglUhXcdP1QWrSIo3lGLH37ZCAEZGTEMWJ4JnDgtNEOP7wt+QXVXHLpZ+DWGDygNY89fBTffb+JV99ahAvJIX1acMmF/ZCm5Nnn57J2XSGuSJVb7vyOu24ZzpFHtHO00fZASBstTZAaL1i2fM8te2wsHDrEWrwsMtLSPtM0yEgX9OktiHBbeTj2PMu7H0h+WS5JayN44HnJNWfDoH4w4VGTGhNMAyY8afLwLQpPPahy+c0GZ1xlIHS44yrByCOcORsHh78zQg9qo8Wbfu657z5++mkTUz77Z2mjORxY7Ea8qlLy6nuSuXNMrrxY4agjncRYh8baaEc72mgOTdBowkJKKC/34g9Y2mhulxoaQeh6vTaaEJbWmK6bIXeWqoqQHtrB1EYDMAyJYVj22dpohiExTBMkCEXgUhUIaqOZpgxNVGmq4iwxsBe43YLOHSXDBqoM7r/n+pLSkp6xRy/2azvBc1cFAl23AgME1ihbU+t1zaB+DVVNC9NSCw6uNNXROHNw+LtTHyAQbGwHDWpJnz4tcLsaa6M1qSMWbHPCxSytBdZMDMNA05QD3tGA3dGpSClDgpz2tl3Zb/bYa6Dsb50tGSxbpT5yIyjvgnIAjvc72A+mngg4cZRVd7+njRYuVxP+enedwu4UknYnV+Ny4jocHP5RNPrJRkRoREfv/S9ZU5VGjZ+lafXXKB0KIdC0fRylSMDEasjtrxrB13vql5o6xb35nn1MPey9oP5qhL+2+Zs0rkbw/BwhSwcHh32hURNmmrLR06f9ZBse7WNv++jjVSxdlE3/wZmMOb4Lbo9KYWENr01chN/r5+RTenJIz3TqHSEHBtu2nTurmDlrK6ed0iPo/mtscyMEjTuOXd+Hz4fb9fGD5fcRR4YVrIbtH3482fC7CGB3IpM7rbLF0QJSAAPkZBO5FcQggThMNLTvwFZtA5xOxsHB4Y+w2+fvcO2pprZZAouS5umxlFf6ef31xdT5AoDlvmrXLolvp2/ihx83ASDlge1obLt27qzmqWfmBOeNmj6PRpRK5OsmskBaIxwJ8mMTOSe8pwr7Z4uTfiiR79tvgn/el8gZsnHjHy6ELYEiiXmHiXm+iXmmifmgWV9GnsR8wETuCG7QgeYCskG+Z9a778ywsh0cHBz+xjQa2djimwUF1dTW+nF7NFpkxFFT4yd/ZxWGbpKQGElaagymCSOGZxIV5ebFF+eFJtmTkqI487SerF1TTGTkgdeItxdEy8mpICe3kpSU6ND2nQU1VFV6iYh0kZYaE1rfpq5OR5qSyCgX6AL5vYnoIcBa7Rq5VCJ8AvoDfqAiWFvBzykAcbtAxAdb+gBQBvInCZkgOgmIApKD+2eDNCQiVUAMUAjkSsTNKiIZpD0/Uw0kgjJNQbSwIxhAHC7AD/KbsI5MAcpBlkiIFIiMA1C5Dg4ODvsBLSgvhgw+VitCMGXKap5+YS6qYZLVIZn/e/tklizJ47W3FyN9OjUBk9tvHMbgwa0xTUlBQRUB3Qi5rAIBA1UVlJfXkp5mpYPvKv2/P7C10WprdW69YzpLF+bgx8oVUhTBho3F3D3hR2orvKiRLp569Bg6dGgGwNkXTmHL5lIWLrgcLUbBzJIoqoTNQAuQSRLSJfIDE/mVhFiBXCNRrhGIMxTM50yYKeFogTJBgWownzeRayTkg1wuYQQo1yrIb0zk9KDRiaBcr0CERLokcpuJKAORADJNIH81kRNBVkuUpxSrA9QBAbJUIk2JNKTlgssD83UT8gEPiFEgjrOXqNzv1e3g0CSh33b4siMCpDQxpXRuRQcgPKkzeKOs/a2Ap/43m/ffPYX27ZsFP5MMH55Jzs5Kduyo4Ltv1jH1i7UMHtw6tDy0lBKTeo0qNRROfCDTuiWKovDp1LVs317B/AVXsnlzKRdd/hmKIpg7dzsFBVU89fgx9O/XMnQuQgjGj+tGeWmt9UPQADeQD+ZEA8Yq1qghCdgIZIDyogKbJHKDNbJQHlGQb5vI34LnlwDKwwqmZkIbUC4MNvqVYD4jEccIRLLAfM5E9pCIoSBLQMyQSBfQXSAOAXGsgjgKzLMNa7RkY69MKeur1JwkkSskylgFFkvk/yTicCAay8Xm/Mod/hLMoLCvcG5BhxCN3Gj5O6tJS4sJdTSGYaCqKi++NJ+fZ23lsMOyiI3zEBVVv66v262iaQoRHqs4OwvfpSmhqDRr2/7teOzj5ORU0KuXpWhQUlqL26Wi6yYnj+9GRJSLyZ+s5qFHZvLIg6Po1i0VXTc445QewVKsEYaSCHK+RAwXyIWm1dCbWBPxQ4Oji/YC0V7UR5H5sDopGwPLDeav3ySzJSICRLoAzeqQxBABBRLRHsRTSv0P0p7orwz+9exywq6gPZHB94UmoqWw9hskEBcp1uuDGDDg4BCOvTihc/s57IpmgDUiCQ5tWreKZ3t2BZM+WsGhwzIxpUnrVon8PGsLfXpncOWlA/j449XU1PgAKCquIXt7OYVFNWzZXEqbNolIaVJQ6CO/oIroaBc7C6pJTIjY72vaWImjKq1bxfH2/y1jx45yXn5lAXn5VYhgxzb6+E7/3975vcZVRHH8M/fuZm+tjT+axNTWKkhjQqTaQh98EHzyB7XForQV0RSDgeKvB8WHYv1Z/wAfpIgQsKgPisUWSx8q1gftQ/S1NaCkpClpbdKY2gQ39+6d48PM7L2bbE2EZDE6Hwhszt6dmV3uzNwzc75n2LJ5LXtfOMKx44N0d7cRhiEvvnKM8yOTfPHpbiMAnRb4VlA9gfFWLgOtAlcFSUEKknkaKTABMibIuCAXBVYBK0HWCQwKMqogAm4HWSHIek1wfwAzINcJjApyReCcwBrMxFbETFajIL8LnBdYZ+3jIBcEuSzIWYF24A6FnBHUYy46Tczej88R5mkgc07HxSyjIYL2Ces8luro70SdHR2tHPxgOx/2/8TOJz9j3/5vAHj5+fs4fuIXHtlxiLu72ti40XgS7x44yUf9A0zPJPT2Heb7H84yMvIHPb1fMjx6hRMnf+WlV79m7NIUQRAsycmYj+/oZvO9a9i16xO6ulrY+vBdhIWQr478zAMP9bPn2c/Z0NHCnqc3me+qYPVNK2hrvZ7qY1ingnuUGdw7A9Nbbsb8f5v7kTAD/1XQr2vkNDCp0K9pZNAuIT6loKzQfRp9SEMzqHcCeB/0bo3u1TAO3GDrXGnLtNocOazRb2hYrZCDYsqIQR/QyHcCqTJRbAMatdcENOidGv2ERj624Wm1Jyh7PA1GmX1gEf/c46miyiKy7+33uJGE/W++RblcJoqimovcUtpsrmWvv45j0sksdqJLEbFHWdd6TfXblqW0ce9prc0+jj2xsyruNJfPFXk6FX+9r+FU//PZ8uU6Qakre6E/5+y25uvzaxieBhLHMVEUsX3bNuJiiQe3Psqta9dzZ2cnLW23+OS2HsBGo0kuGg2gUqmQpplOpVAISKxN4XQriiBQxHFi0s/bwTIMVTVdjYt0cwEDRp+z+M86WgtpmlhBqtlFD8OAJKmQapnTBoA4rlSvA5DEamwKZPs1BTIvwW3OY2159T9kqWUqZDoYJxbN27DlukkmLwIlV7fDlZFSuzzm6otz9nwQgcfTIFyfrka2ilnEVqKXpL97lic2QCC7IdzNEYaqxqaAQlj7hOK8irn5rqTm8862lPedaUcmzzdRZ7PbnLXBtFllncEN6lLnNcwdwK/lgcx+7+9s9SaGetkMnDdVr77Zdt+3PQ0mC312oZLmT8tSR6N6lhOFXCRtlcXI1JymGpFFTHrp8Xj+9UjuhTICPj/deAA72QQqyLQbWtujkhWVSlI9svefICKUSiYmOEmSea72eDzLGefZBEFAENhQfuvUuFURj6eggD/LZSIrDomiJk6dGmbgxxH6nttCqVRE64WHN2ktNDUVOXr0DGPjU/Q8s4ma5SqPx/OfZHp6mriYMpMkJEmFimjqrZx4/p+o8YkJuXDxN0KE9vZ2m09sirFLU3R1tdoD0Bbu3Zh9nIDhc5OUywkdG1rm/5DH41m2uD4/NDSEqIBVzc0Ui0VKpYjQHzzksfwFUouE/L34X/cAAAAASUVORK5CYII=
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAfIAAACcCAYAAACEGClOAAAK5WlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96Y0WiICU0Jv0FkBK6AGkd1EJSUhCCSEFFRsqgyM4FlREUBnQEREFR0faWBALtkGwgH1ABhV1HCzYUJkLPMLMvPXeW2+vdXK+7LvPPnvfdc5a/wWAksIWi7NgFQCyRTJJdJAvPTEpmY57DGBAA3igAYhsjlTMjIwMA4hNz3+3d70AmphvWE/k+vfn/9XUuDwpBwAoBeE0rpSTjXA7Mr5yxBIZACiEgdFimXiCf0NYXYIUiPCHCeZPMpo8wWlTTJ+MiY32Q9gJADyZzZbwASD7IH56HoeP5CGnImwn4gpFCG9G2IsjYHMR7kZ4TnZ2zgR/RtgciRcDQDFGmJH2l5z8v+VPU+Rns/kKnupr0vD+Qqk4i730/3w1/9uys+TTe5gigyyQBEdPMXQ7MydUwaK08IhpFnKn46HbAnlw3DRzpH7J08xl+4cq1maFh01zujCQpcgjY8VOM08aEDPNkpxoxV7pEj/mNLMlM/vKM+MUfgGPpcifL4hNmOY8YXz4NEszY0JnYvwUfok8WlE/TxTkO7NvoKL3bOlf+hWyFGtlgthgRe/smfp5IuZMTmmiojYuzz9gJiZOES+W+Sr2EmdFKuJ5WUEKvzQvRrFWhhzOmbWRineYwQ6JnGYQCwRADkSAC3hAAtJADsgCMkAH/kAIpECM/GMD5DjJeEtkE8355YiXSoR8gYzORG4gj84ScWzm0B3sHBwAmLjPU0fkDW3ynkK0yzO+3HYA3IoRJ3/GxzYCoPUxANR3Mz6j11N35WQ3Ry7Jm/KhJ34wgAiUgTrQAnrACJgDa+AAXIAH8AEBIAREIJ0kgYWAg/STjXSyGCwHq0ERKAGbwXZQAarAXnAAHAZHQTM4Ac6AC+AK6Aa3wD3QD4bAczAC3oExCIJwEAWiQlqQPmQCWUEOEAPyggKgMCgaSoJSIT4kguTQcmgtVAKVQhVQNVQH/Qi1QmegS1APdAcagIah19AnGAWTYXVYFzaFbWEGzIRD4Vh4AcyHc+F8uBDeCJfDNfAhuAk+A1+Bb8H98HN4FAVQJBQNZYCyRjFQfqgIVDIqHSVBrUQVo8pQNagGVBuqE3UD1Y96gfqIxqKpaDraGu2BDkbHoTnoXPRK9AZ0BfoAugl9Dn0DPYAeQX/FUDA6GCuMO4aFScTwMYsxRZgyzH7Mccx5zC3MEOYdFoulYc2wrthgbBI2A7sMuwG7G9uIbcf2YAexozgcTgtnhfPEReDYOBmuCLcTdwh3GncdN4T7gCfh9fEO+EB8Ml6EX4Mvwx/En8Jfxz/BjxFUCCYEd0IEgUtYSthE2EdoI1wjDBHGiKpEM6InMZaYQVxNLCc2EM8T7xPfkEgkQ5IbKYokJBWQyklHSBdJA6SPZDWyJdmPnEKWkzeSa8nt5DvkNxQKxZTiQ0mmyCgbKXWUs5SHlA9KVCUbJZYSV2mVUqVSk9J1pZfKBGUTZabyQuV85TLlY8rXlF+oEFRMVfxU2CorVSpVWlX6VEZVqar2qhGq2aobVA+qXlJ9qoZTM1ULUOOqFartVTurNkhFUY2oflQOdS11H/U8dUgdq26mzlLPUC9RP6zepT6ioabhpBGvsUSjUuOkRj8NRTOlsWhZtE20o7Re2qdZurOYs3iz1s9qmHV91nvN2Zo+mjzNYs1GzVuan7ToWgFamVpbtJq1HmijtS21o7QXa+/RPq/9Yrb6bI/ZnNnFs4/OvqsD61jqROss09mrc1VnVFdPN0hXrLtT96zuCz2ano9eht42vVN6w/pUfS99of42/dP6z+gadCY9i15OP0cfMdAxCDaQG1QbdBmMGZoZxhmuMWw0fGBENGIYpRttM+owGjHWN55nvNy43viuCcGEYSIw2WHSafLe1Mw0wXSdabPpUzNNM5ZZvlm92X1zirm3ea55jflNC6wFwyLTYrdFtyVs6WwpsKy0vGYFW7lYCa12W/XMwcxxmyOaUzOnz5pszbTOs663HrCh2YTZrLFptnlpa2ybbLvFttP2q52zXZbdPrt79mr2IfZr7NvsXztYOnAcKh1uOlIcAx1XObY4vnKycuI57XG67Ux1nue8zrnD+YuLq4vEpcFl2NXYNdV1l2sfQ50RydjAuOiGcfN1W+V2wu2ju4u7zP2o+x8e1h6ZHgc9ns41m8ubu2/uoKehJ9uz2rPfi+6V6vW9V7+3gTfbu8b7kY+RD9dnv88TpgUzg3mI+dLXzlfie9z3vZ+73wq/dn+Uf5B/sX9XgFpAXEBFwMNAw0B+YH3gSJBz0LKg9mBMcGjwluA+li6Lw6pjjYS4hqwIORdKDo0JrQh9FGYZJglrmwfPC5m3dd79cJNwUXhzBIhgRWyNeBBpFpkb+XMUNioyqjLqcbR99PLozhhqzKKYgzHvYn1jN8XeizOPk8d1xCvHp8TXxb9P8E8oTehPtE1ckXglSTtJmNSSjEuOT96fPDo/YP72+UMpzilFKb0LzBYsWXBpofbCrIUnFykvYi86lopJTUg9mPqZHcGuYY+msdJ2pY1w/Dg7OM+5Ptxt3GGeJ6+U9yTdM700/Snfk7+VPyzwFpQJXgj9hBXCVxnBGVUZ7zMjMmszx7MSshqz8dmp2a0iNVGm6FyOXs6SnB6xlbhI3J/rnrs9d0QSKtkvhaQLpC0ydUQ4XZWby7+RD+R55VXmfVgcv/jYEtUloiVXl1ouXb/0SX5g/g/L0Ms4yzqWGyxfvXxgBXNF9UpoZdrKjlVGqwpXDRUEFRxYTVydufqXNXZrSte8XZuwtq1Qt7CgcPCboG/qi5SKJEV96zzWVX2L/lb4bdd6x/U7138t5hZfLrErKSv5vIGz4fJ39t+Vfze+MX1j1yaXTXs2YzeLNvdu8d5yoFS1NL90cOu8rU3b6NuKt73dvmj7pTKnsqodxB3yHf3lYeUtO413bt75uUJQcavSt7Jxl86u9bve7+buvr7HZ09DlW5VSdWn74Xf364Oqm6qMa0p24vdm7f38b74fZ0/MH6o26+9v2T/l1pRbf+B6APn6lzr6g7qHNxUD9fL64cPpRzqPux/uKXBuqG6kdZYcgQckR959mPqj71HQ492HGMca/jJ5Kddx6nHi5ugpqVNI82C5v6WpJae1pDWjjaPtuM/2/xce8LgROVJjZObThFPFZ4aP51/erRd3P7iDP/MYMeijntnE8/ePBd1rut86PmLFwIvnO1kdp6+6HnxxCX3S62XGZebr7hcabrqfPX4L86/HO9y6Wq65nqtpdutu61nbs+p697Xz9zwv3HhJuvmlVvht3p643pv96X09d/m3n56J+vOq7t5d8fuFdzH3C9+oPKg7KHOw5pfLX5t7HfpPzngP3D1Ucyje4Ocwee/SX/7PFT4mPK47In+k7qnDk9PDAcOdz+b/2zoufj52Iui31V/3/XS/OVPf/j8cXUkcWToleTV+OsNb7Te1L51etsxGjn68F32u7H3xR+0Phz4yPjY+Snh05OxxZ9xn8u/WHxp+xr69f549vi4mC1hT0oBFDLg9HQAXtciejkJ0Q6IlibOn9LbkwZNfSNMEvhPPKXJJ80FgFofAOIKAAhDNMoeZJggTEbmCZkU6wNgR0fF+JdJ0x0dpnKREbWJ+TA+/kYXAFwbAF8k4+Nju8fHv+xDir0DQHvulM6fMCzy9VNqpqVMsugJzS0A/7Cpb4C/9PjPGUxU4AT+Of8JizUh8jnksS0AAQAASURBVHic7P3Zc11JnueJfdzPufsK4GIHiI0gCRLct4jMjIzMjKrqyqqarpru6RnNPElvY3rQXyCZJNOjzPSgB8lkprGRqVs9M91d1dNd3VNVWZmVEZmxcSdWgiQAYt+Xiwvc/Rx3Pfg5916AZJC5dVVW4RfGuLjnnsXdj7v/tu/v9xNaa80pndIpndIpndIp/VaS+Gf/7J/9yrxcCOsbf9fafcf14sT5v1h7Tl7/i9KvW5Z5V39+07//Q6N3vf+/6+MnvMdr8X7HX79efuPvWqhvvsE7rn8nvev+f1/JH7ff9v7/bb//dz3/bff/ezL+4h3bj7/+G/ctrTWu6yKlpK+vD3GqkZ/SKZ3SKZ3SKf32ULlc5ujoCNu2+Rf/4l/wK4pip3RKp3RKp3RKp/SfkgKBAFprHMdBa40NsLS09JbTVU2dN4q74ftKKSzLQiuBEAKBQmuNaLARKOUihDnf1SBlXWY4aUqom/68+3vftQIh5GvShlLqG+8nhHirudT/TWvlfZfHTBfvY6B4/bzj7ffPcV2NJS0QqnZ+bey87+Zebu364+Ntxt9VLlJIlJLmUzvH7uFqVRsnpRRIidYKcWLc395OY6LxTVVC6mP9E5hnKXGivSfeg1Lm/v4x4Y2xP76mafU5VP8bpJAgVO0e5j71cWy8b50clFZYMlCbnyfHs5GOj23DMfXN77xm2n6DKU8pBUIhhazNC6XN9zq93uc3k/LuIWrfj/fjuAmxcTwb2+Mf8k3u7zStn2yFAssy7jJ/bhx/XyfWX+McomEeCBulFWDOr42POtEe4Y/X8XO0ePP6P0n+PPNJn/guhP2N17/LdfFu8p6nvef487ihX2+86sR6MW0VOI5TG/9flk7uUY37jv++/Ge8y/UJ9fff2Oa3zefX54r3gzbzQco3nSO/Yf99fd861ldt3rkQsvb5XuSvD/nN66PeLmXm8wlXQH0MvrmdvyxJzH6cbm4hkUjUnykUlmXmnA1w+/btt/RAHR9cLWsTwXyaiSB9pniSAfhMU9QnkLnt8Zel/IH0BsjFRQoBSJTWWLy+0hr9BVJzjDECHrN+nQG8aaJoKd74+0mfhP8phDj+G+6x9jeOjz8BTo7Jse/e9T7DbDx+jPn4G8WJDR3pPe+ET/U134s4Ps6NfTML02+TPva+wLx3pEAp7W1Q4tj9/Xs0jrslfEFDI6SozZ/GsW2cR36/as9uaG9dAGtol3Bq7TvWr5ogaM77pvcvhHhtPp4kVRP06hufEAKl/PXhmv75z1D62PfahvGWuVU/aO6nvOkkZH3dNfbr5H39+9Xu751naU8AkycZ2zswAifmx0kB6PjcOH6f2hr3BJJGwcofs8Z7+vNcq7ogVrvfiXnceE197DXy5Hp4rWHfvLGqE135RTEX9Xl6Yn16x19b19+gZJy8//sqFyfvc3yfPr52GtvSuM+89TnvwmC84VnH1rc3jwW+wK1eu/abO3R83zp5/rvW79upzm++8fG1/UaZtf02TNhb9td30bv6L7z183/8P/9f+G//2//WO6rNmvGaYgP8i//f/+fEBuszZoFWGjsAoVAI13WNOl9VuMolYAcIBAJIT+NULlQqFbTWWJZNOBLEqVZxygqlNcGgjW3Z9Qnubwy1fpg/fM3PdRTVquNp98cnuR0IYFsWUlo1Rqi1kVBKxQqOU0VKm3A4AijK5TKuo7wN9rjkJIRGSsvro1Prgz8eQtiEw2FAoZRLpVJFKddYJKSoMT7/fpYNgYCNwK5taOVyGdsWSCmRlumL6zg4rotyvYWmxLGF4J8XCJgNrlyueufVJ65l2wSDlpFCT2z0NT5wQkMpljRCSoI2SCGoKJdqpYKUkmAwiLQE1WoVp+piWTahgEQIiauNb8ZvXyQYQmlN0amYsVIC5SosWxAKhZCWv4EY60y1qnCq1ePv0Q4QDNnHLCSVssJ1HYwmZ2GHAmbeKE25XKbiuEhLIrU375DYtk0wJD2NRuFUHZQ2TNXfqHwGICXYtk0gEDg2D99GrmfCqlY0gUCAYEjiui7lchUhBMGgec9SeuPmmHWDUChXEQzZ2LZdEyhc1/XON99t7W9o/gbgayqVt2gXpi/FQgmlNVqcECA1BINBbI+vqHegaU6uv2rFxXGdmiAUDEljyvO+u64ZD38/kBZY0sIO2LXrXdet7R81hUAJAoEAgYBFtVqlUnEQQmA1aDxSWoTCAbRWSG9MHKVwlcKpmnVq2xo7EHhtXtf685pGflJwNc+pCfq/Mkro5EbsM7TjjPi48CoAjVIuJUfjKvc1Bq6UIhgIEgi+0yZx4vESx3WoVt3a+AfsANKS2JZtgFLKpVIx61Z6Fi+kIBgMEvDWrS/guFVB1ali9j+FZUuCwQCWZXmCmdnftJIoV3l7oiAYlEjLqo2vEGZ9VByzH8iAWQNWAyN7H8HFf581hYH6PtP4Xuvj8rb7va8pxryvUqmKVgppCQIBG6WM9cRRZp8MBMX7WwMaSL7DJKSEmbP9AxcwvEti9oBATXi0wWzOlUoFpRS2ZRMKmw1OabMRjQwO09fXh1KKbDbL40dPcZVL35k+zpw5Q8ibaAfZI6ampshms5w9e5Zz54fZ2tpk/PEUlm0xMDBAd08PdVOUL7nWuuR9CFzHIV8oMTkxSTa7f2wRKKW4eu48be1tBAPBmiVAa8OwpyafsbKyQltbJ3du38YOWvz0b35KLpfDDgQIBKSnQQYol8tYFvT3D3Dhwnm2t7d58uSJt/FLlHLJtLRx5epVgkGLo3ye2ZezrKyuGMFACAIB3wxp2jc42MuFCxewLCOBHmQPmZ2dJZmKMzA4SDBo19o6OTHJ+voOSrmgzYYppTSCh1vlwsgI/f29HB4e8uTJ2GuSfUgKRkevEYtFsQO2Z1oy42dJy/NPyNpY7+7u8fmXDwkGApy/cpH29nbmFxaYnJwglUpx+fIVLAvm5uaYn1+gs6uLm9euEgiFODrK8/z5CxYXF+jt7WX04iVKpRIzsy/Z3NxEVRWWbdPb2825c8PE4lGvPYZ5LbxaYW5uzmPSUK06DAz0MzQ04AlKUCqVePxonKPDIghFIpnkyuUrRGNRLATPns0w92qBSqWCJTShUAhHweDgIMPnBggEAhQKJR4+eEh2P4tWmkDAwrLrCzwYtDlz5gwD/QNoNDUV+C2UO8rz7Nkzdnc2OX/+PGeH+8lmszybfk6+kGdo6CJ9fX04TpW19TVePl+gXC4jpKZaqdLS0sXwuWGi0WiNgQtv0ms0UjUIllpRrRoBJRh6m3lVUiwWePjgMflcDkdRE3aDwSBBK0Bvby99g2dAqXea1nVtIzWfK8trzM/Ps5fLEgqFuHhplM7OTtCSarXK3n6Wqakpr48CVXHItGQYPjdMLBrjyZMxdnZ2qFQqZj5beHO6ytUrV+np6WJra4uxsQlKpRK2NAxG4dLW1sbNG9fMBi8NMyuVKywvLzM1+ZxkMsnFSyO0NLdg2fKNm/7bNByfgSqlcByHQCBg1vmvzMhPbN5Cg1IoDdVKhVAoZNYgNOx5ErSL47pMzrxgcWERy7ZqzNXfB9rb27l8+eI7nn+8v46jWFxY5NWrRcrlMghF91A3A/0DhEIhqtUq2WyWickJisUiIWlTrVZJNaU5f+ECzekElpS4aJTrsrq6zfT0NP6+PXr+Il2dXVi2EWgr5Spf3/uaYqGMZds4pSp2IMCNmzeJx+LYNQFWsbO7w+MnYwCc7TtLX18fthQeA35fF5AxoStXeRYZgRUIwGsugje7pF7//R1kbPfcv/eI1dVVes90c+vWbaoVhy8+/5yjozzD54Y5f37IW9+/oFvkXd2WAqVcpIweO9w4922AeDzK2PhLDrKHdHV1MTTUhxCCSsVhdXOVg2wHqgd2drKMj48zM/MCrTWlYgWlYXjoDFJKisUirxYW2NrcIZ1u5tw5SSFf4sXcPLZl0d7ZThcgaJjMNPrw6qaJYrHI1PRznoyN05xO0tHRCcDh0SEL88tUK5qbty/T3dWNJQ0Dq5Rdpqee8/TpBBsb65w9W+HmzZtYSjI3N8fmxg7d3d0MDPWYp7mS5zMzlMtlIpEY7e2dPHr4hLm5OYaGhojGQqyurrGyvIVtR7h46SyWlNi2xf7eHkuLGzQ3t3Du3ACO67C2tkI2myUWC3Pu/Ai4LoeHh8y8nGVqaopzZ4fp7x9CaDM3bCEIBW22dnbZ2twi3ZRkcHAQy7KYX5xnby9Lc2sb4WiEFy9eMDX9nAsjF4jHoyil2NzcZePFKxTw4YcfErcFwnXBCmBZNgqBkBbCLYEwpvNSqcTEsxli0SgD/V20trawu59jYuo57e3tXLh4hWg0zNrGDpPTs1SqkpGR88Rti1K1xPLaEpPTL9AiwPkL5zDuR8nq6jp723t0dXfT399NI17CdWBxaZXJySn29/bp6u4kGo3w7NlzcrkjLMtmcHAA5cLE5AzPnj0n3dQEOKytrYGwuHbtGol4iFA4QD5f5OXLlwRtc3xzdYliPo8t4ezZswQsiSU0K4tLHB3laW9v5+zZsyAUpWKJ/Z19DjOHoLXnwvlmibhSrLKytMqLmTlS8RRDA32U8iXmXs6RzWbp6+ml2uGwsb7Gs2fTrK5s0NPTQyQa5dXGPAd7h0hCjIycJRQKITQ41QquUlhSojTYtgVSgLDYWF9nP5tlZOQ8Aduu7zceg0AYS8Pa2gZaaypVl6WlJZKpOH19/WT3s7R1tuP7SmqmRyFAawM+eM186+NcJEE7SOGowMLcIrZlMTzYh+zswnVd9nZ2mJp8xquFV3R2dBKPJVlaWmJrfRsBjFwYIRYJMb2xzsb6Nq2trQyfG0AIyfPpWdyKAl0lFo1iCcHM9DRaWJwbPkelWmJre5dAwGJ0dBQhbcrVKgtLazx9OsHi4iKRSAQlJBcvXqS1LWUY3smN8CRjlgqUi9AWrqPY3NymkM/T3dtFJBoDXDM2SpnPk2RU69c/a7951/n3wPx9dHDE2Pg4169fJRqLIi0b8zINbgAhUK7L/s4eB/v7JBIppqemCYfD9Pb2IgTsbG7BpQvvML/WO6y1Zmdjl+nJZ+zs7BCPxygWi1SLVaKhKD3dPeRzeZ5NzTAz9Zyuzk6SrQl2V/dY2djGUZI7Ny8RjcbQrmZ1dZ2xsRlWVlY4f+4sgWDQKE9eeyqVCmNjUzybfkFbexutmVb28nmezTwjEomZdRsLobVmbWOH8bExnr14jpSSQqkC2mbgTCfS9tyVb3oHb4jD1EqT3Ttgb2+P1tYWmlpaXh+W2ruyvM+aidI74YRP+03v1v/UmuWlTWZmZhFSc+vWbbQSvHg5Ry6Xo6WpBevCee8evPn+b6V3YBSUNFYNrY9tVRYatFGKbIDvfve7LC8vc5A9pLOzk4+++xFaa8qlKtPPpkkmk+zt7zE+Ps7Tp08ZGhoCYHdvl7GnY0RCkp6eHiONeIOgXGMedd3j/hCtFYLjA6lPrDwh4OjoyGhBu7tcuzLK1atXcRyHmefPWZhfZmpqip7eNlpbWwlJY9qZn1vkwYP77Ozsvf5Mz4/c09PDd7/7XQCcimZ+fp5iqYRyFdvb2zx6/Jjm5iYuXbpEa2srD8RDvvziHmNjTxk620symaSvr5/t7W2WFjdoaWnm5s2bCCkYH5/gxYvnaK3J7u+zv7/Pzs4OE1PP2N/f59zZ4XonpUUgFOLK5Susrme9CdnK7du3CYVChEIhpqaeIaVke3ubmZkZHNfhxo0bZDLN7OzsUCiMMz83z4MHD7hx4wbxaMCT9I3JDitQexYYPmHGVxz7VG7d36g9M7I/drlcjuXlZQb6+49JgP656XQTw8PDLCwukN3N0tXZycDgINFYzDAHpdnY3OLpkyfs7+cYGOjn9p1bxKJRdnf3mZ2dZWlpkebmJtbXt/j885/T3t7F9WvXEdLlwYP7PHjwgGAwyOVL5xkcHCCbNYw8Eg5z5/Ztkskkk5MTPH78mEAwyNDQAJevXGZxcY1yuUx3dzcff/wxSlUpFArMzc3R1NT0zYvnBMkTvj/l9d+Xvnd3dhgbH2dzc4Purl7u3r1DU3Mz1UqFp08mmZ2dZXCwl0g0ilJVNjY3ye7vo5QiHAwxNDSEHTALfnV1jampSWxLcv7CeSyD+qO2Q2hFMBhk+OxZ4okE65vbrKyukkqluH79GtvbOySTSdDGpQV13IIw5pFan8y7VJ7LxuA92ts7GBwYZG1tk2KhUHvXu7t7TE1NMTf/ivb2dm7euklHRydffvkFDx88ZObZM84ND3PlylWWl5fZ3t6ntbWVu3fvYgcCvHg+x/OZGVrbUnz88cfcvBni0aNHWNLi4sWLCKl5+Ogh9+7dIxgI0Nffz+bmJmPjY+zt7TEyMkKhUGB2dtaY5O1zdLR3vNtCqjVKabQya/zp06dorUmk4p5Frz4WaI3r+d+lEN74URf6Gpi50j62pAGg6Z8D5HI57t27Rzgc5MKFCyQScbM+G86xbJvOzg5SqRTxeILp6WnisTiXLo3SiFVpxJ6cpJPreXVtldnZWdrb2xkdvUwul2Nra4tSsYSrFPvZLC9ePKdUKnL+wgXOnRvi6dOnfP7lfaanp7ly6SzRSJT1jQ0mJydZWdng7NmzfOvb3yIajaF0GQMsc9Fasbe3S09PD1evXqG3t5e5uVc8m3nGo0ePGBwcJB7NsL29zcTEONPPpukfHASoWT+jQUl3d1ddGHoHKeWS3c/y7NkzNjc3uXHjGk1NaQ9k2vDOvPXiH/P3P//3Gq/SHiZL+/fX9fkAZn41WISl107fglDbF7Rv9q5NvBOfvyKdUDp8qzF4jNxMGN/PrJHSmD3393e5ePECtmXzdOwpDx48oindxA8++R62ZfPzn3/FxPgEAoeuzm5CoRAtLRlyB0fsZ7OsLG+wvb2PbWuampLEYyEk7mugAN9HcNKXJ5RAKIGLJpc/Ym7uFY8ePuLgIA+Y4wooFsrMzc3xo7/6G9JNTUSjCYqFAr7kK6RFV1c7wUCUpuZmfLCS670w2fCSLMtrk+X7YepIarPhNaKqZQ2dGonEGBjoRylFKpUgm80yM/OC3d09Dg+LoO3jk8PbYBECKbRRW7WLRBEJBRgeGsCpVGhOJymXqqAEtpAIpdnf2efBvYdMTjwzt/LGTSNACg+tbqFxGuaSrqG/tRYobUyMxjRlIZTAQiA12FIitPE9ba6v88XnJbSSpJubPZ+MpA780gilPT+YRMoAFqYNAonjVpkam2b2+StGRs5y49pVkokoKEVHayulQp50U4rdvR2++PxLioUyd+5cZWCwC8u2sSz4n/7Hf89PfvRTutpaiMf6axuWFBopNLdvX+PwaJ+H98dQymJwsB/lmkVt8AQKrQ22oVAoMnxukEgk4h1/Nx8IBCTNLU3E4nHviJlXoVCISCRKIpHg+fMXPJ+Zpbe3l5u3rpFKx1GqSlNzmjN93bR3tGDbvjYG42NjjI8/x6lWaW5JcaZ/ABkwazCeiuPi8pd//TcEI3HO9LQRDIePadN20ObG7esUC3nWN7dRnr86mUxyprcDANdRFAoFdnYPEFIcE6qlEESiETItGSwJynU4ODjk8PAQkOzs7hzDiijXZXFxiYmJaRKJBDdv3qK9owVNhXS6iZ6eHqLxIHbAm3fUIzXM3mI1MCP/nZj22BIsCefODYKu8mf/9i/46x9/wT/+4wRjE5Msv1pmdHSUH/7hD9jY2OA//PufMDk2RSxq09HWzjs3Sm2hXMXmxg73Hzxg5tlzent7WV/dpnBUQdjQ3NJCLBolXyiQy+WoViqv+WvD4TCZTIZAMMD29jZHh4ckk0kikQjb29tobeZbcyZFIhEnEAmQaWvhx3/zM8pVxejoRVKpNL42DiBtyYWRc1QrZebn1rw9URIORzk73OuNvbGk7e3vG1O59/7MHqYIhQI0NzURiRr3lMDCAEtdEokoFy+dq421lBaRiE13dzvppgTxeOjY/l8jIZices7k9AuGzvTy0bfvEo0EQVcNq9IKgSIWjfIHf/iPzD5AwCgQ+IJ+Fa0rVHGYX37Fw8dPaWtr4/d+73dwlcunn/6MF89fEAlIunt6vdf4ptXY4PPWitxBgYnxZzx9+pRQKMT65g7SDqF1lXgiQVM6jeO67O0cUC6XDWDaMuOhtMaSkkwmQywWZ39/j8PDPFJadLS3s7m1Rblcrq2P1tZWhHCQ0iLTniG9mcZRgJBoaZT9TCZNOh0D4Xpm+Pf1vb8fKQzeRJwYG1e4NSXY9gfdn7Tlcpn19XVKpRI///kXfPzxx3R6Zu36olYoqWoL099Yk8kk165dRWvBy5cvmJ2dx5KSnt4Obty4QU9Ppyd11WyF3qcP1jmuvauGe7+af8WL5y8QHiCj6higUaFQYGVplXtff00ikeB73/seU1NTTE5MmLZ5YtjH3/0Y5drGtClcnGqV7e19KtUK8USCeCJBOBwmnW5Ca8XBwQFaa46O8h7DNmZHaVk1Zq+UMj7DvX22t7eZn18gk8lwafQSUgi6u3rZ3t7m059/yfrael1S9CVyT7r3x7VcLrOzs0sul+OLL77g3LkLDA4MMj+/gCUljnfeo0ePWF9bIx6Lc3h4iLSPo3hrfvH6YALU2t1opmvcrN70KYRgZ2eH+/cfMHh2iGKpeOzaxk9/PiiljrXBlxqFh2r3+339+jVGL49ih2xWV1fN+MrX29h478b2mT5ZDRJ4XcpuvL5QyLO1tcnu3h4zz55x89Y1zpw5U2/bO3xzyWSSa1evol2bSDSKkAbM19vby5kzffT09LC0vFx7rmjo96VLlzh/7gJSSkIhYyGR0iIWj9Pa2orrODQ1J2vXSGkxfG6YUCjE3/zkM/6X//gf+Z1PPqK/v59oPHrc3Mfr4+E9GDDzc2Fxgb/+8WcEAgawqZSxkkhLkmnJcPPWTdram9nd3ePRwydsbKwTicQol8vkcjli0agR9izfqtM4d0ybz549S39fH0K6xh9MXespl8vs7u5i2TauUqTTaeLxWP2dKl2zbryN3gQYM9erujn2G0l4br9XrKysAAYr8nTsKcFAEBkQ3Lhxg77+ftZWV/niyy8p5PMkk0mKxWItGiOZTPLhhx/S3d3N85kZZmae09bexkB/PzPPn1MuGd/zpdHzXL1yhZbmFv7xP/7H/Mf/+CMePXyE1i5Xr10jkYgd69vJ96i8cakDQG12d/f4m7/5CQcHBzU8iR9SFotFuHz5MoND/TiOSy6Xw3UdHMe0JxwJEY/FCEfMdW1tbXz/+99Ha4MxKZVK5AsFAnaAVCpl3DkN41wul9nd2SGfD6K0JpmMEwlHqMeVmX4cZLMUCgUODg4M48u01AClJ9/vyT3Gu4n/IydOrn0qrVleXmZubo5yuUzVqTI9Pc2rVwtI6XL27FkiFy9ydHTEp5/+jM2tLeLxmLcv1cN27969y/DwMCsrKzx9Og7At771baanp8kfHZE7zNHW1saHH35Ie0czSrncvnWLUChEPp+tRaa0d3Rw/uwQg4OD9T33NavCOxj7O+TQ+pz313x9j5ONGnltYLVkY32Lr758gOu6ZPeP8ADJZvGLIEpJT4KRVMoOQlhIYaG0wLY0zc1JhoaGyGb3mZtdJJPJcPbsWVoyGayAbZqhjzPwWoMbXCHSkkhhobWgWnSpaId0IsmFc+d4+mSKbHYfqW2WXq0yPjZBpaz48FvXiEZCVF0HJaDqarIHh7Rmkp60Kj3NTLGxvsVnn/0cy7K5fn2E4eEhgsEgH3/8Le7ff8LU5BSlqkM2m8UKWkQTETQOSlVR2gUUWmr2DvZ49OgxylWUK0Xa2lprKGbLFoSPbCw02vXR2grl+TVq6H1hIYTF/m6Ox4/GkLZmY2OT4eEh7OBxJpnL5cjlcpw5c4ZwOMzX9+6BElhY4LomplYIao54bzwFArdi4jWlVkitPK1aIixpEKrCaK5SCrR2cLUmGAgQDATY29ulMFGlUql4/u96GJGSynuVxjqhpQA/DlYKXK1QwlyhBSgPBRqKBAgRQEnTBheFa+wK5p82AoEWEi2MD1l77RRSo9A4yiUsrJomAxLhaQtKSKquZn19iy+//JpSsUK+UADlheq9FxMASwpSyQS3bhrQUSgQoLW5ifj1S0TCEQJBG1AoDMJdaoOEVrgEgzbhYKB+M09juXr5EufOGheVZVkEbC+WXilCwQBnejr55Psf8emnn/L1wzFKjuDC+T7C4XDNGiK0QgrzLKFBIkxMvNLepiKplh2KpQrReIL+wQEOjw5rCObnMy+xQ2HO5gdYWlpicWGFM2fOcO36RdbW13n6eAbXdRoENfOG6nuGidkNhSXBUADw+yk9awhsb+9y795DhBQcFQ65cuUK3V093pwXnqBdt/BAvT+CemhpqVRify9H7iDvxazXwah1PuDHEdetRWacIBqNMjQ8yM7eNtPTL2lpa+X6lYs0t7TgaIdUKoUlwVUOhYKL49qcH7nE4uIiqUQcrRVzrxb54qt7/PAffcL5C+fY3c2y8GoBp1rlxo0bhANBfvzjHzM5/hxbRvjoo7ukUyl+53c+4Wc/+xkzz2ZxXcmNm6MkEgmEck3OB0wUybF48obwReGBnYoFF3SQ3t4+lKvI5XJ0dHby8sU8kxOzWHaQaqXCq1dLuC7s7+cYH59ieXmZixcv0tffg9Yuli2J2GFcxzDp8fHnLMyv0t6W4dq1a0RicbMKXZBasr2X46v7jwkE4PDwkEuXRhk+N1wTSHyBY37+FYuLCxwe5gmHw1y7do1kMlmz0Fme5TF3sI/rOFRLZSy8vUsBsp6fwkwE3w3hDwSgNQND/ezu73KQLxEKhbh85RI9PT2ASywWIRSKkMsdUSiWyR8VGBkZwalWKZYqtLW1MTU1xRdf3CccjtLb28dhrszDhw/5+c8+5/btO6TSMcbGnvLi+SLoB/zn/+T3EVoTjUpGLw1SqVQROIRswbfu3iaZTBAIBY65XY7T23zg7we2E439byCtamgzw8hVLQ5ckEwmGT43TLVSJZ8vIq3jyNBSqcTExITx3e5sm3H3zBWu63J4dMjG+jpHR3kikSiO47KxsUlLJkMkbGMHArwPmXg9g/Cdn59HWhYd7a20NLcQDAZq2kClUqFSqWAHAmxubJLdz7K9vY1SRquempri4+9+UNuMqlWHtdV17t+/z8HBATdv3mJ4+CzpJqOJDw0NEbAj5AsFno5PUMgX6O7p5tbNW8SisdfaGY1G6esz/uPNzTWkJT1kbD0hjrQsZC0ZQ0Os7IlQhXg8Tl9/P8GgJH90RCgUwpKydh/HdXn8+DGHh4ec6fM39UZzvTIM1NN6TYyoRuB9yrrmDsc1nUby2y6koK2tje6uNpaWFtneOUDpuiUGGrTw15JyvO5P981u/nMrpbIJu/GSGsiGsdFKgxTHNPRj9zwROyob47YbfIpCCJqbmhgePkcud8Tq6mpjR2vnfyMJgbQskql07VAoHCbkaUY1v5lHrrdBCwwD0l64WSgUrvUnFo0RCoVqbRSNG4ByCYUj9PX3c/eDD7j/eIypqSm0KnDx4kUikZh5R9TX7vH+18dMCInyfOpNTU24rkskEsG2bUrFEru7u3R1tLG/t8fh4SGJRIKOzk7K5TLBYJBS6bgrqX5fH2msKZWKHsOXnsXLP98ikUgwODiAZdusrm2wsbHB/pkuOru6jg3x2zRyrTXVapWdnR0ePHhIoZCnUGi0CtXdFb5g0bj2fLICAdLpdC2hRiQcJtPaSntHRw1sWwf8mTC5TMb4dtNNabTSOM4cO7s7VJ0qra2tJJNJCoUiR0dHtLe1EY8nCAaD5HKb7O3vg+ez7ezs4u7duzx48JjZ2VkQFe7evUPQtk3oHcfX0mtjoBpyM1g2qVTaMEKnSjqdRinF/n6WcrlMpiVDJpNhd9cA3Xp6emhrz5BOp4+NmVIuhaKJCnrxfI5UKsXo5YucOXMGy65b0AASiYQBkQbgq6++Ynx8jEDAZmTkPJZt1e7Z2tqKbVtsb++ysb7B8vIynZ1d2IEEPsq8UCzy+PFjhBDs7u6hPEwCDe+xcQ6fZIpSSuKJBM3NTV4oY4D2tjZ6enq8cE2BSTxjMBEAqVTKhP8GKrQ0tyA9K2M+XyAajZFON1GpVGrvuqOjhdnZOMVige3t7WMurXgiaSISlHm3mdZMvZ3fYFX6TZMNJgbUkENzJsnlyyOUy2VCoQDJVNRkFrMkGhfbliSTcfz4Wa1dJBauC6VSmempF8zMvCSRSDA6Osre3i7Ly6sGQHD1Ml3d3aCr3vPejOrzF5SJW3TY3tmhu6uLM31dRKIB77i5R2dnB6FwPWxDCkE0HMQSGsuyDOingZaXl3l4f4K1tR0+/NZNrlwZJRaNGHc1kmgkyrkLg2T3s8zPL7Af2KWzNcXwUK/xgWA2bV+TSCRSnDvfRzAQpKurlVAoVNtItDY+k+MhYwqtGxmWwlEuSkAsGWH4wiCxSJBwxKa1ucWwYOmgpIlXXFxZZmRkmM6eNrL7ObQfwy8ULgLLA7v5kqzwxtEAnr0Nw1VIjIYlhPbi8D2GYDVu1ppkKs6VKyOkm+JMjM2wubmJFJaRoj2ytIX0k7YoVdOowGiMAU+rB2liW73Ncvr5LLs7O7R3dmIHbC98TlNxNVUNroJi1TXSb0AY3z1Gi645Z4SgUqlQrVYJ2hahgA3axCwLz9/f1Jzm0qURivlDMi1xYtEYjuNg28H3WyX+RuOP7QnynxMOBBFK41RdAyC0LF69WmRjfZt0uokLF4aIRE0IyYu5edZXt3CVIhWPcvvOHZPYpCFMKRCQjF48j9KC8YkJpsafI1WQS6PDBINBkD5ewSTqqQsUPmNy0Ti18Va6LsQpXY/3NTgSXRM2zbUarR1vnUm0AikDBOwQWrtUqyUcx2yc66s7LC4tEY2GGB0dJRINm42UKslklJGR89iBAF/fe8TKyhr9fd2MjIwYbdTL62D8tIJK2fjXI5EglggiCJicB8EgyVQcy6q7iGrjjwXKRSkT7+yqKpa0kJY20QAiCA1x2hpw0bgSyk4VnAq2HcCyPHSwJ3BaQmMJXQODmvBAgdGwGgGDsuaXFsJCu8pLYuW/yzL9fV1o7TI2Nsb01CyCEFevXSAei5t8CycS5fjM27da1PJ7eEJHoztJaRcEWFLS1dXJxvo2c/MviUSiDA0N0d3TWhOEfVBjNnvIs+mXTE/PkG5OcPHSOdo7MihdxnUCWLZnZdIuiWSQkYuDhEMxJiYmmJ9foLdnh5GRYYSwKJWM376zs43ung5mXy7w1Vdf8eLFHFev3jA4JGkhRABLBmvCRzCYRetDkBrXrWDV4uUl1UqFai0mXRKwbSzpg+EMRkV7llHluYSVqmJbNtJSSOkDz2RtfvvjJ/11I12ULqOpIqRr9kXh5/CQDc/w9wBR+zyGd/JJvnl/+E9BNR95o0allMK2bYaHh3m18Krmk/HjVEdHR7Fsi8PDIhvrGx4iUFAo5FlaWuIon+fixYvcvXuX+fl5Xr1aYHFhkZ6eLjo6OpAnnQInxqQx4F8IQVdnJ9euXePscD8H2YOG8wTt7e309ffUjmmt2N7aZ2VlhVQqxaVLlxrMcIqdnR1evnxJc3ML165dNQljhG5gfmZSzL+aJ390REdnJ2fO9NUb542Tv7j9hReJRjkTT9Y3yhOxybVF1Ojn9bUpr23+b4FAgAsXLhhEdIPp17Zszp07x81bN2hvbye7P31MI69p/fWHmmd4C8DyTNqNPv5GLVlK6zUEuxCCVCrFSDyOUzGpHf2ogMbJ/DYfttaaru5u1tfXyeVyrKyskEiGCIcjLC4s8OzZDJcujzJ6eZSzZ89yeGhi7uOJOLZt82r+FVIILoyMEI8nUJ7m56PFXddlZWWV7e1tWlpajK9KK881U0ewaq0IR8L0dPewsbEGQKa1jfeiRqSxViYK4ATeoaOjk47ODQr5AktLi6TTaaKJOKsrKzx9OklfXz+DQ72EdRitNEuLi4yPP0MpRUtTihs3bmBLC6watNYAF7HMHLYkY4+f8PjxI6yAy8WLl7D9WPST4+7PZXxrme/ffrMpr1HQbJzT0moANApJJtNCT083W1sbvHr1ilQ6RiqVZm19jcePH9PcnDI+ymj4tY2u5v/10nEaF1N9bruuw/r6OsvLyyQSCc6dO0c4HEZrbUJX29u5e/cOW5tbzM+tGUuHf702roRSqcjS0hK5XBatNa1tzZw5cwbbNr8f65uUFPIF9vf2KeQO6O/vo7m5pTZXjCWjPi6NSanq42KYiPIS1vjCgm0b19pJM2tvby9SSlznKQ/u3wdR4crly6TSyZr2649VI6jWtz4dW+sNWAxLyhrS3l+7Qggsb5xP4gtyuSOmp6d5+mSKTKaFa1evEQoFmZubQwjB+XPniNgmpLcxCqlxT/PvWSqVmJqaNjkh+vvJZDIn1r+qYSCEEEQiEa5du4brOBzsF9jb3aWGZfKuq5QrrG9ssLaxiRCCeDxOT0836VTK7IcNVmLhRSwtLS6xvbNJe3s73d2d3juuKxsnLXh+VIKUVs3SJC0zjj52Q8hG62nDZ+N7PWYR/YZjv2GyAeZeLFAtukgtOdw/ZGHOAHeKxQJPn44xdLbPZFHTCqEVllDY0kivAkComu/MdT0pRigQDlIez8omTppQjlE9gD8YDNDRmWF3b5PmlibsgMXqygb7+3tUqlU6OjuJx8PYtqf9eeCqjbUNcrmcZ7otsLq8xOCQYcR1c5syLlzh+XRRCGnMTeVymRcvl7j/YJxSqcCtW7cYuXAOlAPSplpx2d09IHdQQCiXUv6Irc0dwqEokagPirM4Osqzv5f1wj6KaKXY399jaXGJdFOcdFMTQmi2t3fIHhjwRKlQYnt9m2QkRCAYNGFCUpKIxehsa2dleYPerm5K+SKL8wvsbG4RsCy6ujoIBqwGVKNv5vFijvElcUUoHKSzp5O9vT02trbBstnb3yESCdHWniEcCWJyUzdIpNollTRS+152m52dHfObq6gUi2zvbJPPF0AocodZdnf3CYUiBENGy7k0ehal8zx59IyJ8SksyyYej3N4WKAp3UxbcxMdLS10Ztoo5vaZnX2FLWy0tHj58iUDQz384AffJh6NsLOzy87OjsmK52hWltd4+OgJruNy68YVrl8fNUxhbZ18vohWgoODHK9eLYFQHGQPmH85z/DwMJlMi7fo3sNXVVukJ6RurUG4DAz1UXUdHj58yNTkM0LBCMmmJvb3cyTiCVpamo1vWlooXDKZDAMD/ZTLZZrTKcMcpDQM3L+9FyZm25JLF88hLc0Xn3/O11/dZ2hwGBGW7O7skM3uglBUKiXWN9YIhXtqoDPjq66a5DkBi0xzE4GAbdDpysUSEA2Facu0srd9wMF+loW5BY4O8yRjESrFAtubG7S3ZujuakXoUe7fc5iZek7Asuns6GB3d49wOExbWwdCWKwsb3F0WAEk+XyRV69WDKamWqK9vZWmdJqjozzLS6ugJdpx2N7cYu7lLAuvFhi9fIGPv/sB5XIVKVyzvpVGYuQcS7igq1hIhFJob8M9ODxibGKSly9fAjA6epFMWzfJmMFa2EBrOk17cwvVQomXM3Nsbm6iVYlUOkVzc4th4h7eQwpNc0sTTck02Wy2nqHMFUgtsTB7YLlUZXl5lUgwQLFQJNkcp7k1bdahNL5mhMS2FH29XURDYYr5A8afTNLb2UcynuAge8DWxiYojao67O3sku9oJuFZFE0ccRWhXCyhSaWTBCyJCYQwuAzXu25/dxe3UqWYz7O3vUumJU40FqvNq72dHWampikc5ei4eB6h4NnkMyYmJ0kkEvT3niEajdGeaWGtKUXx0GFhboVIJErxqExbppVMcwtSSLRb4dXLRRYWFzncLzI0NMTW+jYBGeRMTweRkMnsZiFAuR4+x5NTMW1XAjNOXvsqjsuLl7Pcu/cIgP7eHhLRhGHkQoDrkIhF6Wxr5iCbZWlxhe3tbQ4ODrh16xbtbW0oVVcELQuampI4rusJdQ6aOtbJLGNNtapYWVmjVCqQze4Tj0fo6up4+15w8u9vOvYbJhvgydMnBAIBOjo7qVQqPHr0sAYcsS2LeCyGHQjQ1tZGKp3GDtg1Ta2rs5OmdBpLGv9Ya2srlrSJev5k2/NhSEvWjr0PpdIp7t69ixCSvd19JicnkJbJWJZKpbh75y69fe11gIjn93n58iWO6xrfjG0zM/OM/v7emt8nGonQ1W2ku0Z0sR/zXCqWWFhYIBwOk0oliMfjxu+sjJZjUP0b5AsFOjo7kVKysrJiMABe+AeYGMnnMy/I5XKEQiE6Ojs5OsrzdOwpff09XAiFCIZsXr2ap1oxPjcwpv+uzmbDyBu0vQ8++ICv1APm5uaQC57kWnEYGhriu9/9DrFo1JgE34BW9yVES0pSqRTf+973ePDgAZubm2xvb1N1NefPn+dbH9whmTThbul0mq6uLtLptEmPqk3a3aZ0mo7OTtJNTViWRT5fYG1tHcsyWajK5TLra2u0tLQQDAfB840PD58DFebly5fMPHvmYS8UV65e5fLlEYOo1ZIffPIJgS++JLufxdEwPDzMR9+5XbMKra6ZRdvR2YFt2cw8nyEYDDJy5QqXLp2vmdnm5+cJBAK0trZSqVR59OgRWhszcygQJhKN1CXrd7jI30meENnX34+QkmcT07ycnUVYFqVSkZGLF7ly5TKRaKSmSYyOjnLhwmW0NubbQCgEnrvoJHYCT3MYHBwA4OXz50hLUqlWWFlZ5fDwiI72duyAxfz8PJnWJs9XLYhEonR3ddPS3EImk6GpqRnHqfJydpbOzg5aWpppyWTo6OwEbbOxscHTp0/p6Ojg/IULRBaXWF1dpbW1lVgsQmdXF3fuBHjy5Amrq6tsrK9TrFRN/PjVq4RCIZ48HsNxTZY2rTVTU5MAxGNx7ty5w2B/Dzs7O8zOztLR3oGNZmtrC601o6OjfOtbd7AsiSUlzc3NdHaWSKVSoI35v7W1lVixSCweA2l5r9HMz+am5lryqHS6qW4ZEJJA0MTlaxHi+fMZdvf2SCQSXLp4nYH+AYQUhoG1t+Mjuq9cvkzACvLq1Sva2toQUpq9xLdeSMHRUZ7xsTGTiMi2uHP9NufOn6cWV3zC39vc0sInv/M7PHr4xOB9pGB3b5eVlRU6OtqR0mJ7e5vt7bSJPZcW4XCY9vZ2lFI0NTXR39+P4zhsb2/X9o5gIMjKygq7u3s0NzcTDFpsbm7Q1pEyjNyb76FQiExrK3YgxPrGhtkDqg6ZTIZUKlXTjkcvX0ZaFtNTL5icnPLSGge5ff0WZ8+e9fb8MD/84R/w45/8mJ2dHfb399Fa09/fzw9+8HHNtRmNRenq6qKlpRkpTUrldLqJrq5O824bSEpJImmSgAkhaG1tJRqJHFsPvb29gM3kxISn1Stu3rzJxYsXCYcDhEolWltb0VoRjcXo7+vDsi2y+1laW1uR0iLqubl8hu86Ds9nZliOhSiXy4xcGOHO3bu/0tbwn4qE1lqvrDwHGqIJGlDlQggSiRhCCHKHB0gpafaSaRwdlQwoJmAWnOM4HBwcUK04xGIxEok4lUqV/YMc0rKIx8MGoFUTWE6m0PNMvl5ubOUKcrkcpeLRMa0eINPSQiAQ9MycRnMxoI99yhUTmqZR2HaATKallgIwf3RkUPeW9GIEDSjJMByN67jsZndroR2RSIRkIukBHixcx+Hw6JCjozxCGRNuMBQiFo95m6dhUIVCnsPDIy8U67jJKxwOE48bnMHBwQHVcj1eNxAIkG5KYfumBq0Ai2qlwu7e3rEqRL6ro6mp2ZiRdEPYl7Tws/6YUIG6OchRmv1sFrfqPVebcKpUOollWThVtwYqCoVCJFMJc1y5HB7mKBbKhMNhkok4WikOD/O1HOxSSiLBCIlEAmmLY++nUjIhTVXXrwqiicdiRKNxk2JROSAEO9u7VKtVhDTj0dTUZDRWpTg8POSwkEcpXcvRbMxvMeLRGAiJ65okFY7rRwd4KXm9Dd+2LKKxqAEvvsnX9cuQN76VcpnDgyOcahWNY8YjZjQiy7KOm+UaTOC1F6UV1BDcvpDqzW9tTJn53CHNLS2gBYdHhxQ98JcQAtu2SSbjBINBXNcINdncAYFgsHZcKUU+nyd/VMAOBGhKmbmYPypSKBTRKMLhEKFQkFKpRLnkEI/HicWjSCmpVhwODw+pVMu1eRsKhWrYmYPskcGsePiQWi5sKUilkkRCYSrlMrvZbK3d/mcwGKCpuQU8c3Uud0C55HqhoXGq1SqHh3lc1yEajZnYfi/jneOa+Vkqlb11FiIeT3j1HaQ3vySlfJl8oUDVrWBZkngiZsKptKZcKrF/WEBKi1Qi4qVXFRSLBXJHeQAyzc0cHub48ouHTIxPkEgb10hvdyeWZZFIRszc8kz+PtraZBgzVjLXdcntZ01q5VDI3P/gqDaelm2ZMK9IFIRFpVTi8CiHct3a3FVa43jjoZRLNBbGdR3y+VJtRgXsAMlkgmAoVANtFb217eOK6mGrBuTX1Jw2c1VDoVDk4ODQzD9lIhjS6TThSLiWYAUh2Nvbq8W4a2VqTTS3NHv52B2KxSKHh3lsy6ap2fCPw8MjSsUS0WiIZDJV8/+7LhTyeY7y+drcSsTjRrnxlglKUa5WOTrKU/WwGrFo3GTQk8KswyMzD1NJr71SUK1UODjIUXWqJBMptNZMTD3ns88+Q2vNBx98QE9vB5FIhGgkQrop/Rus9f2uFLInT49S9/vDzs4OUkr+5b/8l4aRK5UDGvcUH7jkMU/8KlNmktXy4noJ24X/e21jkl5uWLNxaS08k5UH6HhPRq6V57vwUyj6z6iBCnzf5Ql/tHjzAPkauGGCDaEevinaS+Wna2FhXjiLp41zLCE/tVAvV9VLONa0ex+oIuRrlpaTpfYEJ3wuus7oat3wfTP+GJwcBylNUhkpGgQxvyobxxmG1496+UdZ22AMoMMILbVn+eNY87lxTACqpUCskX+tW78v1BmU9i0Hqn69D2Lx+6OVabipeXis/W+s7ub/7roeCIw69uFEf99dTvSXJL8NfrUJLzUo0q734TXmTQNz1/XxNz949/F986ZQSK3fmrq/vnFu1BKOmPmh8OfbyQ3DvM+6AO9HPLieVO8DfOTr79E/r1EwsYQHFPMjU9Tx/jR4fmjwidba33gv/71rDdJ3M50Ax/pCa+NEaAxdqo1Hw/lALepWeIKv3xZTvxWtLU8rPbGv+WvWdZiYnGBmeo7t7R0C4SAD/QN89O0PDeOX/jz2J2p9vM39/P3Kf7/+vLBOWNX8OdMw4d9oyvVv51/7nqAr4YG3GvcR/7l+e7UCYR/fl2o5ItTxe+mG+dv4e4NCcpxOzCuDwOWdCVVq/W1orz/eXg77Y+2q7U8Na9A7f2FhkbGJZywvL6O14syZPq7fGPUylXo+8nfUYvjl6dfHyE3RlFK9ItXxhAvay65lEOBCWLiuQ7nseOABk6JPWgLbA4BUKmUsbK/Kl8Z1qlQdw7yCAXmizu7JDtTjqgGENBuQU9VUnQr1etkQsG2DOnQVjqNQrstr5eWEF+fqJeIoV6uGiWs8QcSEdlmWkYCl8hiPZZsiMq7x6Wv80Bqz8QG4jovj1NsvhDZVyqRfWxecqoOrHJRfXQhTHELada26Wm38vfbGzLuQLrZl10I8KuUKynXxBS1paa/wA5hMSzQ4n6C+kXhMouExJkwDb8M/6fPlNeHIvB7l8XrRsCl67+3Y2vM1Ye9/NSGlMdzLX3jevY4NgTp+7QnG91rZwpMMoMZg/Nu5x5r3G2Hi0NBPn0FR30ROgmbedB2N76TxdwFYtfGvUeN7epNQ442j8a++abPw54z/3Rcg/fH0x/Dk+/WErJN9Uph2Nq7rN7kufA31ZHsbGbvbMP909QSMwZ9H3t9v6vsxIaHxfKjNT/9YYxiiMgj617YmX3DxzotFYwydPcPAUC9KKUKhIFZAGGbqz+vXqHH+n7g3ePO24Tw4LsSesKwd6wMAVm1ZHXvG25j6MWXgxHP97wJozBBZe96Jd3zsnt76rgmc3vw9eb44Ma/Usc40PO9En2sCZeM6a5zzJ8e3cS41dkQTCgc509NGd5cJI7OkJBoKI33G/x7y0N8FsgG+/vreMfRyPRbTmFqGzvbT0dGB1i6lUpHxsWeUSnXzTWtbCxfOn6dQLDI3N0fpqEhPTw+9fd0cHBzwYtYgjwf6eow/5x3mzOPZxhQLi4tsrK9TqZgFaNmS0UuXSDelWFtbY2lxmarj1AsLee2XljEZ3717Gykls7OzrK2tGZCeVx87EAgwPDxEW3tbTdIsFgo8m5khd3Bk2oBDKpXm4sURA/goFlhZWWVlea3G2OPxOP0DfWQyLbVje/v7Xg573+JhwEH9g90G/FMxWYkOsoe1vvrnGQFJ03fmDD09PRwdmcpylWoFgfm9vSPD+fPna6j8GtU0oBOakEf1RBm/5Cx93cTw/te9SSP9RembmKEQDT6id7Tjbff6bae3vY+TTO5dx9/n+jcxll+V3mqx+IbnNV7TyPze5/2+bT69ieF6xwa9ehM1Zug/900hSG8b7zfRybFtHPP36fubnve25/863Uonn/dN6/xdz32TMNZ477f9/rb7vm1+SklnZyedHR2vj3NjW37d8/s3QDZALmcKSRTyRZqbW+jqaTKacEWzvb1NOBymo72bw8MCU1MzPH78hFQqRTQSYT+bZe7VAnYwQiQY4tnUCza3trgrbXr6eznIHfLo4RhCCOLRCK3tnd8gARryY/dcR7GyssKjB+McHBzQ0tJE1amyvr6FW5VcvnqR5aU17n39FK0VA4O9nuVAsrm5wdZmlnS6iTu3b/Nydpb7955SLBbp6mw2T3dsVlZWODoqcO3aNTrbWikWS0xNveTp0wkCQYtUKkV2/4h8/hXBQICuri52drI8fTrG/t4+7R3t5PMlioVF8vkCo5dHybSmyO7v8+zZc2ZnZwkGgsTjMba39lldXUdRNYjlUpXp6RkWX63Q1NxMJpMmFApRqZh+F/J59LcDhIIxFpeWuHfvMV2dnYQjYba2tlheWscSUYaHez1LuK+V+gNpJmSDvmc+GzSLYye8lX6Bjehd9I0a6a9wj/fRQN51j18X/SIb939K+ibN7Be5vnFz+1WEove97uRGfpJOvvtfx3i/a441MkNfcPhlGdf7nPvrXHPvK7j9Ivd/0zs6+S5+mff9pme97/H3FWjfxLi9Y8p1f3MWvF8j2QCf/OAH7O/tkT8qcOZML9/7/gcorSkVHaanTZGEbDbLs2fPefz4MR0dndy6eZNYPM709DRf3fuasadjXBq5WI/D8/2Rv8RkEUJSLpdYWVnj4cMHFAoOIyMjnL9wjlwux4//+ic8fvyYdFMCxzPBRWMxPvzwQ2IxU9ji0aOH7Gw/wc/H/PDhQ9bXNhi9PMr3Pv6QaqXC4uIG6xsbvHj+gkQiQSIW5cXz5zx5Mk4ymeT6jatkWjI8fz7Pp59+ytj4OEJKlhZXWV5e5sL5C3z7O99mc2ObL778khcvnpNuSpNpTZHL5SgWinR3dXP+/DnS6TT37j1manKK+bkI7W1t2HYI16s0dqa3l5u3rhKNxsgflfjRj35E/siA/NY3NhgfH0Mpl1u3b9PamuHhg4c8fvyUx48fc/Zsz8kB9P/wPt+xME6i3d90TiO9a7P8RSXjX5YBvO36X/dG9YvSb5pxn9QCf93Pe9f4/l3TUN618f8m2tuoff+iQuS76G3WAJ9+1ffxNg33l6X3ud+bLAq/CGN/kxD1ruvfV2B42/4Bb0788neQbIBYPIxlgxAaO2ARjZkwmUJ+jwsXholEwywtLvLkyVO01ly7PkpHVwatNE1NcTLNzcQjUWKxMKl0glzuiNzBEatrO+zuHRGwbRJeUZL3mXRKueTzR0yMT7O8tG4KT1w4R0tLEstSdHRm2NkRhMIBEDHa2jNEIxGSySjRWAQhLO83VROYj44KVKsuoWAE2wqwsbvJ2NNx8kcFlFAUShW2d3d48PgRparDnUt3ONPbTjAYorklRlt7mngshSBAueTiVAWBoE0iESOXy4JwKJdc3CqgBZlMK9dvRL00lXECgQChUAjXNbmvq1WXcChAW1sH1apDSyZNImFQuJa0jYYtjL8uGPQRrCGam1Mkk3ECIRvHdcnn88ZvbvsAHmHASWYkzaHayL4BXNHIFN6XfhWJ+tdBf9vP/9umk6bm38T9f5Pn/6rX/SL0m5oLv0mT67usAb/pZ/0m7vcmc/77Pvs3JUj+sm6Xv4NUK5riZ/sqFYvs7OziOFWePB7n6rVrRCMm93g2u09TUzPptDEBK1dx5swZkolmQqEQ8WSMS5cuoRxh4hmz+1SrVVKpFBcuXKC9vf29GiWlRblcIZvNUiqVSCaTJBJxE8KWSHDr9m2qlQpNzSm00rQ0tyGlRTgSQQjB4aEJyQkGAqTSKY5nqzL1vb/++msKBZPa0w6Z1KDlcpnt7W1STS1eeUITZ9jV3c0nn/yAQCBMIGCzsrxBKBSiXCmzt7dvwszc44lvotEY0WgM12O22WzWS3sbIhaNYtm2lyXvMufOD5NMJgmHwzjVKtmDA6pVh0Q8UYtBTyaTaK2JJxIc5fO1/iWT9Wxyvy2T7pR+zfS3/d5/1Y31b7v9vyr9bQuOv+3j96vS3/b8+9t+//j1yL1axUIINjc3eXD/EdWqyVZ0/ryp+GQKr5tcwn56QGlp0k0pmlLJmoQaCXZQLTsc5Q95NTtHSybDldERBobOEEtE+eaSkX5qVi+NozIhcKaAvalpHAoF6enp9MLbDANuajZl5tCSSsXh+cwsq6ubtHe0cfPm9XoKPltRqRY4ODhkdzfLt7/1HR48fMhh3oDaHFeisE11MqFqLyiRiBCPm4pN5XKZwaEeCsV9trd2+eqre+SPSuQOykSiAfyqmMLL1ZvP53n27Dm7Ozusr+/R1NTEmb5eYtEwdlDT09tW67dTddnd3WNq6hnFQpnhc8P09Z2huTlJa2szSikqlSpTk8/Y2Niku6eda9dHCdgSjqHAT4S31MLYTqJ3T+mUTumUTulXIfUW16U8hqb/zZKpfubWi8GHQiGampopl8usrW0ey+Prn9OYg7hGnh/DcR0KxSLVignSd6pVjvJHVCsV0JH39smczP9s/vbjwL048xqy3QsT0zA5McnTp08JhyNcv36d8+fP4fuItdIsLy1TOMwTDAY5d+4cE5OTNUZ+rHSgEMcQqCZvr0HBn+k7QzAYYHXVZEVaXV3FtgMMDPTT3t7u5Tw3ITqWlMTjcZxqlb29PJVKhVKpWMut7hdSEUKyv5/lyZMnzL5cYHBwkOvXr5FpySC93JCu4zIxPs74+DjJRJKbN697dXB/U3GOp/RbQX8HNIJfiX7b2/+3Tafj96vRrzh+4u+ARcRo5MLGrw/c1tbGnbs3qFQqRKIhkqkowqsL7pMUFlqZ7ESbW1usLG+QTCZpbWthaXGJqckZLCvArdvXyeVyzM8ugra5eOksmUzmeCKSY+QnjJEILRCYutLaq2aFqyiWSszOGYT40EAPzc0tWJagWCoy9WyBe/cfkUrHuHnzJsMDfVjSRXseBKEstjd2wVVcu3aVQMDEvNZzAVeROAgvdzFCUq1W2NvL8mphgVg0zJm+PhKJOD09XXR3dzM7O8vSqyVisRiD/X30dHeCquJnOYtHY1y8cMHElFce8ODhA5YX4vT3DhCPmgB/AayvrjE28ZzlpXXODZ/h1q3rpJubvKo9kvxRnomJGR48eEhrqyn4MjAwgOWlTz2eZOOkT8nXzH99E+eUTumUTumUOJ6Y6hei90wE8x5U46SmXrS5sfTypo+MjJDL5cju79OSydDT00OlUmFpeZlisUi1WmV9bY0vv/ySiYlxdnd2WFxc4ODggN4zZ/jOd77NxYsXTe7ruTl2d3beu2GRsKlUlUgkTN7hnW0cxyV/lOfJkyd8+eWXrK2tG61cSgqFIg8fPWRvb4+B/gF6e3tNkpoGBL0QgubmFkYvj3Lt6jUs2/bcBOZfKp2ir68fgJWVFbLZfZTWbG5u8tVXXzExMWGKTWC09/1slrW1NYLBIO3t7bVax0hJLnfA3Ows8/PzlIqlWiIcrTWu6+K6bj17GrCxscH8/DyWbXPp0iWampsQ0uTYPjjI8mzmGY8fP6a1tZUbN24QiUR4OTvL/Kt5YyH5LYl3PKVTOqVTOqVfL9kAi4sLFIsFhNQc5Q9ZXlrxso65zDx/Tt/AGWPqvX2dRw8fMTY+g+vaxOIhtnazAB7oSlMo5qlUywSDBphmil0oKtVSLVSsTm/RzLUiEoly7foVXLfCyuYOk9MzVCol8oUCuaMjYsk44WjMpGPVGuW6FPNHCO0SClqEAw0obhTtHW3kDookElFSqQTbO5tUqw5Vp+xVI0vQ0tzM3bt3ePz4KXNzrxBC0tbWxvb2LtWyQyweJxCw0UqTzWaZmpxhauoZ8UiM4XNDZDLNoB0QFoV8idmXxnIwOFQgnU6zn90lFo3Q3JImGLRBV7ywL5NJrlwuEgkHCYcjBpMgje97e2efsYkpckd5hs9fwFGwODvP3NwcLS0t9PV2/XKxjicDzE/plE7plE7pt45sMH5ly7Jpbm6hVCoyOWmqFTmOJpczWckikQiDA4NY0uLxo3Hm5+cJhS3y+TyDgwNcvXIVhEMymcR1IByOoJUmGDTIamnJWmnFd5K0CAQl6XSaGzduwMQ0u7u7PHs2g1JuraatXx0HwLJtmpubCAaDhILec7wkDQLB7Vu3QAc5ODhgcXERMDHuoVCI4eFzDA4OEAqF6OvvR2vB+PgEy8tLbG9vUyyW6OruNrWDU2kq1Qobm5tsbm5gWTbppjSpVMorTGBAcqlUivb2DubnDcMNh8MUCgX6B/o5Nzxsqqr5sdvKFIXIZDLEotEaU/Zztvu53JPJpCkiUypwcHCA67rG165+fSaaUzqlUzqlU/rtIqG11nNz48cOqgZwmyUlmeYWUxdXaKrlMhsbm6buOOa8UDhCe0c7lUqZvb09qhXD0NNNTRTyeXb3dgFIpdJGc/9G5Dp1QJxnLt7bz7KfzSLxwGEC2tpaiUXqZVGrlQpraxsopWhpSZNMpRuS8BsT9vbmNvlCoZY5DowbId2SJpVKo71c005Fsbm1RalUwi9AHwgGaW9rw7KtmkaePTgAIBwwFdZCEa/ikZfqNZ/Pkd0/oFKtoJWpeZ6IJ2hqbnqtElY2u0/24NCUfc20EAgGUV5/C0dH7Ozsoly/ippbA8qFQiG6ujsb3ujrJvY3Fhk5pVM6pVM6pd8eelf1M8jTWNVLuS6Wl2DEVI3yfqiFMel6eUqt0dLyGH/dVutnd/OrgR1rz7safIIZae8efpYdjSmPKDnJtIRpl1cO02fkyvVR515FJdnwDK1QQnu/KzSG8ZsQOFO2VDTkMvfR8o0VzPwqaDWO2Vgd6Jt81yfSATZq6GZcRX3YhTACiecqqKdBPFF44JSRn9IpndIp/f2jd1U/Q+k6LxACSwbqhXqU9viHAIw2asoJavxau8KvXtXAlIT3D12Psnt3WbgGRnYC0i+l5YWdScOYhDCWAykQWCjXqfuJ/bKYylQikt75pmShd0Of2UkLgW7gfeIYk7Zs2yDmNQipatq8MRh446F9xuqPif8QaUZB+dnTfIFGHW+DNtaHY9XnGvpvGLH2EOyYNvg/i29g0Lp2yimd0imd0in9PSUb4Mnjxw3Ibgla1piZZVu0dbQiLYvlpVVzlVBorQjYAYNm7zTVYwrFAutr6xSKBTraO2htbSWXO2B5bQNLSlpbW2nJZN7dKo+Jua7L8vIye1ljwq7V+LZgcHCQRCyO1pqD7B6rKyuUy2Uaq4Clm1KcOXMGywqA1iwvLbKzY8z8rnKxpIVlWXT39tCSyeC6imKhwKtXi1Sq1Zr2rVxNIpFgaKgPOxDAqVbZ3Npmc8Og8C2hUco1Wdg6OmlpaQYhOczlWN9YJ39YNO33yqE2Nadpb28zmeOEYHV5hd3dXap+BTovTr6r11SLE0KQPzpifn7BVD8TZixaW1vp7u7GlifKt57SKZ3SKZ3SPxiyAdY3d1hf3+CoUCSVStHaYtKaVl3NwcEBl/QI6aY0L2ZfsbW1hW3bNDc3o5RDumkLS0pTBaxYZmJ6mv3dQy5fgUx7G9nDQx4/mUIIwe2bl2luaXmriihq9ZAtSqUiq2t7PHwwgeNWSCQS2FJSLpfZ3T+gXBKcH+4D4PnLV0xPT9Pe2uTFbwc5yB5gh8IoEWZwoJuVlRXuPZrg6OiI1paUMY+LADs7O2SPioyM2ASDNs9fzDIx/oxEIkE0FkRrbfK0V6pgSTo7OtnbyzI1Nc3O7hYtLS1IjUn0UnTY2jlk9PIFbMtibu4Vc3Nz2Fawht4/PDokGAhyYWSE7u5ODo/M+BTyeeKJsBEelGB9Y52zuRKXLoWwQwEWF5Z5+PAJLZkWbCtILpdjcWkDpQP09rRh24F65rb6gJ7SKZ3SKZ3S33OyAa5fv87mxl+Sy+Xo7u42SHGgWK4yOTmJHbDJtGToO9PHy5cvicfjdHV1cZTPsba6hlBVPvjgA6qVCoV8gezBAeVyGTAMLpfLmSxvr4WfGaplccOvmAaFQp6nT5/yauEVV69e5vz581hCsLa2ztLKGg/uPyARD1IqlZiYmKBcLnPx4rc9dHiV8fExXszOU61W6ev9xzy4f5/5+RWGhoa4fv06Smt2dg9YXFhkYmIC27ZpbW3h3tf3cF3B9evXaWtv5vDwkNmX80zMTxCJhnAdl7W1DWZnZ+nvP8O1q9dAaTY21pmafM709DThsE0qnWJychLHcbl+/SZdnZ2USgWezTxjfv4VWmtsW/Dy5UtmZ+cZHBhg5OJFgoEgOzt7LC0vMzk5QSQSIZaI8+TJE/az+3zwwQc0N2d48uQJMzPTKKXo7fmDxsH8Tc2VUzqlUzqlU/o7SDZAZ0c7oaANrkMsEqK9rQWAiuOSiN/yCn2ESadS2NIiYAk621uJxwYQSjM9NQM6yNnh/lr+c8dxKZdclCuwEMaMjXijP1dw3DQsEVRKFQ6zB1RLZRKxGG0tGXa2t1ldWqZ4VMGpVikelSkWSuT288TjMVqbO4hEIzy4/4j1lQ2qpSr7O1mEluzv7FMplkjFE7RlWslms0xPTFM4KqCEw+HhIclkkr29LOmmNOl0kkQ8xcryGosLqzgO7O3mKBUdcrkjSqUKkUiMtrYOdrd2WVneYGdnj2rV4egwTyAQ5OiwTDgcJpWK0dScZGpq1dQ/PyyxHzqiXK6yu7tvtPF4nJbmDIV8gVfzC+RyRzhVl2KhSiBQJn94SDhg09rSRGtrM/FoiHKhSnY3h3a85DKnSWFO6ZRO6ZT+wZGXu9QDWnkoaSlMytMvv7rHxYsXyWQytbrZ2ssR3hg/XSqV2N3b40rsEleuXkW5YzybnmZzc51isUAgGOTSpUv09PS8tSEnyfdP+wC2xaUlJsfHWVpawqnWz6sjyM35X37xJZOT0+zv74OQ3u/HmdvW1hafffYZ8/MrCCGwgqL2TBNuZkz44xPjjI+Ns581sfR+drZG2tzc5MHXD3j16hWlUsWkTG1oF0C5XObx48c8fTpONptFqzfj9ldX15h59oy5uVe4jlPjyT093fzwh3+AUtVatTPLkh7Sntf6d0qndEqndEr/cEgCJpe5sFBIllbW+PHffMZPP/2c2ZdLlIoGqW0SqLlerLUy1cEw/4QQKNclEg7Sd6aHy5evEosnmZ1doFiocnn0IueGh4jHowZifeKfrkVu1bDuAGhp4Xrf9/f3qKoqZ88NEU1EUVKZ66RAWBZKgItidWONju5Wzgz0ICyBFgqEhRKmspkWAbKHObZ2tvnWtz4wbUJ6ueQNtN91Na6jOcgekoinOH9+GPAQ68IwZ595FooFiqUCff1nTB75Y0VeAKEol6tsbW3T3NTCQP8ggUDgWKJ903bNYSFHoVxgZPQSyXQaLTVaKOLREAN93ZwdHCIaCvNs8hmL84u0t6W4c/sqwWDQG7D3K0hzSqd0Sqd0Sn9/yGPkypQBxWidUhptz3FdVK1Clz7GfBqpUeutVUlTCuW6OI53Dyl+ISajtUYr829tbZ3V1VWikQj9AwMecKxOrnIp5AtMTk6yt7dPR0cnXV2dtfY0tm19fZ3FhQUsy+Q0j0ajx9othKBSqTA3P8fBwQFt7W309vYaYaUhHl65iq2tLV6+eEkgYNPd3U0qlapVNfO15fzREYuLC2SzWdo7Oujp6SEQCCK92HQfZb+5scnS4hLSkgz0DxCLm2Q3JoZdmDA4rZl5/pyxsXGU1ly7epXh4eH3HtNTOqVTOqVT+vtHXvUz75/UtLVluHPnFpVKBaQgEg8CslZH3DA8E6LWSEIIiqUKu7v7zDx/TqlUYvjcEKVSiZcvX2LbFhfODxCPJ74BTe2lJhXgR7YLKZibXyKZTHJxZJhEPIVlC4QwTB7AtmwODw+59/VDMpkWMpkMm5ueK0Cb+Gs/ZGt5eZmjwygD/YOEogFksLEMnYOmSqmkefniJR2dbbS1ZTzm7CL9OHgkrtKsLG9wkM0zNNhLIhE3PTiWXlVxdHTEq1dLtDQ309rawtHRUc2a4QtQUktWllZJNyUZHBwknUoRsGwkCqEVCk2xXGRpYYMvvnqAZSkuX77C+ZEhItGQQQee0imd0imd0j9IqnFjIQVaaSzbIhqLkm5K88EHH2BbNoV83pwsBI5jYpyVUpRKJY6OTG3vVCpF/uiIyclJ1tfWGBoa4vd//4fcuHGjdnxjfeO9GuVroD5ZtsXQ0BBXLl8mGonULAC+T18phW3bxGJRPvjgA3p6umsatK9F+/5q27bp6enho+9+l1AoZLT+Y3XNjQYcT8QZHR1lcHDQHJN1jb2xnV3dXVy/fp2mpmaklMf81VprpGWRiMe5ceMGg4MDBAIBpBBejXdZe14wGOBMby/Xr10jHouZlK7es6rVKstLy3z22WeUSiWuXrtGT083+XyRbHb/F3zlp3RKp3RKp/T3iSSA6yiUqxFKIJVEuSYpmiTAo/tPeDn/ClcLHAVIC4XNUb7M46eTTM+85ExfF9/+6AOi0QT5vKlyFg6HSSbjRCJhlBaUihVKVedY6U7fOS58lzu+390wXttSSBwuj17i6rXLxJMxEKpWL9zPg27ZmmQqyu/+/u/S09+DtIO4WiAl2LaRVaRlYQmXC+eH+OijbxGNhtCuBmW0eynrTDoej/Phhx8ydHaAUCiAVia225aAdpE4hAOSCyNn+eijD0mnUzUt27LqAHLLljSlk9z94DZDZwewbJPdTQiBbVlo7SAtgabK0Nk+rl2/SrrJu5eoZ5dbWFjlZz/7ioODQ7738Q8YHrrA4sIq//ZP/4K//qsvqVarDVni3qSd2/i4xhqJb3B11Ew0J85pxDbQGEpYTxt47B5v+/3YPUXDPd9Gbv33XwrY94b2/aLk13xHvmF83OPj8k1j21hHwP/nN09Y5l9je7U+Pj6N/X/nuJ3SKZ3SPwSyAf7Nn/4btra2AHj58iUHOZP9zHEE2f0sqeYE86/m+frePaSU5I/y3Lt/D61denp6+PaHt2luamLb2fUSmtS1XMv65TbQdLqJDz/8EOUq5l/Ns7u3iy0V5XKZfKHAxx9/zED/AGDAYg8fPuTLL7/Ebigz2t7ezscff4yUkt/55BN+9rOvWFpc5C//8qCWeKVQyHP9+nWuXLlCOBzkB9//AffvP+bhw4dMTY+hteYwV6Qp3cTdDz6gq7OTpnQzjuOyuLRIPp/HEppyuUy55DI6Osrly1cIBgOUy1WmpiZ59PAR09PTgOLg4IBMJsPly5fp6+8hlUphWwHW1zf46U9/SiBg4zguOzu7XLt2lQsXzrO+vkH+6IhKpcLDhw+YnBxjf3+f3d19LMtG/FIlTBsZwomwtXcxSz+X/Ded5t9DNAAYdcNvPqPT+t2Ja8RbhIC3Pe99QX+NbXivcxuY61vbJ9/we2Nf3xQi+A1CyrHUvt730yiFUzqlU2ogobXWjx///BggzNdMpfd3e1sbtmWzvLx87DzLtmhpbqGjs8MLWSuwurJKsVQm05Khs7uTXHaf5bU1ADo7O2hqakac9Ome3HS1RmmN6zgsLy+TPTzCkhLlmdQtBAMD/aZkqmuypS0uLL4GyEskEiZFazCAcl2WlpbY2983YD4hUFpjSUlnVxfNTU0A5AsFXs3P47jusfOCwSBnB/oJhUJUKg7b29ts7mwD1NoWCARobc3Q2toKwEH2gM3NTQrFYh0EqDXJZJLOjg6isRhaK1ZWVtjf20dpf9w1juvS09NFS0sLB9kca2trlCtlAnYApT1hCWP5uHBu+I2hcd/w1r1xPsFgvvGadzGjN5FsKCAD7ywi803PPsmoG6nW/obnaa8eQGPbX7tfQ7t+ITpx3dvad3Kc39b+t90XvL5Z9ePH3tUv2/5TOqVT+q2jd1U/q1b2j6G7G0l5jPNtvwPYtgVCopQBmLmOQkqJZUuUUrjKINcty3pzKtE3kRfSprXGUbrGUKUwRUiklAgpasVUlFsPC2tEoFu27dUkEbiOYxj0iY3dsi38Km1CyFrMvKvUsXMDlgQpUa5CK41C19rkfwohkJZBoyuvXrhqGDf/HHOeqbKmXOWNbX1jNn55fygkrlM3ZTcyfABLinrBmHeMKUKgnArSaqgG1/g7BnMgpXw709F+ERjv7wbmohrHzC9e499bu171OflugaBBcFBKmfaqtwgCjc/z2wSGkb5hrik/P4GwvHPfYz42Mmpp16/TJ4SFY9XsvN/823tzWr5V6PKLBjn1NjYePykIaepVCE/plE7p7ze9q/pZIBisVRYzQDa3xtgsDPP55g3X80PbNiiFDAU8J7s0v0iBLRrKf75Po31mAki7zqSEx8iBGpJeCoEMBI5f3xAqJgQoZfzRQavuK/bDxAwQTnn7r8KyDWjNsm3DkL0iJn6FNykFSJM4ptamWrPdmm9bWhaWbR875pdHbTxXWhoQCGF5woTlgfm89iORQdnAM2y0qgELEH41uW9ivA1/S2Eb5uKXcz1xjrSsE/c5YdoWjef735UZE7/OuuvlG2ioKtfwMhrmzVv8v43tsW0TBeC7nmuCmt8ub85Sr9OuvX5q2ZhN0Jsvss4w39sEL0Rds/YE1hrTll7/Gy0cjcIOdaGlNrbHhCF/bHyN2zJzTLnUyuGalntj12BxOGXip3RK/+DJBtjd2alrux7VKn9pTTxq4rZLpRIASh03YQcDIaKxKEq5FAsFqlWXSDRCJBKmWqlwVDSo90gkSigUenervA3SdV1KpSKlsknl1qiRp1Ip7EAAtKJaNSlWG9vtZz9LJpMopcnlDnCdt2tegWCAYDBI/ihf3ydPkCUFsWiMgCc0FIsF8oUCVoM2HI3FCIcjFIt5ioXiG+PvtdYEgkGCwSClUhGlHLSqyydWTbFURCIRQqEIjuOQPyoc09yVdgkEbNKJRH3c3kQN2rJSitzBIVprEokYwWCQYqlIqVRCCEEikQSgVCpSLlcIhYJEIrGa5aOQL1CtVgkEAkS8CIJisWgAd8K4PsLhEJFI9LjlQ2sq5TKFYgHlYSgEkkg0QigUPGZRODo6pFqtojXYliSRTgOmlO3RYY5yuXKse0pDPB4jFAriR1Rk97OAqFmUzDj4biGIRqKEwuH3MvUr16VYLFAuVWvtdR2HYrGA4yri8SjBYACETbVcJl/IoxrcR8FggEgkemyeHLNo4AsK9UnnNNQoSCTj2JZFsVSgWCgiLUkinsAKnLBAnNIpndI/SLIB/rv/9z/3vkqzAQmjcVjSMJs7H97Asi1++jeeL92PIRfGBHx+eIAf/sEfcJDN89lnn7G9vcv169f54INbrKwt8+O//hTbtrn74Q1GRkZAeFpETYOp3898NRtUpery1z/+Gc9fzhkNC2NyjITi/Mmf/And3Z1YdpCFlWX+8i//krwXJgeGWQ4PD/NHf/RHBO0A/+5//gs2N7aNiV1XvN4ahhyKhbg8epmOzjb+/b//92hlGeYrnFr7tNZ0d3bygx98QldXO5VKlbGJ53zx+Rcot4TSmnSyhTt373L9+mXmZhf4/OdfcHhkBAytdG28tLLo7Orixo0rTE5OsLiw7o27MUsLaWLkpbT54IMPuHHzCgcHB/zZn/05hXweXdPCJB0dHfzX/6s/IfBN2d00mHS1LltbW/zr/+nfEw6H+f4n32ZwYJCJiRd89rPPyLRk+P0f/j6RSISHDx7zdOwpw8Pn+OT7HxFPJMju57h37x5TU1NcuHCB73//Yw4ODvj55/dZWlrCZAAUDA8P8e3vfIdMprlh/BQzL+a4d+8e2WyulgPgW9/+FnduXScYsj1t3eVHf/kpi4uLuK6mt7eXP/kv/ohgMIhSiq+/vs/jR+O1/gPYgQAffec73LpzFYCjoyP+9E//jNxBCXXMtG7+bmpOcffuXS5fGTUWkrevDwD2dg/4/PPPmX25wO3bt7nzwTV2trf52WdfcXBwwEff/4CRkYtYlmBxZZXPf/4VW5tbNcvKzRujfPDBB8RivmmM45YKoY9LjsJieXmBf/Nv/oxgIMg/+y//c9rb25mafM6nn35KJpPhn/0X/4yYJT2N/ZSRn9Ip/UMmG+C//m/+G/7qr/6K1ZV1RkcvcfvOdbTWlEsu9+7dR0jB2bNnKRUdPv30U2LRBB9++CHNLWlmZ2d5NjVG6Cc/YXDwLOVymWKhiPIqnSmtqToOrucvfh8SQrC3u8vnn99jdnaWS5dGOTd8jnBIks1m+fzze/zFX/wF3/34I8rlMk/GniKE4I//+I+JRCMATIxP8OLFC/7dv/t3/Bf/5J8YVHm5zOjoKLduXwegUlH89Y9+xMHRAa5rEPi/+zu/y09+8hkAN27eYmBggLnZV3z99ddUKlVjdSgWmZ6e5t69B7RkWrhz6zqVaoXJiRke3L+P65Y4e/YsN27c4PHjx+QLBe7cvc2ZPpNrfmlxjZ2dHcKRMN///g/47NOvmJubo6uzk5u3bpFMxtFace/eQ7TWzM3NMTY+TrFQ4JPf+R1aWtIIIZh9Oc+TJ0/5l//D/8A//af/hHgs/mZTsTxuKjd12wXKVTUffrlcplKta7quMhECruN4bgXjx3ddl2qlguM4aK3JZDLcun2bUqnE8soiIxdGuHnzFsmk0eyNK0UyNj7O48ePsW2b3//93yeZTPLF51/w9OkYlnC5ceMGjuPyl3/5l7x6tcyVy1cAydTUFP/2z/6MH/7BH5BMJrlx4wZaWXz99dfEEyl+55NPePjwIQ8ePkRT5vadO0QjEX7wySd8+tMv2dnZYfjsWW7duoW0BLlcjpmZKRznFzNJ+3kTHMdBK1MUqFQqUioVa+c8e/aMhw8fUC5X+d3f+z2am1p49OgRL168QGvNhx9+SCxuEgcZV4RlzOe+mb0BN+A6Dk7Vs0R5rhOn6uBUHZOsySet3o36P6VTOqW/12QDdHW1EwxaSKmJRsP0dLejlabqCiz7DqlEmFQsQnOqCanBltDelqGjo4WdrTUKRcXm9gFnzpgNx0U1+AcbAF5KIWr+Ueq+UT923D/sOlQrZXb2DiiWXVLxBN2dnexn91heWuUwX6BSqZDPH1EoFMnuHRCNROjpaCUWjzE2/ZK1jS3y+SI7O3ugXCxMhrdoLEJ3VxsA5YomFAqgcmDJAPFwiPaWJqSwsSyLzkwL/d3dpONpbCnZ3FznKH/IxvoGU1PTtLa2cPPWTfp6O9nZ2SUYFKyu7XCYyxKPRmhqbiYQDBKoODQ1Zejt6QJMnPrRURctzUkikSiRZARla8KxMO2dbaSTcYOY1zewAwE21rfY297DxaWto5W29gwvX7xkaXWNfKmEu1Wi6nAc3WxG3nx4GrwQEq3AFRLlBbxraaGFRCFroYN+PL/CZnltk4ePx7k8OgrCwtWCKhausFEC7FCApnSSUDiAqwXReJJUIkrINuFpylFMzzzn8aNxIsEIFy9e5OxQL6FQmGgkxMpyjmzuiJX1TZ7PvGBufomrly9x+colpG0RCFs8fDDGT/76c77/vQ9obkqTam5BSwtLaHq6OwmG7vDo0SPGx5/jujYffnCDlnQToUgQYUE0FqSntwOtXZqbE8SjQWKxmJmPx3zQbyatHfwcAQgfmEhtTNE2sy9f8fTxFNoNcPPGCOeHB4hGI7x4HmSuUGb/II/rOrXrJiYnWV7ewnFdUokI3/nOd7z7S5SqIiQ1kKRoCG9zPaZuUh6/xQd0Sqd0Sv+gyAbje6xlGfNCrqrKZXr6OQMD/TQ1xT207XFwV2OomvGNhhkcHKRcdZh/NY9WZXZ2drADAfrOnKGlJfN+KNsGhLzvY97Y3GTm2RTPX7zAqRpt0DfP6gZ/5NTUFI+fTLKxse5lojMa5dVr1xg4ytPX11/zxwqha7nkwQPNSauWoc3fQCvVCgE7wLlz5wkGgqyuvWB7e5sr168xODCIbSlSqRQjIyO0t3fQ292JZb+OTJZCsLGxSalSJZPJEI+FwXuOJeWxsZyamqIt00prayt7u9ljYzE/P8/jx49ZXFhBSOH5k3+RsDAzZuoN5wovB7xSBjiWy+WYmJhACkFnVxe6gXE0+sDNHBK1v6mB+zSra6tsb29z4dxZzvSdIRIx+e0vXLhAU1MTrR3tVCsV5ubmKJfLDAwO0t7ejgzYFAoFvv7qMdPT09y4PkJTc3MNZKg9rMbg4CALC4ssLIwRjUT48MObx7L++XO7VCqzuLRET2cnyVTaH4h3arSxWJzBwUGy+0f18dOaWDxOe3sHbW1tPHs2w+rqKr29vfT39ROOhEFIBgcHCUcSJJPJuvsDWFlZ4enYM5Tr0tKc5IO7d7GsgAeIs2lqauL2rdtMTk4cw1hkMhmuX79e97e/hyBySqd0Sn+/qQbhNhuDZH8vy4sXc5RKJR48uE8ymaSpKV4LyTJFRRzWVtcplUrs7ByQTETo7WqnLZOkvS2Fo1zGxsb4dP4VkUiUS6PnuXL1oqlz3sjEayq4Jxj4x5VrQt4aMritrKywub5BKh6nUj1EaVXbrH3N0nEtnjyZRlertDY1sbd7gC0CIBS3bt+sh/MqA5Cbn1/Gqbq0tzbR0pxAS2NN0NoIAMvrO2grzPLyMqurq/yX/+Q/M0xTmKpsltBIjF87GY9x+fIVrx8+GlohpaaqqqxvrREMBpibm0PpCjdv3iQeDdXao11FLnfEwqslLFvw9ddfc+fWTdItzTXmacLaBNPjMxSPyrR3tLC1tYUQNkJYmA397ah1obRJBoYy7daY8fU+T5L0UPrZ/QOePBnj4OCQw8MCfghE43UmwkEgateBySevUaqKyVXvhcl5PvsLI8NcGBkGDQsLi6Cl6YdwQLiYinQevN7HUeh65T0hjfVAeVX5tAKlvDA3FEJLU4v+4IgXswtk93Z5+fIloW+HPACdqrmov4misRgjIxdQrsYOBAgELGLxKENDffT395Fpa2d2drZhuD2hV7kMnR1k6NywyalvXjYgybRkOHu2H60VyUQMafnofxc0NGea+ei736ZSLZl8+kKTbopz9eolbt++VmfgfjTFKZ3SKf2DJa9oisn9DbC8vMzezhpKa5T2NG6tj2UPK5fLPHjwENsWVKsOXV3tXL9+nVg8htaa8+fPc3BwwNjeGJlMCyMjF2hubn57K05qhh5s29dECoUCAB2dHQwODPLpF1+xubFZyyCntcZ1XI7yeVzX5fr16xTyeX72sy/rmrukFiderTqsrKzwH/78z0mlUnz44YecP38Brau1Z5ZKJSbGJ5iZmcGpOqTSKRMC5cU1H0Oiv0ULFl58eaFYYHx8nBczLykWCvQN9JjrpQkn8ouxbG5s8vnh54Ain8/XTN1K1yvBZbNZKpUKIyMjROIRfvSjH4GqWyeOxyr7bfQtKG9on4dlqFlAlDZMRxqgVigUwg5Y5AsFnj59as5rrIPeYPY9WQEPIY+PE7wZJ9GYGa3hXicVZQNAfP3cemy+NGFbDeQ6DgsLC+zu7OJWy4RCISzp5wx4vSlvJCEIhSPcuHXLO+DQ3tFBe0cXKBcNx+aE0rohxK4hJNG3ZmjF7Tt3uHn7jheO5oedNVhVtCYSjfJHf/iHIM11Fy5e9Aen1q5TxPopndIp2QCuW8Gvt33p0gi/97sfky/k+Vf/+k8NQlrUE45orUmmIvz+7/8j2toyjI2P89nPvqT6F3/FH/7BJ0gp+fLr+0xMjKO1QfF+9tlnfPe736W/r+fNqOo3kBL1f18/uA/AubODKAEWAksY7c+WEqVN6tN//i/+BY7rcPnKCAoTx44UKFwEXty3cplfWOZP//TPsIXkD3/4j+jsaTeIcVdgK4ESDrFkhN/9/kecPXuWZ8+eMTEx4cUwGzXU9f7TUoP0YsVrrZeY2GaNxCIVT/DRR99l9OIFnj59ym522yD3vbEwtdUVQ2cH+N73vkfAEvz5n/+5abcNvvZZLin+9N/+Odot09HdUTfFI1FCoj3VzI/713641RvG14TpuSZpj9cPgzo3Wq72jvX293Lh3DAPHz6oof7BMhqyFGhhaqkrAVoKw9RE/aGG2dsIy0ZJBy0clNAIYeLlDZDLxIj771sjPSHAJK3RQqFkY7YzYxHQSE+oMBq7pgKeNURrjbAkVjDAtSuX+OSTH7C+vs7XX98zr7Chot87qWZFOpFxDddo9A1jZiIPvGQzfuy4FMfnh6yHjSnXRYoG3IjP0AG0czxF/EmX1CkPP6VTOiUafOTm02hQgYBNPBbnj//4j00ctpdhDeralmXZBINBT7vRKK3Y3d1l5vlzFhfXuHnzFldHr7K6tsrTx1/z5ZdfotVtBgYG3t0qT8v2tVDLllwYucDd27caTtE1jVUKiatcAgGLP/xHf8j5cwOMjY3Vz/P9z0oxMTnBz35+n0Qizp/8Z/+Y9vYOpOVpaN69675eSTgc5uLFi/T19xOJRqnmcibRi5Q1JL4SLru7e4w9HWdlZYWR8+e4ceOG8TV7/bBti0AwyKVLlyg7BcLhSD2DGtQsIrZtk0rG+aM/+iPskH0svtp1FYGAxfd+8H0uXbrEwquFE8P2lprxbxCeGmvInyTRoNXats2Z3l4i4TD37z9kaWmpNkY+vqDRt6/0cTCYn4HPf5+NfvlPP/2UV/PzDA8Pk8lksG27lgfAcV2UqtSq7VnSOqZt+zkOtNY4jlOzIli2QehbNRyE8PoRoKuri08++QGRkEmAJK1fT95yU+VOGiuGh2g3Wjbcu3ef57Mv6Ozo5Fsf3iUWi4PWfPHF57ycnadardLSnOKP/vAPCQaD75eg5pRO6ZROqYFsAKfq1hJYCCFMUi4k8ViSyclpMi1Jerq766lEtamQ5jgarYSXfMXCcTW53BGqUqEpEaenu4VqKYvrSrLZPMVCCaNi+Dmqfc1DNH4glMa27Bq4bnD4LKNXrtCUaTYmUjRYsqbFSQuSyTi3b19nYKiXUDCC42gkAquWfc1oefnDMtn9Q9LpJloyaQIhifZ8y1UBJVykB6JytEJLQTQcJBoNgdbEYzGunr+IKpRZWlzj/v3HXLl0iXK5yu7uPtvbu/T3llCu9hLQGG3Z1QLHdQiGQ+yuH7Dwap0zve2k02kcVyBkEJTC9YB86XSap+OTRKPRWtW5YNDmww8/4MLweRKRGJaCgJBggVSuydjma4oNw9vIHLRWSGEhhIWLpuJU8cu0NjJlfy4AhMIWfQPdVJ0qGpel5a1jYETtqlr+fON6cGvhVUIKLl06T6GYY2drl/GxKW7cuEIkGmV/L8fOTpaOjjzDw+f54M5dvvj8cx7dH0eoIMKSPHr0hHAo4IU7NuG6VYOPEAKpJU7Z4fH0NEtLKwwMnOHW7ZuAxHXx6shrtJA4ypjqhRDMvHxBS3MzZ/r6jMtI/WrZ0bR2OXt2iINsntXVVZ48GSMUipBKNXGQzbO5sUsknDSP8dLCHh0esr21T9VxENqpodGPL4Tj6+OUTumUTulNZAPcf3CffN74oTc3N/n666+RQlCquszPz3Pl8nlCoRBz83MIYfziL148Z3Vtma2tLVpaWjh//jyRcBjb01a15/fzN3y7lq7sPeJehSAai3Dh/AVKpRJKuaysrLC1uUb+KE+1UuXixYt0dHTiVKscHB6xtLhEuVxmcnISqSVrq6s0NzcxOjrqaXkmntlHZdeqsjXULN/fzzI1NVUD9q2srNDS3MKZro5a04KhEL29vWit+OrhAyYnJqkUC1SrDqVSib6+fnp7z5A9OGBxacmLqVfMz8+TP9wHYGdnH6daJRkPsrmxwfb2dg0hPj42ZsBNwPOXcwwNDXGmu4eRCyM8nZqmXCnz8uVLc5/NTaKRCJcuXTIx5L526eclf8O4plJprl+7zsvZWWZnX7K7u8vG5i5N6SauXL1KNBbDdSpYUtZ89wDhcISOjk4yLRmWlrdqmnMul2NxcYHDw0OEEGxvb7OwsMjZs2eJRiNIO0BnVydXr15l4ukES4tLOG6ZeDzG3t4+nZ1d9PaeIZVKk0w0Uy6XGX/ylImJCZSAvf19rl27ZmrRRyWvXr1iYWEB27JRSjE+PsHsq5ekUilu3LjGQH8/lXKZmZln5HI5tNZsbGzw9b2vkdrEgm9vb3L+wgXO9PW90Rf/i5IQgtbWVq5cMQlp1leWefToEfFYgu3tbdrb2xkcHKxnNRSC/v4BQpE0ynWJRS0CgeBr2RVP6ZRO6ZTeh2yAnZ1dOjs76OpqB2B7d6d2QmdnG03pJsqlCpoSo1fOI5SiWj0ie5AnGg1wp+8y16+MUCzm6evtoimVoMNDqCcSMYbO9mJbFqlU0mPivrm4nqEMQNTAQBANR7hx9RwWJTa2dzjK7noYIM1Qbxt3P7hFU6YJKSWRiEXYdsllsybUSAoi0RCDA73cunUVS/oFNxwymTSjF4eIxeOEAhZIgYWFcl0qpTJOpcrQ+QG01thCUioU6jBsb48NhgSDA90gHGZmnnPgZW/r6mhneHiYvsFelpaWsCxFT2+710eHnd1tA5hTmkxbC5FIjK2tbTJNEZqSvUgtOcrnyBeMINTcFKc1k6azt5VEUwTlVCgfHrCbPzRmfUtw/vII3/nuh1iWMG1UyviQhagLTA1h5fFUnA+/dYVQyGHvYJ/9/R3CIZsb1y9z/fpVAgGbYgE6u7q4fLlEV1dHLZQuFLbo6GpltNpPT08TAdumWCxSqRZpbWsik0kjLYtSpexZMyRaOVhCMjTQT8ASvHzxksOjQ4rFApnWNOfPnWNoYJBAMABC8K0Pb2KJKtvb2yjlcu3qBe7euY0dNPn7j47yRAIwOjIIQKGYpaernQsXLjAwOADaxXEcCoUivZ0tqA4Dssxub9bAjq0tGZpTaYOxV+6vnFBFIBBa09PdSihwhemITS6Xo1jMkUyF6evvY+TCOdNHz899/vww58/zzab0U038lE7plN6DhNZao8ue5qwaQp2sGhJanEzYoozZ1AdX1U24DaZAIWqblhYnGLXPyGupWk8kMvG1SWmDVmiD+PJcvRKB6xVlOdEbaVKu1tqtndfjbLU2z5PSgIl0A9DIChhGi+9T990N1ePPcT20ttcv5cfge+crPHO1CNRj3WthUw3N9QOSTsg1tbH3U9Z64yodP9zOMGrljz+Oh4quxYJ513nD/CY3sBBoTAz7u9zEvvatT4DDfGT7m86HOlrbZ6CNvzcW6UE1oLUbP8F7zyeLuBzvR724SAMdK2fK8d+PlVaFX2sc9pvAnLW++PNaHj//lE7plE7pXfSu6mc0hF15WzD44TSNzEH4ST80KOd1YFWNoeNtoCeqlp3cs2q+ca+Kl/97rcyjA8pFOA5I2YD61WCJWmxxPSNcxZznZ9DyAM0GWu02IIMdc0x5DNl/rls2zMW/voYurodTmePKMA/vnn6FN5/xSxHyxqtk2lxjZPI408IBaSErjdXAMGMrvfGSJhbaMDT/PCNYyJpBw+L1wW0YzzfxippJWR0PjWpkcFKCNxZCWoiTVdBUg1m6kaFqDdpDb+vGdtQZqNTeNdpvqG/x0McZrR9b/bZQK6U9oewEM/YjDPy2Hctlbvr9a6dGJu6nXPWZtx9u2NiHUyZ+Sqd0Sr8GsgHKpSKuV8/bsiSux6T9DFp2oK7pViqVuoauNcFgCNs28oBSimqlgtLKQ2R7xz10czgUND7Ad1kMlbeZ41IuFpEVT8P0UMuuVESiUaOBe/HD2testcYtl3GqDoRtAoEgUtgUCwUs93hWMrdhHw2FQhCUxjSbLxpEtB9/HbQJhiM1xuaWS1QqFayG66VoKJdpu1iWjVM5qqHRzXhaZiy8euoyEqJSKiEchVYmHEsKgcL7Ho1gBwIG9CctTwAxlpNKpQrFClIIbK9iGUo1CEHfNL4NKXS/SWNtjBOvCXTq9XN9jVnIEwxdHbNcHLuXFwpYP69hUpwUIE8ywJNM/ZiwKV4/3shMfxN0kiF7ERKvtfWYpaFBOz9l6Kd0Sqf0K5AN8OOf/IxKtYJy8TJX+eZUE9517vww/f19LCyuMTY+RjjomUQtm86OTi5eOE8wGOCokGd6epqN9W2qVYdAwISoKVcRCoU4OzRAb28vduA4al0oX4vxNzxMtrNHE9iffw5zWwjLwvF+typF1CffQ/7e9yAQgEjQsNx8CV0sIf6f/x3285esf/Qh3T/8IdoOsvLP/zmDTyfAsii3GfBaqFREF0u4ARt1/Srij/8AFhcQ//3/iAVgm1SiYrQf/d3vIs724BweIv/1fyD/bIamjXWwA5Q7upBCEKy4qKqD+/0PkK2tyL/4EWIvCxUXAkFIxFFVh0BuH9HWBn/ye+y/nKX106+gWoVYDIJBLGmjiyXkH/0u4vIonDvj+byVcTW82MC+/xD9lz9GpFKo/9v/CekDqZR+t6DUaNr16aRGqxtqiTfez9dmG39TTsN1eMxK8U7N1//9mxjsmzTxk0y98W8vyc5rv72NGs//Zek1y9QbGHvjZyNDP2Xip3RKp/QrkgRIJpOsra0zPT3N/t4eiUSCeDxOKBRiZ3eH/f091tfXefL0CQuvFrDtAOFwmK3NLcbGxpidnTUauBBYUrK9vc3z5zNsb28TjcYAWFxaYmJ8nI319Xe3SikKh4for7/mpz/9lN2dHUjEsdMpHNdlfHKC4l/9NauLS+Br2VqjiyXGv/iSvU9/xtOv7jM1NV3bpCcmJnn25X3czS3CLc2Em5sQTc1MT01z7/4DmJuHjXU++6u/4tnjJwCIWIzdrS1+/JO/QX/+OZTLWLYNgQBbW1u8+PoxR3MLhEIhgk1NEImwv7fPysqqYRDlClNT07x4/BRKJURLC8VigfnJafJTz9BHR6RSKSobW8w8esry/CtEOISIRHj54gWf/fjH6BcvqZbL4IV1VasO+sFDPvvpT3j29QNyk9M1lP2bsp69+a2L+r/3veabSIjj//42yW0M49LvZpTurxZ6dkqndEqn9LdNNsB3Pvo2i8sLZLP7tHe08p2Pvo3WinKpytTUFIlEgs3NTZ4/f05zczO3b9/CsiyKhTKTU1O8ePGc4XPDxOJRBgcHWF3ZZmdnn87Odu7evcXW1hb7P9tjbm6B9vYues6YKmB137P31Tdluwp3exf9r/5nRudWKf4ffh/xe78LW1uEHzzk+o9+ROXFX1P+wbfQLc2mfnehgP7//hs6//TfEZtdZkRrnmgX3AqIEBLNQSiEfeky8n//vzPPe/aKnfln9I7NoIt5+Oor7H/5rzg604X4R99BjF7h4H/5Cy7/X/8f6I1tjv7kd4m3t8FHd7Fyu0Q/v0+8OUXlf/u/JtKaQe/sURqfoBgJIW5fQ69vIVZXKW1tID6+g/zf/FccTU2R+r8LDqtVCp0dtF8cwf3rnxJcXWXv8jB9/80/hXCM7O4a7X/1KYQiWN++ZWKyFzewJifR/6//jvMLKwSrikQhj3OCWb0Gcvsm3upBHv7e0C9qqj41bZ/SKZ3SbznZYBDVqkEzMd8VOzu7XLp0CWlZjD19CoDyNOBAIEBbWxt9h4e0ZDLYluUlFgFRy/ama8jkk4jnbyQvzAx8t6uA3V30l1/xV3/xV3yUPcISspb/XedyTD5+TOS//+f/f/b+K8iS7MzzxH7nuF99Q9zQWmRmpNaqsgSARkE0uoEePZzhLLlDM5qRy6WRNFuj8YWPfOQbH2g0kmbcnbXlDJvTPd1Ad6NREAUUqrJSZ0SqyIwMrbW6+rr7OXw47n5v3IysKvTssgdAfGVpUXHDr/vx48fPp/9/2tpaiTYkqWQL1YpqrTl5coSevAPdXQc27hDA5NBxHNzgaxHPdFAM6COXUa5ALk/fmTP093SavLEQYY96EDno6e5BXLkMu3vkk8nwfMrzqsWDdeMRUkCxiH76lD/7N/8t/6RcoTXTSHZ9F3wwHpTn94+bOVfK+1IykJqb+ZID/gf2sutD/W8LTX8V+Sph68Py6EdyJEdyJL+lYqrRhDIRVi0pFStsrG5TKpX4xccf880Pv0lvbyeJRIzmxjRaOexs7tDcnGHk5DDnL5zGkgpLuqAsJAKlHMB49Gtr6+xu7aJcTWNjiniiSuVYr2lE2IYmUMLglUsNfdki+tN7bP74E87kFdFIlIrj0Zovwuoa+sef0PpXP+bp2WGO/Wf/Cv1v/4Klz+8T9zDQ213NHP+v/ku0V0FHI1CqgKfQz19yfDvL65FhRk6egGODrJwb4eLyLswso4uaY6/mmJcCbAs8CzxT0OXaFglPQy5H9Nf3UY5LafQZ8ePHEP/r/6lRFp6H1NC+V4b5ZdQvHyEePWKpXKb3vfdIHxsy58XGljYD81voJ5MQs+hf3WRqsIfTg/0wtYCamWX7//x/4dtSIv63/wWbrydI/D/+nXmIbhmiFmD5Hrb28b7hIHZ3GPo4KIflzGvkf+h25jdO/x8Tnq/PmX+V44+U+ZEcyZH8FksNH7npFV5eWeHzzz/HdVxy+RyeZ/DAB4eGuHXL5eGDhzx89AhLWgyPDHLm9Gli8UTo1YUY6FqxsrLMvXv3wfNIJBIcO3aGEydO/MaDrGRzaK1p7eqgbXgY/Rc/RGzuIaQk9+Qp7s9/ieO6fPvDDxENDWjPQ2nDIMb2DtBHLJUC4iZnvldkeW4O+d/8twgh+NYffhdx4wY0xfmn/+J/xNa/+fcUPr/LXsVha2OTrkQcWjIGnS5gqsLoQ726zfRHP8V1PbxckbODA2+Mv1gqou4/ZjObZXVlhcjwEH3RKMLvBgjmbWlxmchPPkJKzebGJhfffxdOnkLPzPKLv/lrju1lGfrB96C9DV5PmC86DpsbG7T19oLlny/kZz+kp/kw+ZJjDsVv/+9T/mOLzY7kSI7kSH6PxYTWlQgx0zPNzZw6NUK5XCZfymFZBqAkGo3S3dPF9RtX0Z7LxMQEr8anEcQ4c3qYRDxu2LA0pr9bS5qbmzlx4gTxqCEfaW1tIZWK1yiOeuixQDTCEGfjabA++gQZjTD59VuMXL4AP/uI4s4eDa6kWCywLTVOMsbey3ms10ukJ2dpdjTeq1n0n/8V6uZ5LKHB1VAso370Ecm/+TF33DLf/cH32P2nf0xLRwegqPR0EGttZXNnh/7/2/8Lb22V8W++z9f+yT9BNqUhGgGpsISiKBSZ1hTJP/garuuy+3oa1dKEDPqehUYJTbYxgTx3kuS3P8B9NYFj29CcqLlfw69dHmgl/cE1sCyK+1uUXk3QdPwYNDQi9wpst7fSuZcl8Vcf4U7PYHse7GaZ/9O/pvWf/TMY6UUIiee5WJYdpjPeUMOy3kP/Eo/0yGP9YvmPnZ+/7wLBIzmSI/mtljBHDqYPvKW1lTOnT+O4LpFYjFQ6TaVSYW11lfHxCVKpJOfPniESifD0+WseP36MJRzOnz+PVcMHLS2L5uYMZ86cIR6rxVl/C3jHYaIU0hKsrG/Se+IYI2fPQipp+Ld9pLHGkREav/ddcCoQS4EQ6JRRkol4HNrbqh6lEExPTJD5679hdm6e7/5n/wLx7ru0dPowqtIi1tBA9MoVGtbWUE0NJOMxQ65x8RKRaMx4uzW94WSa6bl6FZJJ+vsGEfE4yqkYnmlh8MrtWAxOj9Dw/gdc6++HfBEaG8082HY4H21tbYjr18C2af7sNjMPn9K5sgIjJ/mD7/0hbO6E7VLJ1TVzfduivb39QP94wJh2oL++dqJD+6kGMOXvU/6+r3+kiI/kSI7kt1h8RW4KvoTUKOXgKRfLFpwYOcHc7CzFQoH19U0e3B8jk2nh7KlzDA4eZ35xlefPnzM9nebcuQvhhhiwTiEUWrs1vcUGzOQN8fvItc85LXyea2JxckJQeOccfR9+C/G1D2B9HS0jVKTFfHOCkctnEN/7ujm/azi+vccPyS0skz3Rj/jjbxuebCEQOznc5+Pw63tcbM/g/Ot/SayhwaDE4Q9NebC2if7sLsV8mcbjx1j9xruIzmbTruV6UFI0FhwsJDhGmYrWDCgXPTsDd56iT41AxSVVdikpCcpCNCeh6bTpKRfC5OoV4ELME7hIA9MaEZSDRLbWOO9eJtb4dXTEH+f8JsVkhOjt+9DQQP8//gEk4v7UKn+qVTW3HU553QdfVQF95aq5v6McOfxHciRHciR/Z5EA09MzVCoVALLZLDMz08xMzzDx6hWff/45S0vLNDY20tXVjee5zM/Ps7CwQKGQp6mpiY6ODoQQxnNfWyOXywGwv7/P2toajuNjlf8GfcaxWAwG+8lkGuju6oaITWligrlXL8F16Do2QGtLi+/R6vDf4usJ2N5Ba012fx/96pV/6SrCmAn/13F3Kw3Ko5IvoB8+4ic/+VvW19exz53h/Hvv+Z6wplwuoZeWWF1bM9/L5Zh//pz9R48pP3jInY9+xqNHD2F9A5aWKZaKBoVtfoHdtbWDaGOOw+Lr17C5HTKJ6Rcv0GNPKRSLDPT3QVcXkUjEpC2CXPLCAqtra7iegnKZyefPTdW8PPIMj+RIjuRIft/EBnj2bIxUKsHg4ABaezx9+gwAjU0y2UCmpYGh4X6EENy9e4/p6Wks2/BjX712mSsXz2NZkM8XWV/fwI5Af383lpQsLCzQ3tbsK6O39Oz6OVsRuJCRKLHePsT/8X/Py49+SuLFBMujo1ijz/A8l48/eIcPv//HNL13DRFPEGJ0l/JM3/2cvd4WCpnL2Kk080/HGPrH3zXnTcVRfV28+t77tLW10i/wkcl8SFjPpZzdY+7FOJnWNhYGjtN9+TKJqCnux1O4+QKl5VVyrmLp2++xIiXWrz4h6+OyJ12Hpp4eCltbrOd3yQ71Yg9oJoq7RCamaE41QtSgsOlsjoU7d9nsbMRpvYqMxHj+9BlSSuzWDvL/y3+AuHoVkUiBlqa4XMPOs3Eq+SJzf/gB80Kw8YtfcrynD9Gc/kqdYmG//m+6Wo7kSI7kSI7kPzkRWmu9vDQRQrICSD/WqYWNlJJ0Q5R4PEGl7LG7uxuGwoUFiUSSpsY0AK5bYW9vj3Kl2hNtRyK0NDdg+YxdbxkF/gX9D/x2qN099No6rGz49Jx+HjgRha4uxFCHf7h/7lwWtbqKmF1GK42IxCAaRbx31RxXqqD3duHFFEQiiFtXD2KTuw5UHPTDp6bvO5GEpibEmSHzd8940frFJBSLUCoZw8SOVKMClgV9vQY6dm7eIId5nhnP+ROIhgaT55cStvfQGxswv2TOb/mteYGxc/YEorEB4kkfftQguOmHLyGfh3LZHNfaDL09iI7MgWl9k/0sIJmpI6n5MvkfPLR+ZFIcyZEcyZF8oXwB+5mhMVW5GoKLukrmQ+hIzceijskLQtzs2uSs1iHZCZjiKxmyaAXJ27dBkAVjCFjDahR+bRjZB0AxHquuoRkNgFVqaDD9EDng03bX0Jy69blj81MJE4YXIdPWW5DU/PlQaGRAJKI1EJCDiIPzFYTKLeG3tVn+vfr3LNyD5w9qDeqLBZV+KwNa7TRW5+vww47kSI7kSI7kP1H5MhrTSrmMpzzDTHaI2BETWq64ZeNZSsM4JlTAmGZj21bIeua5gQL1i9+EUfy2FTFMauoreHg+y5fnuCEzG8JUqwskkUgUYVv+VQLFaRSfclxTcGcLIsHYKxX/HiUiKMqzDAIdysO2bSJWxHjUrmOuq7VhT4v6/dnCIOB5rjk/YJDbZA01JyBtCw8X5c+D8g0hKSyklCbNIMSBCn7l59+lEOAJhBTYMetABXrYwy4EeC6OY+43YkWMlpdfEdzky0g+juRIjuRIjuS3RmyAX312x//1oKestSYSiTA8aPLjE5OzIXCM1hpLGAXa1tbK6VOncSoOExMTbO9kw78DeFqQSqcZGu6is7PzIK81UHURa64vJY4D46+mWNvYMUf5BNy2iHDxwgVamlIGg9wMNjzP89kFVldW6GjJcPrMGWIRm7GxR+z49KRWnYtq25K+vj5GhgdBaQoVGB+fpJDP09fXx/BQr1G60qJULDE1vcTGxgaeCiIVKpwXy7YZ7u4jGo0wvTBPqVRC+AaDpaG7u4fhoW4SyRQKZWBmtc3i0gozC8um6NA3dE6dOk5XdxdR6XOmq4BCVDI7t8Tk7BLpdJprV85gS8sYKPVUnrXTWytHyvtIjuRIjuR3QmyAfD7P5OQkxWKZTHOGnr4upJCUy2U2NjaIRWza29tZWlpifn6eaDRKb28vyViUnd1dpqamiMcTZJoa2Nvb49mzF2SzWZob0/T09pIvlikWCuTym0hp0dHW8aUDq5RKTM7MG2Q4GaGxsZFoVFIoFlhbXkcpjyvnz5JpyRyoXJ+dm+PRo0fMzsxw8tgwZ8+eBSF4MjbG/Pom7e3t9HSZ62ulmZqeQikXrTUjw4MUCkXGX03x+eefU8jnOX78OLGopKe3F601rueRy+eYeD1h2N0SSbr7DC3qyuoqpVIJdfEKJ06cYG1tjZnZGRzPo7urC6dYYmVlFUteoL+/n0TKMMOtrCzz6NEjVja2aWpqwsIUCWZzO9y4foOejnYsq1p1v7gwz+PHj3n2coquzi4uXzpFJOD3/ipypMSP5EiO5Eh+Z8QG+PCbX2N3e52lpTX6+3r45odfA6BUrPDixQs62zP093eTzZ5jcX6WRDTClUsX6epo4cnTJ9y9N8bjx2N865tf4/Tp06xt7ZKdeE1Pfw8ffO0DNtZ3uH/vHi9fzNLc2PmGIq/mgIPcrySbzfN49Anrm1u8+85Nzl84j+e6TE/PsLm6zcMHj2lpbiLd1EzE8iiXSiwsbXD79h1WVjYR2g4L7pTwcKXCQjPY18s3v/YeABXXY3tzna2dLJ4nyOcqjL+c4NHjMRrSjTS3ZNjN7vP5nUe8cytKZ2cjqVSCY8cG2N5ZZ31zi5b2dr7+vjnf+POXvJ6cBMujs6eN08UT7G5vUsiXuHj2HEh4+uwpY09e4bgWQwN97O/vc+/hGJvb+5w6PsS5c+dQyuVv/3abqYkputq7acs0kLASOB6srKxw585D5ufn/eJEiaUxhXhHTF5HciRHciS/d2IDNDQ0GJ5tIBqN0NDQgOe67O/nOHPmNI0NCaRlEY/H0X7YN5VMkkqniMVieK5LIZ/3vx/Fto0StWybdCpFPlECoOJUcL8K/7MQuJ5LuVzGcRwiERvleSwtLTMx8YpCsYjrODiOg9aaQiHP/Pw8d++NojxFLBaj7Fd0m1A69PT0ELETdHZ1km5oAMBxPYPAhkkjrK+vc+/uPTwN77zzDummNOPj44w/G0cIwXf/8Ouk0mkSyQSRSAStNBE7QjKRIBaL0dPbi+M6ZFoyRKNREokkQkikJUkkkvQN9JLL5Xj+9AXj4+MkohHGX44z8XqKU6dOcfLUKVpbW6lUSvT09mJZMRKJRBgdWV7d4O7duxQLZSJ2BK2cKruauYn/+BVxJEdyJEdyJL9VYrS3j42ulaBcctjc3KZULPH48RjXr10jkUjjuS5BxZzSgv39HLGoTbFQxo7ZNLY0YtkBaIlEa0GpWGJre5ts1uTM0+kYsbj1xiDe6G7Snl+3JRDCwtMWy6ubvHo9zV62iKckChshLErFMkvr6zweG6dcLnLlyhUmp+fZz+7i+aQhUimuXriI4zo0NzeFtKVbWxso5ZBOpEjG4hQrZbb3dsg0NtGaaaK5tZnZ6QjFisP27j7aU2asysP20/kVx7TcKa3Z3Nwkk2lhcHAIIQRKaSxpo/xC/qZUguZ0iorrsLu/R6FcZnt3j1KpQCIRoymdwrYkRGwuX7xA8USF5uZmXGWMjM/v3Wdvf49L5y+zvr7G/rPXaCVQ2uDSV6vnCR/rofN7JEdyJEdyJL8zYgf/E+Ctr62tcf/ePRzHZW5unnPnzgEHubidSoXx8XEWUjGjvFoyjJwYIRaLUSwUw+M2tzYZffyYQsFBSsnJk6fo6+v7SgNTAcOY1niux862KXg7OXKSV6+mDAqa1iwuLjH6/Ckbmxtcv3KZwcEhlldNWb7WmmKxSKwhSW9/X+ixeq5iZ2eHO3fv4Lkep0+fZWh4mP393fDa5XKFYqn09vF5CqU1Ozu7jI2NoZRifz/H+fPnaWtrM3MWIMn52PAIGbLDBdXoWmssywqr4BEC27bp7OwEEQHPY2FlkUePHrG4uMiVK1cYGBigkM8bHnIMu1osFkNjmOwOhcE9kiM5kiM5kt9JkcEPKSNoKYgm4rRmWmhpbsayooBE4aFQGB4QjZSSxsZGGpobiCdjOBWHXC6H8hTSkn6LtyIRjdHc2MRgfyeXL53h3JmTtLe21F3+EC5saaERSC2RWjI/O8vC3ByJmMVAfzepRASJi7AkWzvbLC+tUi4Zr/nx2BNWVtZQHuxsZRkbe46nFRrt847C5vYOn97+nImX04yMnOHi5TN0dWXQQqKFRb5c4fGzZ9y/+4j5OR9cpoZ4RSiNFIYrPRGN0dKcoTHdQDwaQWqFQJhuMK1Ae9giAh5ozPmF0kgdINYaEhYLgZYapV00tvmnNdgWuztZFhdWcYoeud0C488nWFxcxXPK5LP7PHjwkEKxgET4le2AIV873Bs/Ivk4kiM5kiP5nZGQ/cwQpyg6Ojq4fv06ruNgR5M0NzWZ1iqlwn7uWCzGqdOn6exsZlRKJiY/5fXr15w8Nmjy2b53397eztWrV4nFIggpjLcovrzXWdf8XUrJ4uIinZ2ddHUdJ5ms0n8qT9HZ1cm169eoVCoIv88cQFoyVL5VJSxZWV7m3oNHTE5OcvHSJa5evUpjY/KNa9d+V0hxYExCCKPILUlTcxMXL14Mc+ypZDI4KIxyaK2QlnXgPMpnbxO+l678lj4hBOVSmakpE3Xo6+ujsbGRS5cv41RcP9IgQq++2mdeNTS+Ei1p7TFHiv1IjuRIjuS3VmwIsEn8vnAUwpLYMsrZs6fZ3tpCSIeGhgbA5NKDMLCUJk8tpPCVt8TzMElaoQxCitRYdk1/+BfqGF8pad+pFBqtPdo62zh74Sxnzp0hX8ibnLMUaCno7u2lr7f9gKItFYpsbazQnGnk/PmzZoxCgPJYXV1l4tUUiUQDN69fpiEVx7IkyvOwMPefjNtcOHeKpoZGxsbGWFxc9j1bg86mtUApgSXAwoyxoaGBZLK/iugGCGHmB0z9wfraNmurmyRTSfr6+mhqamJoaJC93Tw727usrmwQj6dxHc2LFxMsLs7zzjuCi+dP0956GTCGhsbm7j2PxeVF4qkYV69fJZZIhMA0um6Sj3LkR3IkR3Ikv7tiA8zOzlAsFBBCsL+/z/z8PADlssPridcMDPYwMDjA+vo6YLzJ9fV1XLfI7u4uyUSStlaTF97Z2aGQL6C0IpfLsbW9TbSzA9uyvrrnp03leVtbG1tb22QyGRKJBJubm+zv7+N5Hu3t7TQ0NBCNRonZBilNeR4bGxuUSkW01jiOw97eHpnmlFGofvV3uVwmlU6TSiWxo1HQnsnF1/CMx2IxGhsbsW37gJFgqvn32d/fR3ke+UKBra1N0um0YWzz8+KFfJ7NzU1KxRKVisP6+horK4tsbGzQ3z/A6dOnaG9vMx0CnmRudpbx8XE/MmKxvbVFLBYjHo+bToCI7RsJivXNPXI50yWglGJ7e4eGdAMy+mYh4VvlyAs/kiM5kiP5nRAb4OnTF0QiMVpbWnEclydPniP9FrBCvoCnutja2mZ9fZWOTqOwFxfn2diMkM/lOHlskBtXLyIlrK0toyplOltacMsu8zPztDQ3YidT1bBvrRLRulpeXSPpVJorl8/jOkVKFYeFuXksC8rlMsm4zdWrV+nr7SRi++fz2+JmZ2Zx3Art7a1IFDNTrxkc6MJ40x6pdIKOzjaampoAHeLICyGIJ2w6Olp8A8FGSk1DQ4r29gwtrQ0IS5IvFVleXSFXLNDW3oxta5aWFmltayHT0h7e3/b2FlvbW8QTcWREsLm1QsWp0NXdzoULZ2hvbycSjRJPxLh25RyxiGJ+foWJ8QmEkMRjEU6dOs2x4T6ikQBHXYEULCzMUSzmaGttxrYjjD97Tk9XFxHbQMkeqegjOZIjOZLfHxFaaz01+eKtB1iWpDmTRgjJ5sZu3beNB5tOxmlrbcN1Hba3dygWTQ+3EIJEIkFra1MVXxyqyjz8WafIfcxw1/HY2toimy+a0LioVmN3d3URT0SrmO/aELYsr6xQLPtkI0oTjUbo6+82p0Wwv7fL+maWaDRCb0+7qfwWpkgsVyiytr6ObVl0dHYQtSLs7e2xvZsjHo/T3d3me8C75PJ5pDCtX4mYTWtLC7F4MiSfye7vs7uTxXFctFX16BvSDbS0NIV9+wH5zO7uDnu7eRM696vc2zsyNDSkawhtACFYW9ukUCiE8yalS29vr8GxP+olP5IjOZIj+d2TL2M/0zoHEJKg6AAkRXlGUeL5hB3SRw+rYTcD4yzW5IbDz0NlHTCBqSpRSPBTWqFXXFNEX1MIZqrAwwKtLwwJByxjQRjfJxkhIByhqhC1X91dw/Km/euBz3YWsKZpz88/B/dbY4SELHAyPA/ae5MFLpgnIU3SWilMabn/vQDYJWgfC8bt5/brnujBX2sMnK9U7Hbgu7/h8UdyJEdyJEfy/3/5AkV+UCOIg8VSpicZs9lLm0PF749GeYfQa9b9Hiq7up91EgC2BFXfodJ8GwRpTVX6gd/fOK7mesG9SRkWiZlKcCskQKkeKw8o/PDf2xTggQryWiVbe31ZY9SIkJTlwHWCez/s/LLKnPZGquI3kSMlfiRHciRH8lstNsCD+w+R0kJ5fluT70EqYbzivt5OOjs62NzNMzc3h/ZhVi3LprOjg57u1lC5VUpFlpfXTbW7iKK1oqk5SUdHBw2Njf5lVY0CMXjh4eeAFDaFXI7FhXX29/fB0gifc1zUKK3hwQEymQzSCrx1Q54yN7vA9tY2jY1pBocGsSO+9+1f11Mm1/769RRKawZ6+2hta0N5ilw+z+TUHK7rIrRjENqEJJ1Kc2xoGK09lpdX2NnZxtM+pauqRhQsy6a9I0MsFmN9bZtyuYwX0Jti2vza2lro6uoiEYsYkBg8NJrdrTzZXJaO9kZDqOJHIbSIkM1lmZmaxXEdgLBVLZlMcfzEINFoFCGU4WUPDIbAhhBBEdxBw8pzFWtrayyubZjvKJd4PEF7Rwvlcpn1jV2ampo4NtCLZdsUy0XWVtfY2Nihvb2dVDzG5tYWWR84x/TGm+fU2NhIb3eHD4f7FQBqtEb7xlVgSInAyPH/Xi9KBfS1XtXYOjRqc3B9Abiuy/rGNisrq2htajJ6u9qIxxOsrW+wvr5OQ3MzzZlmtje2yedyKP88llC+kWmed19/F47jsLKxi+M4CG3WqbH1FJ3trXR39+A4HjPTM5QrRQYGBsi0NCOlpFhyePnqFZ6rGBwcwnPKrK6u4mkLrVQ1aOPT9CaTDQwNDbKwMEc2m0VhI4WkIWlz7NgxInHz3ikfSGluYblmmqtz0NpqxhWLm9qKoFh0aWXDPL/ONtPu+VWLLoJnZNko5bG6vGlYAh1/zUrJ0OAgmUwaKS20MO+DpMbwDc5z4DnKquEcRNLMAgAh2d3PMTM7i/Kqz8VE81waGxvp7+sikUwdHONb1gXUBNJ8eWvXR3AuKf2x1ETqpCS3l2fi1Ss8jINQdUzMdWMx6O/vp7mpKTTyy6UirycX0VrR3dVGW2srSLNvFUtllpeW2d3P+XuhRVNTM4P9nURjMTPQ2mintg5GPlGgFNlskcXFRSpumYGBAZoaG5BSsruXY3FxCcd1ODZ8jKaGoJX2Lff/NhGiOh+AoorDEexbwc9wfoUgny+xuLhIuVymo6ODrk7DybGXK7K8vIwTfh5gkRz+/H4fxQbjoi8sLFAqujQ3N9PWmkEIgadddnZ2idgm1/zixSTPnz+np6sbIQS5bJblpSWkvEBHR0dYILe7u8v4y5dsb+2TSqUYOTlIJpMxV9SmYCsUIQ5tSSsWi4yNjbK+tk6mLUNjYyNCCCpOhfX1dcrlMomoYUWTUvhV6y6rK6s8GXvCwsICQ8MDDA4N1mwCGqQkn80xNTXFvbv3sSybZCxOJpOhUCoy8eoVY0/HaWpqIpWIGMS2fIFyuYwlBC0treb+xl+ytbNNQ0MDrZkmAHa29yiWSly6fJae7h7m5+dYWlrC8TStLa00NabZ3d1hYWGO02fOMNTfRzKdBmB3d4dXE7Nsb21x69ZlEskkYDaE/b19pmemeXD/Ie3t7USjUbTS5PI5KhUHy1IcO3YMOyp9WlR/XqWo2xAPbpRKKbLZLFNTU6yvrxOP2Bw/fpxEMsb8/DxPno3T3dVNRChaW1tZ3Vjn2dOnLC9vcPz4cU6NHGdtdZXJuXnyhTwdLW00NTeRzxfQWlMqDHPy1EkS8diXr8QQ6U6xsrxKMpWkMZ0O++QPU9DysN75r1KNrzVaKfL5ApOTr9nY2DYdBMkbRKNRZmZneTI2xtDxY5w6dZr1tXWmZ6bZz+bJtLTQ3JgkYtuUyw65XJ54wkZIwevXr9nY2MCW0NnZSTRqs7m5yVqmGaU08XiSR48esp/dw47YNDU3Ii2LYrHIvbt3qVRcYrEY6WSCqakpllc2AOjt7SaeiAOKXC6P63h0d3exvr7O1NQUe9ki6XSa86eP43outvaRl7WmVCoyPz/H8vIKtm2RybSQSiXZ399nZnaWSxcd+gd6sS2bjY0Nnjx9ytT0PC2tLThnTzN8bJhEIh6+O29E2WrFfw5aazY3t3jy9Cnr62u0NJn9ZGl1mVwux/mzJ2ltb/eRD5WfmvKfW40CCBWB55HP5clms3R1d5ntu+b43d1dnj9/TjQSZX9/n1KpQmNjA/F4jFQqSaYpbRR57bn/Y6QegyGYm+BzbVJnruuyurbG/MISFadCe1s7jY2NlEoVVlZWScShsaGR5ubq3lgslRgdG8V1HG5cu0Rbe7uZIyFQnmJ7e5ullVWy2Ry7u3sMDw3T2pKmJR73X++a1GWg6IKIqQCkZHdnh9HRUfZze8TjcRob0iAEu7u7PHr0kFw+T0smQzoZN7U89ZZMLQ7FYfOpDhrgtaig1WkLcDokpuhYk8vlePbsGdvb21y7dr2qyPf2ePr0Kfn9LFevXqWrIxNcyD/ZV3tsv8siAa5cuYJl2+zt7dHQ0MC16xe5eu0CFy6co6WlCa0slhfXePRolHLZ4dSpY5w9d5JYLMbU9BTPnj3zIUgFsVicrq4umpqayOWySCnp7++nMfDGD+TSA1HUW1Wu55Iv5Njd36GtNcOlC+e4duMiJ08No5Ugu58nX8qjhEJLC09pNrf2+fzOAyYmZ9na2Sebzxm89fAFsyjmy0xNLnD7swdsbuTY2y1TcUogFGtrm9y9+4Bcfp9jx4a4dPEKJ06cJJ1qZHlxlWdPn1Eul+ns7KSxsZH9/RxS2pw/f4EzZ87QnGnGdc3m3tLaSmdnF0opSqUC/QO9XLp0nu6eLlZXN3j+bJzd3X32d/bY3Njn5fgMT56Ns7WTNakFrUwqHs3GxhZjo0/Y3d1mZOQEV65c4ezZszSkm1hdWeOTTz6lUCiDthDY1ekMXzYf4s2Pmmi/D19GJB3d7bS3dbK/l8PzYGBgiHSqgUrZZW83y/T0LPcfP+PFxAyjY+NMTM6ztbNPvlgh1dRIW7fpCCgWynR0tnH58kV6e3vZ2dnm+bNXbG/uH0xHHPbP0oCL57rsbO/w4OFjFuaXDF5BbS0C1G2iwUZlevUPHPdFIgyhT3t7G/39A+QKRbL5Ivlyhe39LFs7uxTKFbTWNDSk6e7rxYpE2M3u09DUyIVLF7l09Qqnz52lKdOMbdt0d3XT3t5OuVymUqkwMnKSK1eu0NDQwPTMEs9fTJIrlNjLFdjZLbC1nSebK6KUQGG8yp29LMWyQ0dXJ4PDQ2zv7pPNFzl+Yphr165w5coVRk6OIC2IRCyGhoZJJBLksjlisRgnTpwgGokisBBYSGnR0tLGwNAxyo5LxVV09fRy8fJVGjMtzC8s8eLlBLs7u2xsbDA29py52UVsNNntbcZevGRmfplKuXzQy6r/F0IJWigNuzt7PHzwiPn5OVoyLVy+co5Ll89SLjmMjT5hZnYGlOfjUUjz/IJnGETohAVK4zke2VyR8VcTPHz4GNepGYOUoVPQ2NhIb28PkYhNIZ+ntaWV4eEBEsmYWSbara4Nafn/AmNXHnhfwtcFjeCQ9Sdr1lqg1Gq9c//YVCrGxYtnyedL7O/l6Ohs49r1K5w+M4K0FYWCgx9gq1G+YNsCO2IhpALthOeORqOcOHGCS5cukck0s7+/Ty5vEDXNGIK6nIjxxoPxEEQxTH1TxdPs7efY38+xtbVLIV8GT1CpuORyRfZ287iuCMelw//8GRESLS2D5SFqJizI3wbPUoKp3zGfm9swzzfA1zBrQIHQKAX5fJFstkC57JjPtYfjOGSzWbK5rCHDCtdeldr5911sgM7OLrMBCEE8Hqezw1hChVKZ6zeuE7VivH79mv39fVpbW2ltazOeQ0MDlUqFYqFgAFUsC8uySKfTJJNJlNJEo1HTjx2JHLzyF+VmtYFAjdgRYrGYiRK0txNPRQGwLOtAiMZzXba2t/j4F79mZWXVXwSEFeCBMnBcl9evX3P/3kMTKvVDcdK3dp1Khd3dHdJNjWQyGdINDcwvLDA7M4vruezs7uJ5Lq0traTTKbTWxGIxWlpMn7tlmTmMRqMkEwmampqw7QhSlmlsbKSrq9t46JUKuWyWbDbLy5cvWV3bYHdvj53dHF1dXSilQVoITPFdqVRiZ2cXgNbWFjKZVp4+fcL8/LzPGV/C80zYVSmvWvgQekiHe1GmqyBJyudFt22LxsZGYrFoWKdQqVSYmppidWWVQrHgs8oZ1Lyg1z4WMx53Q0MD7e3t7Ozs43mKvb09Sl+AV1/7vJXy2N8v8IuPP2Z+bpFMczOlUpFoJIq0LGy/yh8p8Vy3hsSHcE1UgYe+XKQQpFIpmpqawnqIfKHAwsIC8/PzDAwMcOnSZVpaWhDCNlj2WpNIJGhrayMej9OQbqK5OUM6GSWZTJhefimJ2DZtba10dLSTTKYolUohcZC5Xc2zp8+IRiWXL18KAZYCLyWRSNDU1OyjIUpaWlrp6OhEKY9kMkVXZ6fxpPy5l5YkHo/T6mP8h/coLZLJhEk/SYlt22QyGdra2mhsbMRxHHb3dtnc3GRpeZmJV5MMDQ9z8fxZVldWePZqggcPHtCUitHb1xssmjff3TCUq1Ge4s6dO7x89Yrjx0a4dv0aHW0ZPM8jmUqx5WMrICRaeZSdIlbNcxRCEIlGw/qPcrnM8+fPGR0bJRVP+OvP1LFIf79pb2/n3XffpZDPs7CwgJCCRDLBqdOncSoVGhuSRnF7BkGxUnEODD8mLYRlg1B4nuevLUJP1LyH2qxDyzgiwXGWz/So/N+Dcdm2TSQapb29HWmZ+2toaKCjo4PGxkY8z+XhvUfmu8pDK43rGlbDW7du4XmK9tb0AcM0Eo2SaWsjGk8wMzNzIDwdGlrSgFu5jlszpxrLtk10K/CEpaBcLjM6NkoiGuPkqZPh2gx+aq1xXQ9XB+fyDQ3L8pEzzXFOxXQphcZDeGHPvLfSPEvP9XA9FyGqqJuWlEjbD7srffCezCImQB3VSoccHEdyUAxEKy5B5bN5kIJCocivP7vLxYsXSDclEb7FpZXAkjaJeJJLl84zNNRPY0Oy2l6mFAGE6RsPpVZqP3+T/ozm5iY++NotypUyba0dRKMG910IEz425zWW3eraBp99+inzc0u8++67LCwsMTU1FV5bCYEQkoePxxgbHSUWj/Dht/6An/7sV3h4eFqAtFBCopBIISmVSjweGzWhnp3tmlCQwFMuWntIaWMWt6JYNAAwnZ1dHD8xiGVb/jFB1bwMK/EDBrlIxOLkyeP09g/w6tUExcIcFhZS2KDM5iiENFavFCbyoAUPHj7m6bOnbGzvoLRBmDM5ZbPpVOnP/I1I1YXB/M1YILCl8XxMfrta5CeExPJjVm6lxF6lhBYRhLDCl9zyn3MwL0qZSv/wHFIj5Fd48ZRkY32T27cfMfl6HuVpnj97zdLCIpaUROIJvv2tb5NujKO1YmZ2mYcPH4Try7Yl58+f5+SpEQIEPyNfoNiFAPyNAwutBJ6r2NvNspfNM3y8kbbWZiIR84ylqNmktGRjY4uFhQX6+/tJplLh3B4okgy+5yMdmry5Wbe7u3s8ePCQctnh9NlzaB1sbGaTDI4PIX2Vx+TkNJubm7z/wS0z/9JGCBuh8Z+Vf+9+OkIpr1qwGsyHlv67rNBaoJWgWHHY2dsnVyiRTDfQ1dNNxXVQ4xNsbe2QL+S++PmF76/C8xxWVzYp5Izx2tzcjBUxEM3f+vb7lMtlWptbQRuSoY8++gh8RWnZkp7ubt57/10QklKpyKPRx4yNTrCzk6UQL/Ojv/pbohFBNBLh5KkRTp85QyoRI5VMsOI4B/abxlQS0ilz3wocVzP+cpzXE1N4SqGFIplMcu3SeXp6e9ECFpYWGX8+bWpzwm4Qk8vv6Ojg5s2bpNJJ7t6/y9LiGkNDg3R1dfPo0SNKJUMYdeHieU6OjGBHbJT/jghhPH/lQS5XZGpqhlvvXqezqxWtBFNT0zx58gStFAqbRDLJuTPHaWyq5aYwOW5P+fuIz1ippTAesxAIBK8np3nx4gWViovWmmQszvnzFxg81heGuY2DE2V7M8vd+49wlQj32IANE2kxPT3Ns2fPcByH4H26fuMaQ4ODCEtTLBb427/6ub9Oa/c4iEYt3n//A1raW/A8l6XFDe7dv4/WJtoVjyc5fvw4F86fMkZg6JwFdVMyTLsGBFHybfrk91zCUvTgBVhaWuLnP/8FFafC3NwyJ06cQLZl6Onp4eKFi7yaeMWnn31GSyZDf38/J06cMO1p1RMBhA9FKfMS1IaO3shp1j8bTxGJREKmNCEspBCsb2zwZOwJhXyey5cv09vby+rKCqOjY6yvr3PznXc4d+4ce3vZKga5NEr87t27PBkbJ5lKcfPmNZqamkJLudbgUEqhtMlvZbNZ34ru4sWLF9VjpfCtcMXGxga3b9/GU4p8tsTIyRHa2lpD3nYwXu2Tp09YW11gbW2NdEMD586do729nWQyicbkUmftJQLcdSBMQygfCz8458bGBk1NTbS2tDP+ctxEFeSXKa0aCfKcUppiKv85qbr8Z7B5tXe0sr29QzLdxP7+Pqsrq+Y7/piEELiOiXbs7e2xu7tDIh7nxPHham3EF4kQJOIxurq7mZqaouRWyGQyDPZ3YdkWViSGHYmgtWJiYoKH95+wu7fHjRvXcRyX58+f8PDhQzzlcubMmS9PmYXGR3Xd7+/v+5ufw/Hjxzl79izRSNQYPP69AszNzuE5ZYqFIhWnYhAN/QIr5T+HbC7LnTt3SSWTzM3P09nZyZkzZ4hGo+FGpLVmf3+f8fFxdvb28VwvNJA81wmVuOu5PHr0iBcv4mxtbpNMJUMFHSARBt8zkadqjrRWiQspyGazPH32lMWlWVZWV8hkMpw7d47GxiTKXwdmXmSNQVdfz3KIYVbzmdJVA8S8VyY/K4UI32dbWKytr3Pn7gOmpqa5detd0qk0M7NTPH36lFg8wuVLl7Etm7a2Npqa1syaSiYZHBwkGhFEIhED6lSzr7zRbVIz7kIux8uJacZGR5HSZmh4mEIpz/LyMnfu3OHmzRt09/WQz+eZmZ3FqVQ4dfokq6srJBIxpLSYmppCKcWtWzfp6OhgcWGV58+fs7+/T0dHB7ZtMTo6yujjx3iuy/kL5w7M4YQf1dzf32dpeYmvf/AuqVQSpYQP1zxEoVDg8egzk5LsbT8498LUKFi1XTZW9Rk7jsvU1BSPHo3iuS6Dg8fwPJf5mTnu3ruLtrzqnlqTt97c3GTsyROSiQSFfD5cU0IIGhoaGBwcwnEdLGnz+PFj7t29i+s4nBgZplKpMDc3S6XicPr0WTzPY2d7m5OnTjE69gg7EuH8xXN4nse9u49YX1/n4mUzL/Nzizx+/BhJhXPnzofOX3D9hfk5dnZ2kdHE4c/1SEIxWOtE0cqvGJYS246iFLieA0JhWZKOjg4uXdHYUYUtLJ/UI4eUEfr7O83Z/BB2PcGICBZhcEx9dVuYwz5Y5GIFIRdfiT998oK5uWUGh3u4dOUsHW2tPHkyxtzsIq4HruMw8fo1W1tbaK3Z3d3nxfOXXLx4jtcTU2xu79IVi7OxvsXKyjqeaxbr3NwiTU0ZtPYQQlMqe0xOz1PI7dHR0UEm08r4+HjNcD3AML1Z0sKyLQiicb73HzhwSms8V2NbUSzLDqMVnuuitZlbLAsphYkO4IXsccqvAhfKQ6DwHMXL5y/Z3Njg2PAwjY2NTL5+BcJECBSOiVYE01s7n37fej5fYGJiAsuy6B/oJZ1Khznz2k3bVOtDuqmRi+fPkM/nEVaUyclJ1ldWQwY3Cb7xoXzv2KKtrYXkQD8njvfR2FQluXmbKKVIptIcOzbI/ft3KBbzdHa1cfbcCLFYHCUE0ZhAiAhLi6ssLq7S3t7OuXOncD2PianXzC8u09XdwZkzZ770erVrrlZhSdtGeEahBtXnptHBPG9QWLZASoGQGqVcFB7ajxAFKUotDGr/1OwcW5tbXLxwmv7+XhxH+cpXMTDQj+s5bGxssJ8tYjJAZh5lTeoIwLJM3lQIgecaJa6UhyE7UiY3TbV9sexUTNGdkHR1GzAkrTSWNCFfO2JjWzYVKn7I0niLGo+1tRUejD1mZ2ebcqGM0KLGSBCHFh2+TQLPv1BweTk+juebWH09veztZpl4NYNWNpWKQ0EWKZcddnb2mXw9zaWLV4yH3ttL2+wKs7NTpFJxzpw5FRYX2n5UJVjwXtD/Ic3arT5rj3KlyMryMqtra7S0tVNxHRzHIZfPsbezy/DxfTq7u9FamChXJMbA0CBlp0JzoylmXV/fZGpqhitXLtHX18fM1CJzs/NEozZ/+Id/SDwe5+XLcZaWVshkWjl/4VxoFGk/XSgtiR0NonUmxystRVt7hsamNDvbOzx9/grXcd5MiYX7qonwaL9o03ws8VzF8tIKC/MrtGQylMsOWmuKlTKrG+v0D/bQ3dUVri1hawYGBijlS+xsb7PuCVzXw7YxDUBK4HkGqttzXRwUrqtZmF+iq6uX48eHQUtcJXGVoKu3y0BgOyVOnDzO/YePmZyao627E+UppmfniUajlP1IQaFUZm9vj8XFZc6duxC+h6Dw3ApbW7ssLCzQNzR8pMi/REL2s0A6Ojq4ceMGpVIJBSQTCZTW5At58rk8Q4NDpl0CWFlepVJ5gOQSvb091ZCt/6JLWfU+gMMteq3f9MjrZGNjg2fPnjI7u0hXZyfXrl+ivb0d26dTHRwawnUcCsUipVIprJoul8tsbmyE92VHU0SjUXZ3dymWSnh+G10umzXf8cdhWtNe09vdTmdnZxiprYZGCZnMGhsbuXDhIgDLi2smt1ljzEi/7mBoeIjzZ08wNvaEhw/GmJubY2iwm8am5gP3GhgCtRumlFao/B89ekRbWxvt7e243kGgGPE2r9z33JTvBd6+/RmxWIxk8hs0NDSG1631+oMceSQSobOzk1gsxvZulpmZ2fD4WolEIgwPD3H+/AVsW/i5Ym0MlS8RaVlIKU2+VxoSnlgsRjKV9nNsVphHrFQcn+lOkEylKJfLRilVKjg1ecEvlLA4qXoPqXSKgYEBVldXmZmZo7W1lWN97UTtg7Udhh3wGrlcjrW1NZKJRN2pNalUirNnz9LU3MS4N06hYDgJIpF4OHcnTpwgkYzz/PlzZuYWq+9MTfGO1pqIHeHU6dN0d3UxO7vE/v5+6OkGIcwwkuJ5lMtlpuammZycpLujM1TkAIlkgmPDxzh2YoBROcr9+4+ZmprilJ+SUFqRL+RZW1sll8tTqVT8tsavWET4FqlUjGHxenqWcrnMB+++R0NDA6VSCSkl+/v7uI5jWjyPDdPe3hq+B9Fo1OSlASkl8UScZCrGgfbEmnfFMDVqM481f9MaKk4F13GolCvs7+8jpKa7qxsL43kGz8DzWzij0ShSmp9BLY7WCtdzifg58MDoM+9TCtu2qFQqpgANs7cG0cmBwQEuXrzE7u4Wlr/eA7Fsm4S0KMbjB6J5NYshXK6eUn4Iu3rPwf+Xy2Vzj5UK+VwOOxKhs6ODtrY2Mi0toSeuPIVlWZw6fQqpJE+fPmVlbStMrWqlWV1bY/zFCxYXF2lpbcWStjm3P4/1yjWYJ8u2wnurVCq4jlHcjusQiUTY398nEonQ2tpKS0sLLS2tIMx8dHR0UiwW2d7ZQQpTg7Th7+Ht7e00Z5r/zuvwd1lsACkU0s+TRyKSZDJGMhnj1q1bpgq7UGJ6Zp5ff3KHTCbDD/7k21y8eI5S0WF6eoZENEJnZw921DqgyJVfvFANrR9C6iHEGw56vbyamOX58yna25q4fPUS7R1t5mtS0jc4SFtnW7ipaa345ccldvfWybRmuHLjCpZQfO2Dd6hUKqawDZudnR2mpqaQQnBiZIjBwR7m59cQSmBJRaYhwaWLZ+nr62V6ZhEwVeRKgEbiaYHWHpYtSMZNQV5rxpCsKOWGuVClBJb0SCWiJJJRYnEL5bqUi6WwOh1lesx9FnI8ZZDhJAfbfYSwSCTSXL12nmPH+5iaXDCfKz8/7nE4aE5oQJmisnyugudJKp5CI6opEKnRljbeTI1RIC2IRG0iEZPvNZfwQXuUQmiF1ArLhlQqim3J38hzC8QigNs1VK3ZXJ6KU0HKCJnmZoNJJAVKuHg4obEhtcTy89xCWGGh1Jv9pf4a8dPJKDfMX1uWoCGdpNzUwKzU7O/vspPL0RqNmTy/UFhYxCNx4vEozc09NDe3UqlUqBQLxGIxIkphK0VMahqSUW5evUQxu8urqWniz8c5d/a0iZwoRSKZ5NSpIeIJm0K+yMbGBhZBbYk68FxTiTjpZILjx/opFUvsbG7RnGnGlua9FSgsYcIj+UKOp08nWFk1XpkWVSwoWyriMYtkLEHUttGei+eUQbkI7WFh09/dz/UbV1haXuJ+7sGbxYpCUKo4FPJ5HMe82+l0nFjMpD+QFs2ZNFvbUQqFItlsnkxTius3rjE5s0CpWKZYKZISKZ+SV3Pz+mVaW1vJZrMUi0Xi8RhSGERHobwD0QnX9dje2sFTimQiQTKZAuECuprbxYT4FYHy8yGutERKm96edm69cw3bjpDPm26N1taWagREKITQCAyWRID/gO170NrUbyvl4CkXYQvz7ghw/QiHV7P0NBIlJHbMJtmQIJXuojnTQDJpWgoVxvAIqsCFFChXo5AobfZnY3z6kU1tg7ZxtTL7kTK1DlXFKmlr6+DK1XOkGxooFRXFQoG29kYidgQhtSna15CKJxka6kVYLt6j56yvryO0RGjJxKvXvHw5QWtbEzdvXiORSLC1vWYIo7RJNwkpDA6AMsyRErMXSKERflrVluC65vN0Ms57t66bboucIbBqaIyjUDQ2xTl3/iT5nGkPjsfP0N3Tzb3P7yCE4Myl8wwN9NYsxqP+8UBsIAzj1L4sQS743r17dHR04nkuuVwOKaWxrKKmmrhSqfiVpL5ov/Kzxls8gNBWD436FaRcLlMsFRGimUQ8ju17SVobbvRYLPjdVDdG/HyqZVskEgkQgmQiSTJhAA48bYrZgiKUSDSKHYmYCkopSSWTvPPOOwwPDZr8r2csyiAPHeSsa0EOpBC+RylMEFYp34Kveriu4+B5BiwkKN5QWuM5ldDgCWoKXNc1nriPNBd0FHzzm99kcKgDOxLBcV1/zH6pwxflMP2/WbaFbVfR6yqVih+uleF1asPNtVZ3LQ581XtR4VoJfrelONhz/GUKveZ6QfrBc11mZmd5cP8+iUSaf/yP/1HYcx90LSjPzLHSpirXsqTJ2X/JegoqhT2lUP7z0EqTSibpOn+efLHMy5cvScZt3nvvPfN++PftKUWlUiEWi1EsFhgdHePEsT6GhodxXS98plJKUuk00WjUeEeFvPEULRnOazQa5fjx40Qjaf7Dn/85lUrFfN9TJrQvTBjfc11czyNiR1jYXGBsdJQ//uPv43kunmfy8kopf3255PI5PNczCsHz8HytYuogPLxgPQuBbdVg/mO8qqbmJnb8Ak8TDTpomO3t7fLJJ79mY30HrTVXr13k0sWL2JEI0UiUb3zjGwBMTk5iWTZfe/8dYrFYNbfrp3Esy8Z1HRLJBNFohIWFBUZHR+nt7aaz64/C99OyLKRl+TwHW9y5c5tSqcSly5e5fOlyzb2p8D3SSod5/zDa4b9zlmWTSCTIZrOMjo6ytbXLu+++S0PDsTfWvR2JmN/xo1WWSXdJUUWBDPY7xwe+sSMRIn6XRRAlCtarUoqIJUmn09RGhDzPxXWNtw8mkqeU2UsVfvW3Nnu18o2bwBDyPDc0ai3LDv8lU0lcx+HJ2DMWFha4dv0C5y+cP/AuKOURi8U4c/o0tkzwySefkMsZbouK4/g4FRapdJpE3BhsAU9EFYGzBtxFiLdGBoPIWyQaRSnFy/FxZmZnOHnquE8iFSOZSGBHIpTLZWMERCJUKg6xWJREIkE0HqcK6X0kgdgAf/Yffsjq+jauglevp9jZ2QKg4imy+1kyba2cGDnBO/kC9+/d569//BOklBTyJhfyzrs3sG1Ae2Sz+zx58oLXE68ByfraJg8ePuTq1at0dnUTVHmHm/vblE+NSJTh/hbSt/7M90SooDBFYWg++eQTZmbm0VqwurTGzz/6BT/4/ncOAIssLS3xy1/+Etc1ec5Hj0bRSnD8+HE+/NY3uHP3Dvfu3eXZ0xd4SlEoZGlraeWD924Rj9g8HX3G65eTCOWxtrLMvbsPuXHjBm3traGhMj83z+jYKJubmyAtbt+5x7Onz9jP7pNpb+Lypcsk02k+/uUv2VzbY2dnh1ypSNGt8OOPPiYajfLO1SscO36cvv4e3n33HT751V3u37/D41FjdGRze6QbUnzrm18zfPFv84JNWTtSapqaGvjWt/+AO3fucPuzuzx+9JR8fp+ujha+8fWvkWlqoFQsIVAG2Q7Xr5qXKKHA0mEuf35pnlcvX7K2uo7jKMZGn2FbMS6cO+VTun5Fj1yaatdIwuJ73/8OP//FL3kx/gQPjWVZxoKPR5Da5frliwhX8/z5c/79n/4ZWmu2tja4ePEMVy5d9POydTUXofiGhZKUiyUmp6a4e+8uTrmIFKZqOplKEI/HcVyHfL7Iyso6M3PzLC6voKXg5cQr1jZWsSyLSsUln8vT1dvO0/Fxnr54Tr5YJBqPmP5kP0dsCYHlV2Zrpf38pgtKE4vYNDU1oLXJ8IJi4vVr7t65AygqlRI/+/mvicfjaDzyeUOsUyhXePjgIbMLi1Rch7nFBf6///4vqDgVNjfXiUQiOBXF9PQcn332KYVinnxec/fuXcbGnpDNZenq7uDS5Ys+2IyZH5P793t48cfp52QDroVK2SOXzbO9bfaJQr6I68MXSsuiOdPErVs3AZicnGB9fRUhDUUyGEOlf6CfD7/zTX7yk5/wk7/9OZFIhL29HdKpNJcvXzbvq5TYkQinzxyj4uZ5+uQZH3/8c8rlIufOnWNoqNf3xg3IyaMHD1ldXsFzHF6+eEFDOs7FCxdIpGI0NqW5fPkcrmsAcn74wx1cv2Xs5MlT9PX1hKvERE1Mgd6VK5eJRWxmpmeMZ+5V01RBdfXGxg4//Mu/IWrbrK9ucOHCaS5fOc/G+hYf/fQjypUiQmiePRklYgluXL9WTZ8ByhNMTk7x+NGYWXe5HK7n8ejhKDMzcwwM9nL16lWKhRKPHj1icXmVvb09tNasLK/w0U9+QVtbG6fPHufK1Yt4rmJufp6f/O3PUcqACJ04cYKh4WEidqRqjPuFwAhNPBEjkbSIRDWaMsgKV66eRVNiemqBv/yLH2HbgpMnT+G6msnJCaJRyZUrl0G4SGkM4pGRkZqCOt87l5ITJ4YpFs34f/zjvwGgWHDo6OjgzJlT/jbuhe+GZeF3vCi/FiR4p49y5YeJ0FrrJ2P3jBeOREiBJXzPwg9F9vR0kWnJsL+XY35+PmwpktKmtaWVns4WU40rBJVymbXVTbZ3dtBexOSRm6N0d3ebNh3/zNURfLkiX17eZHNrk4ZU0kCbJuN1R/gvF5rp6Wmy++XQGk8mEpw8OXSgqnt3L8fc3ByuYyxqy3bp6Oigo6ODfKHA7MwMruthSdO3rrRHMplgaHgQ5Xmsr2+yvb0DGGu0KZ2iu6ebZNLwkWsBO9vbrKxsGssSibQkUptip8bGNN3dXdgRi4WFBYpZ46kry3iGwfwO9vbQ3NyMsKGQLzAzvYTreTUtGIp4Is6xoX7TJvU2vRlUv2mFUppy2WVhYYF8wfGfoyaZTDEw2EckYuM4Lmtrq2ysb9PSkqGvrws7EqFQKrO+vs7W5h6tra2kUzG2t7bI513/UWra29vp6mgx9xuM50sUelXfmmc0PT1LLpvFVYpkKsnI8KCfsjDPeXszy+LiomlvEwIPTVdnJ50dbUjLJqw8fEORV6/juS6bO1ssL6+gPElDQ5qu7nZisRhr69usr6+TaW6kuamJ7d199vb2DNCKFAjhp4uQROwI3b0mxL65to3resQTUYaHhkjEIiwtLbO1s29Y71ozPgSlw+DAQAhVWip7vHr5EqU1fX19aByWlpZQnu17lNpPCZn3MhGPMzg4yNLSssmZ+80ntjQKRqGxIzbtLRki0SirKyuhZyikCFn7Ghsb6enuRinF8vIKuVzBPL+uVnL5HGurGziOy0B/hw/oZDzaQrHC/Pw8+XwJIQTt7a10d3dh2cYgk9LCc13W1jbY3NwMN2HPM8+3q6uVrq4u8kWHiVcT2AG3g2V6rQcGe6s9z0rhadja3mbRh5qNxSN0d3WRaWk2j1lDqVhiYWElrI+xLYtMawPdXd3YUdOd4bmStXUDHx1U/MdiMTo7Okx3hVDs7uyyurbhGxu9pFMpLCnY2dlmeWUTgJHjBhL541/d5e7duzQ0pbl27RqJaAylNd3dHbS2mjUx8fo1Sln+vurQ0tpKf1/vga4dz4OtrW1Wllf9cZl5sqR5Xo2NSXp7e6lUXFZWVskVimGRopAmrJ1KJmnvaKKpqYnNzV3W1tZMtMYvsOvq6qalpcF0L+wXWFpewnU8+nr7aGxOYFkWe3v7LC0tU6m4HBs+RioVZ2t7i/W1bf8ZKgYGBtjby7K7s0u6MUVvTy+vXrxCa03/QC+tLaZdznFdxsdfYUlJR08nzU1NZPdNR4AhadRYVpzW1hY6OjP+8zZ1TavLm+zt7ZFpaaIh3cDq8hpSSjq72mnOtPz+euRfxn7mujt+rtMP+0kDeGD5PcGWbfnKQ+N6HsJX+EHIPAgTo7XfklRtiakNuVhWgMRTl9uo3+jrFLvrW8FCUz1HLeZyYAz4oc9qrYj5XqSuYMkL27n8kKLQB0JwQbgWTIhL+BeyLcu3xD0/72+F1com3FQd56HtXEohpOnPru3n9N6o4hfhuCxpUJRMmN7nTg/axoJwuBZvYo4fJjVYzOYe/Y8xxWnSssJweBAylzXoWRITRlSeWRM6VGjVewOwg4ItiZ+vtg5GC96IHATREs/f2DyU56GEWVuSoJWqGiIOwDg81w3nwbKDdWGDUuiaYksprapDXsMm57kewu+OCMbtoVGeKXiqbUusnfOgYlha1TSF8jxTca4MuE4wz672W4aEea+kNuAeZvJN2Dao37BsOzyXkNI/XobrIRiDbdvhPAUAPeZ0Ah2sQ39Ne+rNdVN7LxbiQCtbbYolWAO1hrDnv/fK81Bah2A9llVNcQF4nmOuQ7DWg9CrMu+LAtfz0DXvSSQSqa5haYNXfRdNwWPNuH0KYu3jAeCH04N0ifBTSJZlm6IzL6jZ8Q683xKrCkWqFJ5/nLRENZ3mvw/K84hEIkxOTvLw4RjTU1Mk081cvnKFK1fPmFoJKxLul5VKBWHZYcqpNq0Wyhv7pllH1a4T7aclBI7jhjUtwdi09qp7QU26L3hGIP31ZiKhnuOFf5eWRNoGB95zVfje25YVvl9BS6xlmbGHaVN/fMp1wrB5kOYx75Zr7kMYfeH5qSevpobItiysmlY4z+8aCd4lKWU4L9KSxlAP97ffsxz5FyhyGwhzzgamUOGhTLWqlmGIKRDbtglpSWvJDvzNWYIJ5QIH4PP86k2Jj7VeY5G+oXhqcrqAn1eUNXSmigP0pzXnMjljy8/5BwZG3Xz4uSXpb5r1doSImJBTENKR2h9ncH9hWMzHtD6kWk/6eb1wfFpj+jqMBW0OMt6WzVsUWw25TDAHoXFUsxmIgM/9K0Q3ghYly7ZDRz0krajZUM1G62M84ytCzzO5aKlBSBRedYOv3ZxC7Gztz1Uw0EOeu36zayFACAzIFoSfSgnOK6VE+gBEMharOac/d/76CWlwhTE6/adn7iXIm/rkHeY5mWclhDC50RoM8FpUrEMxu7VJA6B1OBdKmfkSBCAZZvMN5zuoDZCSWCwerregTiDY9ENcklrDVRllaAzImhy2EKaIr/aR2wH2ugLLorYwNDixVXs/9euo7n0Mc+d1udD62orqvlIzv0ISkICAMY4JUPtqr6c1ASlKsM9LWTfn4dgCA8FXvMH9htNsrl/tuZbh2lBKYZleq/A+LbuGZEhX1xxUnZbdvT1isRgnT51CYWBhbdsO982g4DIai6GFxAZTZX/Y+yl8YKUw/RfMq6g6Pr7ii0Tr8s9vKyL2xYy3dh/WYY67+pHvkNk29Wc6eGyd4xYivdV12QR7pW+san+9RaLGMYyICAG5TXgPwdwH5w72Sq0PFN6G+7/5xZ+m36yo9ndRbICVtS0saRmHTWs8/4HZ/gJJJk0rQT4fVLAGFr9FKpUkmYz4D8LC81zyuSLlcjncMOwopJIpYxUK8ZVCI67rkstlcR0PB2G8I30Q+CGdjvlFNDUPUkry+3mKhQKRhCFVqX/MWoPytOk3V5rmxiTReNx4GEqxt5vzPW4Zbn4GvtQAZxQK5YMFfjWKV0hBKh4zrFFS4JTL5IsVKhWHdDJOPBE3VmWw4QqACMVCgWKpYiIefmg9nUgSixmsaM/12N8rhH3IwseItqSkJZM+aDTVS6g0DXDL3o4JPyqhSKWSJifsuGRz2bAtxnVNK5OQAtdv55FChxZ+LBYjEo9QLBYRSuN5yn8XpalpsCwaGkw7Ti6Xp1wuE4vFDJStbQOC/b0dKhWHeDxJNBolly/iuE64boT0i+v8B9jS3EixVKJUNG1ACollWWQaokRiMQJeeIXZoLO72QMtabZtgDfMehGgXYrFErmCKWaT+C1OyZghrfGrhQNWtnDdW3Y1ZwcHWNpcz2NvL2eKlnwvKR6zSCWTWFbgOQdFgDXYCtoU6QkhIUif+IZFEFkQwgrZ7ZTQ7O/tUak4yKBSWwTvrU0qmSSajJnreW54mbzfVhaPx0mlElWDKzigXonXGC/FokOhUPDRDwWpdJJIxEYGhnsYMTH3kc+W/TbWoMPBYNcnYjZVDPC3bMIHaHrfUvMQAiYEud56RRnMm39veP57B/iGviVkGAkicBSC42rvv+66V65c4vKlK2G3hxV4j1ojAmfFP18VMEu8JWJW9+6G15TVnxozrjfmSdTMy+FdGm/3XIMI4pcdF4yr3uGqeT41yyi8xwDiNjjOB48Kf37Z9UID/WAEoKrAg++/3ZD5fREb4N/8N//GeALC5GhDMAWlSaWSvPPODSzL5he/+Dj4A1prkskGzp8/z9e/9o5v7QqyuSyf/fou4y/HUZ5ROP393bz//nv0Dw69OYI3wqxGdra3+enPfsby8jKeDwsqVXXBCyn49ne+ydmzZ7GEdWDDuX37Ns+ePmXw2CA/+JM/IRY5aIEKIdnZ3ebf/r//HVJafPgHH3D23DmklKwsr/CXf/FX5PK5sBpcC+jq6uZP/sH3UJ7i088+59XLlzUeiBUWMUWiUa5dvsStW7eIxiJsbW/zq08+Y2FhgXdv3eT6tWvEYr6l7W+ayvN4+vQpDx6Nks/nwtDf977zXc6dO4dlSTY2NvjzP/8RuVwOhPIrei06Ojr4V//yn9cYSYdY/GFo0iDR/em/+w9UnArReISbN9/h+vVrrKws86Mf/YhkMsXVq1fZ3t7i0aNH/tP2ITRF9X5PnTpNT183o6OjYa++JW08T2FL6Ovr42tfe5+Ojg7u3LnDs2fPOHX6FLfeuUWmpQXPcfj1rz9lYmKCc+cu0N/fzyeffmZyvgGmsn+f2u/Z/5f//J/x+vVrRkefAeBpAyv5T/7h9xgaOri2stl9fvbzXzE7MxN+1tnVzve+90d0tLUCpjtjdnaWv/3oY1zH8XONKW6+d4OrV6+aYkqqhmN1OjUBFKWoUbgACwsL/PKXt9nc2vR5ODSXL53jax98QCoRN88oiEjVRifq34eaZ1ldZ2btKuVRyBf48d/8mIWFBVB+KFyYqFd7po2b77zDhcsXDpx/Z2ubO3fu8Pr1a65evcr7H7x3aJj3DSYvf0yvXr3izp077GfzpNJpvvdH32W4bt7N5Qze96NHj7j/4AGeV8FT5ln+4E/+hFMjx8IK9gNrtn4v+KL1XLdnmIjLIYZIeA/Bpi9RSoeh71CB11/zLfuSOZ/CikRAmXdY1yhYHXzPxz1/4z7+LgxstaiY9WMM7q/WKAw92ZrjvijlVh18jRIWb56v/l6C3/Hn16eRfut16sdQe53fZE7C7wT3/NW/+rsqNsC/+pf/go9++hErS5ucPXuWd25eBqBQqvDg/n2U9jg1cpJS0eHjjz8mmUpx+dIlNrc2ePJkDK0FH7z/PnbUI92Y5sr1y3jC4+nYS7rau7h58zodHe2He+IHFkawWH1yg7KmXFJcvXae06dOY8ei7Gxv8+tf32Nneztso9F+KF0rwUcf/ZTXEzNkCxUcx3iPQVW0CdFKpmeW+Oijj9jfNW1ErtK4nmJ2fpWPPvopZe3y4Xe/Q0+X4Zl+PTXHgwcP+OXHn3D9xg2uXr2M1h5jTybo6+vjvVtXSSaTFAoFXr58ieMYruDFpS0+//wB8/OLVCoODx89QSmLq1cukEobL1ppj7v3H/Po0RgtLY18+OE3iETi/PznP+NXn93B1QZc4eGjh+SLJf7o+z8g02J6cCdeznP/wX3+u3/7p/yjf/SPaG5MmpdXBS92bcjYbKTt7e187/t/xM9+9nPj2aoIAgvPwyCPeYpELMLlixdwXMH9B/fp7mzl+vUbtHdkKJfLPH3yAqU8+vu6iUUs7t19ytbWJpcvn+PkyZMszK/w/PlzfvXJbd59911cJSlVFKWyh9JWiB3vuJKyI3A8l9b2dr77re/wwx/+kP1inhs3b3Lm1DC2bVMoVfirv/4rAK5fvw4yzueff04yGecHP/hjurs6wk3Ic11K5Qo/+dufsrGxwZUrlzh58jRzc3PcvvOAn/7sEz78+ru0tGR4Pj7BZ599Sqa5hevXbyCE5smTMT7/7CGVsuD65bNE4wlQXl1UR/ntycrfRCQIeDH+mvv371FxSvzhH36HTGs79+7dY/L1LGibDz64QSqd9h2J6kYZqphAAQjfKC6U+NGPfsR3vvk12js6q+MQQYrA5sqVa1TKitHRUVpbW7h85QoLc5PGW1Hegc3S034PeMnF8QiJjsIURpCS8hvttTAKUvrMZiMjxymVCty7P4breChV5WiAqmentOTzz+8wOvqE7q4ebt66ghSCv/6bj/n449uUC3muXLvmv/vBAiU02CR1yiJIrQQpPYvq+0ygi32FrDR+j5hB5gumWki0joCGiYkJdnZ3OXV6iObmDBLroLL8Mp0iTJrJhN7rbI9g7AeUd81JD1VYX+wxm6/WNqbXGYC1f69VjOH91xs39ddTbx5Xr3ABn46RAxOktf/7IayW9RGUN8b9FZX324pW31rM+vsnNkBPTzcRP1+cSCTo9tGgHM8UPTQ2JUkmEgYZSAhsy6Kru5vBoQGePBnj2dOn2JbFlatnSCSTpBsaSCWTBL2yTc3NxOJ1leaHhe+qSUCCVh0pBA3pBrq6u4jGYtiWFfZomtOYRZjN5rj92ec+S1uhSlRQJ9NTU3z2+UM2NzcN1WMNHGaxUGRzc5Om5hQtrS00NTUxMzPL3NwclUqFre1tlOfRnGkilTQ96YlEgo6ODpqbm034vKEBC8Hy8jKPHj9lb2+PK5ev0NLayuvXE4y/HCdiw7lz57BjER49esSzJxO0t7dz/sJpBgcHqVQ8otEoaxtbZHNZPOWxvb0NQGtrK+0dTUxPT7O4uEilYriNAyQpPM8UCdWLMMrGtm1aWlqJRiMUCxUqlQqzc3PcuXOHWCzGlctXDB2kz1onhOmPb29vp6uz1ayRWBrHdWhqaja88Ik4SmnS6QY6O7vI5cq4nsfu3p7fD2oiOEtLy4w9GePa9cukUylCsCBM9XC0JWoKWqSkIZ2mq6sT247geJrvfue7tLW1kUwlyTRnwvxxS0tLFSHLx6G2IxGuXr1KxXHo7OykuSnD3t4eruOyu7tLuVzG8xTZXNZUx2baaG9vQ1qmV39/f5+93d0DXvgXilZMTU2HEYwrV66Y/vB4knQ6TbFYYH9/v9pz72NmBx6KCD2L6ga7sbbKx7/+nIWFBZMeCLwZZaJckWiUmzdvEolGmXw9i9YGBWtwcIDe7jZSqfQbHk9jYyPXrl1jZOQUba1tYf6zWiB1EB8BasemSaXThtEvEqFUKlFbWGWKEQWVUon7D0d58uQpPT09XLp8maHBHoN5YFtsbm6SzWYPjk3pqrEdKPdapeIzelWLu1T4+cHz1Hi7tQrJT01UKhUmX0/y4MFDWltacZy+6vUOpVd+iyjvoIf8+1Z0dST/yYnBWpemQtO01ZhePuUpnj9/wfDwEI1NqfALpv9Qk4hH6eruYHW1jWdPXzI9PcvZcydIpuRblegBOWA51uU+MO0Uly6f5XhukMHBfmwf19yuBS7xi8Y2t/YYezLGk2cvOHXqFKur66b9IkR0MghZr6fmuX/vIYXcPteuXOLx6HM8TB+q1iIE60DbuBWYfD3N6NgoS0tLZlT+9YKWDqhWs2azOTa3NknE43R3dvHk6VMWFxeJxWIMHx9icGCAvb095mbnWFpaYXj4ODEtmZ5aYGNjg2PHjtHb200sHsEScOXSeY4N9TPQ38X2fp4At1oIzeTreR4/fsrcvAkbu9pFWzr0PN6QOgYyKYPKew/Pq7C5uc3c7DztHa30D/TT2NRMuVQk4Az2tOEgrlQUa6trSOHRP9BvCp60ac+T0sCxBpCsoib3KoQpyNrdyfLi+WssW3L50mWTA9cenjZ5cOVvuq72lZxlkS3kmHg1yfnz50nGfXYmfx2iNPaBgiuzjqLRKCMnT4afeo4Zg9ASPAFCE41FGOrvQ37tA5qammhsSJArOrjKIHuhHZNzlvpLQ3cKyfLqGksrywwMDjA82EcqGUMLj5Mjg6RiNk3NTcQjMVAw9vRFlUcaiCfiXL50mYhtlNLy0goP7t9n/MUUtm3z6PFzpmeW0Nqjta2Ns2dGiEWiDA8NHiS5kMYQyXS1hyNDa7LZIi9fvqTsuD7JjUVD2qdv1Roho5SKJebn51hZXTVdFUKQTDcyPDxEc1Py4OvpS4DRvriwyvLKComYxcDAAK8nptjZ3uXc+TP0D3QjLYGl4PrVs+QLBQb6B0Ar8nnHGD/apxWVhpL09OkzoDWOW2Zqaort7T3a2lo5OXKMQiHPy1ezuI5Db08H3T3d7OzuMTHxGtepDlAIQXuHIXZKJKMUCnmmZ5Z58OAhCwsrFEou1uPnpFKzRITL8LFjtLW1Velyv0ikOGB0HcmR/H1LuGqDlpz9/X0mXk1QLpe5d+8eTc1NNGcaDrRSBe0I9TzKKrTMa/N6f7fwR0NjI1evXfcvWMVEX1papuI49PX1kWlpMQxSL6d49vQZfX19vHPrHe7fexji8/qDMaHV27fJ5wtcunSRkZGTPH3+yhRxySpYR+AlVioV5ubnyWZzdHd1s7q2+gZuuBCCXC7HzMwMrucxPzfP8PAQPd09fJEE17D9tphaj0hKi2jc4tKli+ZgaZF9/vLA98fHx8nlcnR0dLC2tmZa1A7ksL58fk1lv2Z7Z4d8oUAimaS3p5d4TeRECMPwVi6XWZhfYG1libnZOTo7Wugf6A/PE8j6+joTE69ZXloznNztLSRTyQPtRbu7Ozx69IiIHQkBQoT0jShdnd/NrU1e+wQ4T8aeMjIyQjwWQaIOrCld65HVFQ15rsvm5iZbW/usLC8Ti8Xo6+sjkUhg2zaDQ0MM+jneYrHA6uoqxWKR9naDZW99RS9N1BhP9TjZw8PHGB48BsJ4q9NTU3x2+zbRaJR0OkWxUGR3b49oJMqJE/2kkilyuZzBmvbbz7a3tymWSoB6o+LYsmSISFj/PPzB+Zz1G2zv7rO1uUmhWOadmzfp623FsiyKhQLz8/Pcf/CA3Z1d2ltbKZfLOJ6mVCpx4fwI6VQapB3WCwTG9OrqKqNjYywvLXH82AC9vb3hMVrpmvanGNeuX/PbADX7e7u8eDnFJ7/+hMH+bh/Lf98URMbi9Pf3Uy6XefHiBVNTM5w7d46TI8fIZnM8fPiAQr7AzRuX6e7pZnt7h88//5xKRdHZ0UEymWR3d5f4tI2UFn39XXieYndvl0KhYJ53wcDi7u/vE7MVnZ2d0Nb29rx8rdTnkI/kSP6exWc/sxEYr2l+fpGd7XVDTq/AVG5XQ6C1Uruh1vcvGlHIej7qw16UsBqyrnhBBtWOFpVymZcTr7l79x5CCj781jfo7u7g3v37PLj/iHg8zvsfvI8lrRDq0nUM53G8tZmf/fRnrKzucfnyZU6fOm0Aa5RBKcvnS+TzxZAIRStBNptHCsHZs2dobGrhx3/74yrUZU0R0vbWNrdv3waMJzg8PFRzYxKlILdfZHs7S6lYRmnD2W1JO4RjrE6Nf/9B6C4ohqsp1Nnby1KpVDhz5gypZIqf/OQnSDQWQTuerIYmRa1y9wtSZLU1qlKpMD83j5CClkyGa9ev+cAf1fsTUrC9tc3de3f9qACGQ9kfUVDdX6m4vHo1yatXkxQLJQYGBrh+/RpdXZ08fzbup1kMdGQx7/DxLz41Hl1NxWlQQCal5NWrVyzMT5o+Vs/cSthDqn3mtSAy47cSlUtlKhWHhnQcKSWVUplX4y95/mycilMhnW7k/IWztLe0VA0eIXDKDsuLqzx+NEa+UOS9m9eMISUt/1nUPKTDiqCE6SQIIjtCRFCeIFcoGXhXPCLRKMVCgZ/89Bfs7mT5xje+wfCJYVZXV/nJ3/yMv/qrv+Vf/+f/nFQyzclTI1iW4L/7dz8kEonwrQ8/oNdHyzLFVUGxHWGHSe0c1i0q2jpa+OMffI/19W0+/fTXvHo1afLbvuztZXn8eIyF+RVuXL/O195/h5XVVe7ef8DExCu6u1pINzSatagUAgvlQTaX5cmTMRYXlxkZGeG9928eaEkzvb+mGwb/2SrlIbFZmF/iZz/9GM8T/NH3v09TUxO//vU9Pvv0U375y1/yr/7Vv0IIiwA9TXkQIOWhbcAGy0IDyo8ytLY28t77txgc6uPB/ft8/IvPiEYek07doruri6uXLlIpFrh37zGD/b188PWbtLe3V9trv6hQq16OFPiR/Cckb8SRLly4wHe+/XVKpRJ//hd/GWIKe26A3nV42Lwe/CQ4NuTWri8AqZXws3rFY373XJfR0VHu3LtPMpni+9//Y7q6ukEootEIkWiEXD7Hn/7pnwLglE0b2dz8HH/+53/O/+J//q+JRKPEYjGePXvOq4kXeK5LuWzwqG/fvk2hkKez23gT2VyWn/38ZzQ1JLh48RLSMiAHIYiLrvJw9/f3893vfAPXdXj+/DmWdXBKNzc3jbKVEsd1DwAs1PI+h/OlPCQBpvJBnvFyucyf/dmfYdt26PkEPdI6LHDz50+IN4t2ajzHALv9ypXLJJJJfvbTn/LDH/6Qf/AP/gFdPglN8Jy7e7r51offIhaP8OTJE4NuFrZEVXHD33vvPQAePngMgOs6uP66kVJy8uRJ+gcGePjgEWtra4i6tpGgGhzg3Xff5dqVc6yvr/Ozn/zMLwTzQkOkeh9+P7CnePr0KTMzM/yLf/5PQGuSyQTf+MbXee+9D3j58iU/+uuf8NOPPuKP//APGBgcMMWGyqAB/vqTT3Cw+NoHX+Ps6eGDKYq6fO0bRTtUDVmT8lE4lQo///nPmJycxHEqnDp1kks+LjjA7du3uX3vNlJIAx5Dtb/bzMVBdqvad8KgyxkqTMAHKQoiYPV9xtUK7NoceGC0AmGIPwRSkZKhwUF6+wYwPeNuWNQUjKlYLPDTjz7CcRyuXr3OOzffIZVMUSgWDsyJ9nvxledRcU0IPSKr47QsGbKDBd+p3WOCc9RHYQJCJvNIrAPvkdYq7CmvdUKqOfbqXBl8BPfNZ3skR/JbJKHWqVVSti1IJGJ8//t/RDKZNOhXovqyGKYdgetqHEehtYcdsWp4tLWvlPAZqeo9mPoWhkDZBx44hOhtwP3HT3k0+py2tjbeuXWL9rYMQnigBOdPnaG/b9BHGzLHf/bZPV69eklfTx/f/c53EZbg+z/4PpWSeWFdNLl8jr/8s79BSsHNmzc4f/48SysrmDy0RTqV5vr1y5w+fYqZ2YM58gNFPpbEtgWZTCs3bhoMZdcpY7jNoaU1wzvv3KCzs5MnY0958vRpjQeniMUiBgDNUyhHgScolCr84ue/YGVtncuXL6MsAdLyoV5t3v/6O5w9e5q5uWWUqEmB+0A1OlTCvudWiz0e2lXa6CqhkBGNjICHh+M5eNpFCYWSLlq4RIUgIqGtuYFb16+glUS7EiV9hCgff11YktOnT4OIMDo2yqe3b3Pr1i2Un/9W0qWzp41vffeb/PSnP2V9fTNcAsqrKi6lFFJIIpEIXd3d/MN/+k+IxGMoAcKve1DC/HOVh+tJ7t9/yKOHo2RaMihhUKSUsrCk4YYXPgqYq5SpORcSx9PMzMzwq09uE4uluHHlPAMD3XjKxVMuEcvHTMf0Gns+6UUI1hIUiwGWEIYsxnMpexWsqMXXv/l1pC0ZH39NxQUtJOZpeNy4+S4jJ4f9ezf33dHRQrWuQPptTRIPhetVQmQ0W0T86xq+gVrAplrUuur7ZfkesR1G2MAHSBEirFUQMqiX0Sjc0JaRUhOgngXPKB6P8/Wvv8fi4iJzswsIYfP+uzdM3YSPCqa1wHOVQVzzND/64Y/Z39/n0qXzxOMJPB/BUAah+OC5cgjaIaAx70FwTPi5dg32gpYITCto0A6qtGciSQdKKQxfufIMkZH2XCKRyIGCuiM5kt8mMexnvqUciOf3f8fjccaePKGtrYXBgYGQUQigkM/zcnyDyclJ+vv7jUWeToXeasDyBVXIUxko8MMUu/mfup9GcrkcuVyOtpYmmpuaTEGKUqAF8WSKWKrBeHJC4bkeiXgcIQSxaCzkr21pbUG7wjC2KRd7yw5z3g3pBuLxBEEldCya4MqVK4ycPEEsFgshLg1rmAkPBlzgyjOwhgHa1cz0NBHL9ovgFNFonObmZjo7Okgkk36Ew2ym8UScW7duYRFhaWmJZ8+iXLp0Ca1MLnlre9vkrxtSSGlhRyLcunWLkZETJJOpUPkFfM2B96UJUJMOL8gJDC2tFRE7wtDgEDffucnTJ095/PgxgotkMk1VqEXlhZgAlmUxO79IoVjg3PlTuK5b3TiBZDJJQ0MDnuuxu7vrQ4/KcA6jkShtrR18+OGHfPrpbVaWV0LFWPE5jqU0xwcsY7FYjE8++TXXr18h05IJz6X9UG+lUmF3b5fdvV0yLRlKxRK3b9+mUlGMjJykv783VHB2xOR5KxWH11Mz3L9/DyEE586do7WtjZfj4yyvzDMwMMils+eMspYGGnN8fJzpmWksadHW1sqpU6dpaWsDrTlx4gS7+wVTmT86SuLWLRqaMz4jXlU5RGMG7SqVTJJpbmZvb4+Hj0cRQtDwwQ0yzRnAeI+WH31wXYfHjx+zsrJGd1cXN27c9MPcJvIUwqvWPIcDz9vncg8Y34Lah0ql/EbO23M9KpUyu7t7vHo9SaVS4fLFc3R2dxumPs9FSgN7mmlpoae3lwf3HzI3O4stFTdv3OCD99/n888/Z3p6mkQiwYVzpxBCsLW56ddkHCORSIZwnpVKBcd1wuda6zkH0QNPVVkVbcsO16+quffwOzVOSSgBNaxfqKq1Zmt7m5evXlHI7XPmzFkGBwe/Wo78SI7kPzGxAe4/fMzefg4lXNY2V7h9/yFaGSrN6elpLp47Tzy2zeTUK6QFjlvh9etX5At5otEI16+d5/jxLqS0KZdKLM7Nsb66hiU8CvldZufmiMWiNDY1H947GOqbuhC7L5Z0iUV01ZMNjAG/elT4fo5S8PrVBFvbG1i2ZC+X5cmzZ9y4esFAXUYEeA57O3s8G3uCh6GKnJmdorEpTVtLhksXzjE9PU0+t8XEK6OwNza3aWpqYOTUKayozcLiCmvrm4BLNrfD49FnpFIpsoU8a2trdLV3kGnJGMY2DJCKDJiwbGk8aztKLBJlaHCISqXC6OgYUzPTlCplpJTs5fYZHu6jr6+LWCLJqZHjvHjxAqec5/XL11iWxcrKCqlEjCsXzpJKGshS5QNvHKiqlT4imIZcLs+LJy8oFcpIKZAWtGYyDPUP8nT0GavLq+wMDpLPFVmcniUiLHKFAk9fPGd2IY3reiwsLJBOp2jraGd2bolcbodYVGIJjdAetuUipYMUpstACk3Mtoha5phYVHJsqI/x581srq0itWR/N8vszIzBktYei3OzKNfBtk3Nw7NnLzh16jS7u3nmZqaxhEZ7iiejo0SjNlvra8RsC1uCZUex7RgzM5PkcnnW1pbZ3NykIR3j1MgxGpqacTzF5tYmS0tLNLe0sLmzzvbeNjOzM2xtbhGJNXDyNCStKFI5OG6ZleV1nj19iSUlQ8PDDB8bBoMjR2tHGxcunkVrh6WlNR48GKOhoYm15Q3wXCwBqUSMi+fO8aBYYnZujnKlyM7uLrOz05w/f95QigoBKBqbGrh29TxPnz7h+dMJNrc2kRKOHxsxMQmBYT1bWGB1eR5bagq5fSZejnPu/CkampvD92RvN8f09Aybm5vs7++itcfq2gr3H47RksmQaWnhxIkT5AsFVlaXuP8wQnZ/n42NDXp6eg15kJKsr60xN7dIubSPJQUSl76eduY6MswvTLO4vMA1rjI43E3FucCjR6OMjz8jn99HSotiucDIyeP09fXRkG7g2tUzjI6O8WxsnEQywdbaMt1tGS6cO40tNVbM5sTxQbLZLFtb69y7+wilPPp621m1XJYWV5nvWgopbBEuQnqgJZYVRQgTXRSWBGkhLY/BoT7W19cp5HZ59vQ5+/v7dLZniEaififE3wGw5UiO5O9ZbDDVxr29vfT2GtL2rc2t0Jvu6Ogg09KCU6kghOTChYuhpdvR0cnAwABnzx4zZ9OgtKlybmxs5Pz5CwghcB0Hx/0CWNYveXHa29s5dfo0LRnj4YS5rNq8u5TgKfb2dmltbaW5OYMW0rBWBef3e3edSoVCociZM2fQWhOxTGXvwMAA7777LpZl4bgum5uGpjESiXD58mUuXrqI53osl5dpbGw03rPWFItFcvkcSElTUxNd3V2kU2lTaR2Pk06n0VrT3dXF2bNnaG9vJxo14VHleYyMnEQIyfT0NIViEYD+gX5D1Tg4iLAiJJNJhBAUi0VKpVI4rosXL/LB+7f8MK/2yRYOGkJBNbxyDT1joVhgaHAIO2bafQAaGxs4c+Y08XiChoYGstksqXSaixcu4CnzTEulon9sI729vT4sq6a3p5dIxCaTaUFKSbqhgVN++1dDQwPd3V24zjm6etpDshBpSfr7+7Eti+7uHrRWFIpFRkZG/DFrdnd3wvzniRMnSKXSrKwsE41GOH/eoJblcnlA0djYSEumjZbWVqKRKFevXSUeTxq2ti3Tg3/+/AWuXb9GQ7qBcrlMV2enOY8UPuSuQ1dnF91d3fR094QeMUJgSYvunh4uXbyEEIK2tjbi8SrOu5SWwWOI2CSTk+SyWTY2NmhqaiLT0kxXZyeZTIaOjg5cx2Nnd5ft7R2EFAYd8etfJxKp9kW3trXx9a9/DYBy2aGttY2h4UHOnj1LFQpVUSqVSKVSnDt/DoBCsYDjur5CApSH47hsb29RLBp2s+CZ7+3tYUlJb28vZ86cQUrDxre7swvAsePHOXv2LG0+y1ipVCISiTA8NEQ8kSCVSqG0pqOjk5GREdJpH1JYSE6eOgVIpqam/GcEx4aPce36Nbq7upDS4v33P8D1PEqlEuVymYaGBk6dPMWVqxfDtXvmzFmkFWdycpKNjQ0aGxu5ePECbW2tbGxsUCwUaW1t4fRpQ1iSTqeRlkVLS4Zz587R2dlFLBZDo4lEIhw7dgxLRnn58hXlcpnW1lbOnT1Fd09PdR85pN7nSI7kP2URWmuN2vd/q1F4tb8H//+2tosvCkfVvxz1BSW+B/KFUovgc1ho/rDraY3JbaqaiL0gYMUyxTZBwU+1orY6rJqQY0hKoqsGhJR+zlmhZbUwzAzh4FzUYnEfMEBq76feKKkpqFI6yMtWiVxqYUNDJCzrLc8hLHqvm5cgJB/ct8bPs3vVqu5acpr69RGSPIiDayAE7Kg3KlTdWqnDeH7bHH3R2tMGUvhgB4XkYPV2FUgkMAxq5y/Egq5dV4Fndtg16+Tg8jxYmGXOH8yTP68hmY8/rwEYCqIKFKNqno+um1vBm8Wj9evpwHsl3zy+9p6EePNc9ccFxyif/KgmXRBcpfq4gvmXNaerr66vKXCrxfp+2zMI7/8t7//bUnZao6VhjdO6mtaqFtMZbPuv+qyP5Ej+3uQL2M8OVnbUbqD1L0Xwt+AfvLmx1x4XSHBMwB71d31JgjHVbu61Y6zfhMLj5MFjwkI1dUBx65ocWj22tjlAvbm5wxtV1GFBYA3rVjimMCVQF1Gov7+6ewmUuFJe3SZUU0hYi+v8tn9veOo1bYVac6DqPZg7VUMgUf/sg1BkIEFIX8jqvNSH+es35PrN8zBlUrvO6r2lQ4yo6jwdrNIPyVjeYP+qGdthhlb9Wjhkw6+eW7zxmTm2RkkF0Kk1ayW8v5DCs2aMtXNVw9x24PPadVQ7ttp1W6+4g3fSV9AH5qH2uNr1C9QXhBkmtGrVffBe1eIjBPNRjy8h6t/P+mcQjO1txnv9Ggmkfj5qxl37jNTb1veRHMlvkRwOY/Q2i/ewkPbbjg8+Dzb7+s3ngHxJpaius8xrv187jnpvP+hD13XsVf44QvQxbc4jasYYcCibdL3xgpTSyANkCDr0kA7aLgFNoqlcD3KaJk2uwk00oD/VnjpQeRyK7/0Iqwa+8q1zpM1gDzWW6je5Ok80fJ6e8QLDPT0Iz+qqdx3QJoZz5R18HkHvNbWGm6bWq6+21fltP2H//CHPuVbJhBGAg96iqP//+ueo645TLoYes8bYODA/bzFcaukihX/vWvu0lYQ0qeEEah+TPZjHIOIR1Hr45xMB29YbpBIBtroG5VULRuvHKAlOXv2b1phQgWX+dph3W3uPbzOqap+XqD+//72gfSswgsNWTWWIZ8J9wLC6qdr1LnXV0DtsX/Dfzdr35g2jr/b/6w0PIRA+dsObhfABhv4Re9aR/HbL4Yr8bVbp2xT3F4X5vkjxflWp8wgO/b4Q1RBZdWB1x9d97zBs5i8QeZgiOUTe8PTqxxmcI3Sm32LICNOao+qu9+UK/St8Vvu3WsWp1MFnpn0FEYLUHK5MDw6wBtjGv4/Dr+177/WbcO1zqfVSv+wZHbYua8dTO76A8ERI3lgXb5vDN57rb7qOA+PmkL9pffDzmvURPI8DSrzWeD0sNXXYO3fYu/dF76r/+Rvrvv49r/1OLfZBffSFYMiHR8m+UA57T+vvsf74L/Xi6wCojuRIfkvlKwALfwV520sTIDEJyRsKLLTC/Vzzf5T4b6Lldxn75xMBH6s4uNGFl5M2Gt/L/irnf5PZ/MB1dL2+CO2HwIM/eB2hDv+8XmT9dX/TjScYl659BrXPTPodAIHirYlgHHiudR488AYzU6285bHKkOzCqnpc9UribYbCVzIE6z3jukLLA4aKF/J9v8m3LOo+fttzqv+83jCr+bvyqo3/YUi9di5rvxZ8Xg/yUh8Gf5sBo6uX/zKwky9UpnXzWf95LV/0gfoOXT3uDePwq5z/Nyg6+6LweP36r41YBFG5IzmS32L5aqH1Wm8N3kS3UjUbfPB3FYQP35IbP5CP/RJF/jYvom58Gj+UGiJZHP6ChsAj1CmLw0KP4d/9UOgBD5a3e1j1432bx/NVvJEv81oObJLqzY3/sPEc8O44eF+Hnb92rPXhy/qIwmHKuH5ua+/nsPPXfvabRHBqn0etV18fsqfumNpThCHqUAN88TW/6vjC8PxBaN4DkYkD0Qdx+PP8TeYkUFT17+tboxc1c/S264RrrX5MHIyg1H5ee403rvXVbuUL5YuMvfC6X/K9IzmS31Kx4TCH+OAHoj5Hres2hjDX6H8hLPAKclw1f3wjDM/B/wdjQWsNyuRitfThYb3ggBqlFYxBGwVt+qWDzdrP1wbV3EEo1Tc8ZOhRcMCiDw33cAPyB6X9g2t/1jhEVQekPmRXqaly9zdrpX0vuOZ6CvOZcv1cc81DCDb2ICzs5yCN2NWiNOn3Irs1yuIwRXtAobm+sggiJzXzFc5vjdKuDb9/kfKv/3v9s9ccrIp/a0i7xlg4oIQOeoTaT0QHuX+FKXAT9eOv2+Sr9RD1hkRN1XetSAiqssWB+wlSO/78WD6/dziR/jNRHFSk4fOpMzREjTI/MCfB4V+i0AMkv/rnf2j07BDjJjz3IUWBtQOpQQw8+HyDz7/AEA/m679PqZ+TI97qI/mdkGrFer189dD6YRZ78HltnlMroGYTr/dGD9tU6t+zr0IRGHqSKqyQVspFSAlBJDXA5lauf51AwdadX9Sc0xyACPOotV5ScFygVAKM5hpkNYJNnprip+CaVlWJa2UMHVFtKzMVxjXfCUK+OrjfGgPGw0QcgrkXfq5U+dbFF3nltV6frFkctRv0AU/wkFqCL4sk1B9/mOceVsV/8ane7qEHESJzgnC+/VRFiMF9WETjgCF6yN++4O9a13Y7+EV0tVXp5uK8tVbiwLtzyM2Hn/8GXvcXKvQjr/NIjuR3WQz72Rvv+SGeyBduBr4SClvMaqq63xbmqpGgelvUeuZCgDLQscIJO1X9YQU/LaMMHFOIJVFm6EGVuq0xXpA/Bv98BDCW0v/dNeAsBFza0g8/Bhu2K815rUBxYBSQ5ysnx1fotmHnEuGE+t93/OMsz/coIzWeqAA3UAa6es3Aw9YabRvPTtZ6ylqbSIhS1er8ryoiCCUEOdqanHhw71BjuPjXkz77WGgp+S1Sb+jB2nYj06NvSDo88xm1rWHVCMnbx/sWIyLE6K8LgYch9aDqOzAoazzEMOT7tuvXGlFvy4GrNw6HYD78NS3kwS6Aw+6r/rzhOxMYw8HzqL1IrTEtqgbrkRzJkfzeiQ2Qy2UP/6u/QUajNtFoFE8pisUCAVaztCS2ZRPzOaw916VSKeO5pj9ZyCrwhpSSaDSGHYkc9HjgUI/MrVQgV8BxnTDVreo8LjuRIpJMguNSLOTR2vU9MJtEMo5Mx8L7KOzvIxxDbyp9r9ezzMZneTaxRBwaGvwLGSWqPUXFqUC2jGXZWE0pQ77huZTLZXS+bO5Te9h2BJlKISN21Uv2Ma69fNH0Nif8uQo2auVRyBeQZX/cQlHfwx6Px9HptAnh+orczecN5Gyiyh3+G4kfqVCexvMqaBeiiaTRPZ4XeuJepWLu09IoT2FZEaLRKHYkiECY9rhcoXDg9AGefDQaDYlFSqUSlYpBpNNaY0lJLBbDsu03i/neGK8ybXFa41QqlCtl/w81yrJGUsk02vMoOeUQ899zXWzb4LZblrme43iUy2VjANZfUmtisRgRO/JGdMPzzPcQilgsbqBVfcxw13MNMYvykNIiEY8TsWNvnL9cKpm1LSXJZOrA35xymXK5jFKOTz5y0JCVUhKPJ6opJKVwyw4Vp2Q+/7JQ+pGHfiRH8jslBmv90TPK5TKeZ2AMbRtfoRhUsZFjg/T19bG9u8ezZ88olzTK80imYvT19XFi5BhKeeTyZaZnpllf20Z5HnYEbDuCUh6xWIyBgQG6u7uJ2BZhtbMwfZ5G/A2r4qK397D+r/93omvriMZWsGyIRMBT6M0142396/8JemgQ/XCU2P2HQNR4lLkcnDgO//JPIBFH7+2x8xd/SdfD5xCxER3taKWJlAtQKkHcQp09i/zX/5m/Mfre2vNpIuMv0b/6BNHWCv/VfwnJJHpijsjLV3D3McRi4JShIY348AP04CCitwsAvbMP6+vIf/tDxMYG4jsfoM+dRYwMmb+v7LH9+ed0f/wJuA4i0QDRKCQSADiVPPr8ecQ/+h4iHodyGUol5L/7Ibq5CfUvvm8U5VfZlw+Ecc08FgsVFhcXATh1+rQfCTG1AIVCkeWlNWZn54hELbRSWFaUvr4+Boa6sSwLpQ0f++T0PIVC3nd8BZ4LqXSaY8cGaG1twXFc5ubmWV7eQCtFQG5zYmSI7p4eorZ1sGXpsIJArQHJ5OQ0szPL2LZNNCbDVeO6Dp4WZDIZrl+9yH4ux8uJaXK5HLY0tRPxeJLTp07T1JzCU4q5uXmmpqawRQTLtpBCI6TEqXg4rkNnRxunTp8mlYr5aGZRPNdlcWnZnxfJyMhJOtpacT2PuYU1FhcXwyhEpVJiaGiQ/oEe4vE4gSIulxxevppkfW2TTHMzF86fNeQqvn20vLzKzPQ05bKJGMVigSHgG7ARi5s3bxKNSZTn4biSlZU1VlaWuXTpIslE9M1nfyRHciS/s2IDOI7D69ev2dnZo7Ozk2PHBwBwHcXc3BzNjUn6+voMTnc+z/iLKbTWDB3rp6enGzD5SIBSscTszAwbGxt0dLYwMDBIsVhga2ub7Z0dbNump7vrSweWzWbRdx8wNTVD57mL9A8PobUml82ye/sOuVyB9IffoEd5eJ/e5tGjx1y+dJ1YLMbU8+ekZmfZPdnLuXdvAfD5559z7FcPOHF8mERLBq01dqXC2J17bLtFvhnwiPvRgnK5TOTZcz79xS9I/Oo2J04cI1EuExcC/WKcT3/5S/oWNxg6c5ri5jYrT5+xYStuffgt6Os2IBlrazy5e5fmn/6c7e1tdnSBPwCcnnaiqRQoheO6ZF+8ZH5hiWhvLyPnz6J8L3Z8/CUXU2nDAhaNQrnMk88/p/C3P+HmzRtmvLVVwV9FtEZpD6dSYXpmmhcvXpBpzhhF7kul4rC6usrjx6Ps7O4yONCH63msr82zs7NNJKrp6+9nZ3uHFy9eMDE5S2NjI62tzWit2dzYZWZ2lmIxy8WLF9jZ2eXx48eUii5tbW2AYmpqimxuByEE/X29XzzmmgK1xcVFHj0aJZ1Oc+HiGaQQuMpjfmGB5dU1hoeGuXTxLK8mJnj+/BWxWIyujjZ2dnZZW3uJ63pcvHiGaDTKyuoqDx8+pKWplYGBAZKpOE6xyNLSKssry4yMHGdgcJBUOo7ERJzW1tYYHR1lcnKSxsY0Pd090NrCxsYGz58/Y3Nzi67OTuxIhKmpSba3t9C4DA8PE43G8VyXyclJnoyNsbKyTmNjI1JoLl++jJRVzIDNrS1evXoNwIXz50k3GIa/nZ0dtrc3uXLlCpZtFPny0gajY6Ps7+8aLPZ6RX4kR3Ikv9NiA3z3O99kbXWR3a1t+nu7+faH30BrTalYZqwpRVNTI9ISdHR0cvOdd5ieMl7csWNDjJw8EeY+m5obOHXqBGur22xv79HV3c03vvF11ja3+OUvf8nride0t7Ub5e97WCZcHGBOV/uYXQVNnkvS8Sj+4FuIb38b2dMGc3P03b/L9uYeslzGXVvjqVA0f+M9+N/9F1iNjRz/n/1vmP7kNvv/oRU9cBzScaTnUbQF6fOnkf+n/4MJnb+aZmt5nt4nL6FgSDMA9OwKkadP0f/P/5pjr2awhaZxfx/hSnTeYW1/G9GYJPu/+h8j/+APSPz0U/b+6/+G9F/+BC2iiEunUFvb8N/+OwbuPeD1YDsN549xaew1emUXK5VCnz6FGOpluO8f4v3i18SX18hdOI78z/8F1uWzYNm0/tmP2E830DS1gNrchPFXNP5//j1iYxuGh4yxIAEiX/iQtcTcr4ZSqczy8gbZbJbRx0/Z2NigJdNGyHyqDevd3t4eoLh44TwXr1xgb2+PX378KRNTk2Tamuju7WNjc5dXr6epVBwuXrjAqTMn2N3ZYWzsJWOjo7x48YLu7i6y2TwRO8axc8c4deo0ruuwurbCi+eTtLR009PViRXgih9W/KUgAG4xIWtBc3MzH374DZAW5bLHxx9/zNrqFiiBcly2NzZpzTRx/vwFjh8/xvj4S6am5nj27AUDA720t7cjsQBJc0uGG7du0t7eSi6f5/Zn91heXQMpjA8sLTzXZXN7hwePRnk5YbzldKONpy2wbLZ3zXyNnDzOxQvniMVi7OztMzk5SVNTE/19Q2jlsLi4yK9/fZtoNMrQ0P+vvTN7juy67/vn3Nv7vmJfZgDMcDYMOSQjUWQkkzSdlBOXS664HFdSSSXPecpT/hmV36I4D36wYlFlyYojS9RCcjjkkIOZAWaAAdBYe9/7dve9Jw93we1GAxgushOxv1XkoO9y9nt+y/ktizSbLd77xa8Ih6IsLc/hDwRYXJyj1+vw+NE2Pq+PV159idm5OfR+n8PDQz779AGgcHRYoFgssr65zdraI+ZnpzEM+7uyB26MMcb4XYfpfiZP8v6aLlxmYo5Sucz169eIRMwzPHd85MEEI3Yyj5OCT2Iqm5uKYseiVi44DzVfJhQK4lm6xHWfj0o2C17TrcqwszpZZQdu3+afrd4GVUHEYvaNk/Zaf69cWeFSswfTUwPGU04MbuvMWtM0vPc+5ic/+hHv1JpkUnFKxbJTnkjEmXr7LabeehORSTiGVIo75rpQePjwIemf/xKv18ur//pfIa5dw/iL75P7+S/Z/uV7fHtiAhZnLEt+sz2qLXn2dfJbz5i7cQNSKXj0mE/ef5/bDx7TbLbM/NPWfNmq8OeBoZvZsh48eICmadRqNXTDwNAHI7AFggFu3brF1avXzKMWv0qtVsOOza6opvGaacAmnbVQKBT45OOPebj2lEajQToTR1U93L79Ijeu38Dn96AoCqVyeWi6n1+lkEqlWVy8RDqdwu0toSoK0krhGggGeOvtt5AoeL1eZz2761FVlUg0yuLiJSanJp2sXdIwz+/tdSGszGhHR4fc/fATjg6PCFu54OEkStnKygqXFi9btgEeMwOZvRysca3VavzsH35GuVzi7bd/nxs3brCzs82P/uZdfvSjd/m3f/5vmJ2dAaEOricAadBsNlBVlTfffBNDSjY2NigUChyXqk5e7lPvjTHGGL/zMHW4UkEaprV5p93lcO+AXr/HBx/e57XXXiMRS2CZLqMgkUJBKpb3k21cK13/KQaSLq1mk8PDA8qFErLXJRELEw76sUzLrSacuJ9JK+ax8EkCU2m6/+2/omka4akJRDSK3Dok/nibkurDWJihNJshNZmGaBw0DfmLj0z/6VqLaCxBfnEOIiHERJLF//wf6XaaGMkEitaDfh95/zGLxQb7y4tcXVlGbuzifbBG7y/+kjcB8WffpXacR/nvf2VKZwJUj4pYnkE3DJQnB1Aqw+MnZJttcksLMDsDPZ1gs02k3iIYCtFcWCBy+RIi4EfTddLlMtSrOLHaDR1VwHSujLz/BPlkl+Df/T2FP/sjMpkU4tVVFi7PID55TOl73yPx4KmpIkdxGKTzICwjOYEkEgry+muvUKvV+U1PJ5fLOS7kto+2oggUr4rX60HTNAr5GoVCmb40iMRiBIMhpGFbvZsZxbq9LuuPtnj27ABQUBQvJn+g4PMreH1eOu0OzVaLYr6CrhskEkki4bBZv9vD4ZQZvGXdD1y5uszC4ixerxfbX7tardFoNghF/KQzCRQBwWCAfk+n1axTrXeoVKp4VEEyESPg9+DzKlxZmWNmOonPHyIc9qPrfWq1Go1mDX/ASzQaMVXXuSM+/ewB+XyeF65do29I1tbWTtpn6Ph9XrxeFU3TKBZbtFpN2m2NWCxBKGwbs5nfF5jn3qGQl0DQi4GHVqdHX+roSFQFdMwIcH3Zp1iuIRQfz7a3aLWavP37byINya3bN2i129z/+BGlfOE5PvcxxhjjdxEDfuRCCOesr9fvcXR0RLfbtQzAdNyinyPdCGGqeC2pw5R8TOmgUqnw4MEDeloXv9/PypUlZmcuOA+1G+b14pmbIygleD3IThv5+DG//sUvueX1EXn7DTIrK6akLiWtRoPKL39Fq91k8uCQ7OwMkdVVx6UsPj1pEgRFhUabg50don/zQ7w+D2+88Trixg3Y2+OHP/gBqwdHLHz7DZidw1Ms0VcFaF3KpTKZaAQCXqShw+4u9z74kJufriMNyfLyEmJ2BouCmYZfvR6VcoXI4TGy2UTX9RPfZieil4GUBoV8gdSvfgN+D48fPyZR+w4ZoUAoTDoURpbbqOrJlJ0bc90Ny4BM9XhQVZXshCmB2rnBRz5voVyusPboMZVKhXanzfT0NBMTE440DqDrfer1OoVimWQiwcx0mMeP1wfapygqpXKZrc1NSqU6zWaLpcvLpor7ohj2rjPyRDKFrTI2dINKpcK9e/cplcosLy9z+/aqPTgYhsH+/gGbz3apVqoEggEuLy0RCYcdiTwSjSKxVOeFAhsb65RKZVZWVrh58yaapvHo8SN2d3eZmpxuU3SDAAAg3UlEQVRkZmaa40LJrN8wqNVq9LoZvD4fQgjq9QZPnmxTKhap1+tMTEwwOzOL3++n0Wg5XgnNRoNypUKtVsMwBhPiGIbuPGcYOhvrG+RCOQqFY8LhsKlBUgxS6RShTodYLGZqHQw5oCkbY4wxvh5wqIK9MQdDIbLZSTRN4zhfxuOxA8BYqnGswCMDPrS2rtulkhQKgUCAdCaDTxUEgyGmpqZIplKcFfBFuIR0hDAtuAG5uY989Aj5V3/NpaNjHv6nP+cbb76JXMiY1uxSIkJejOsr0O4Q+vn76LUKtf19wrdugceKqqYroGkY7/6U5E9+yj/kcrzzzjtU//13SWazGH/9Yzpbu5SDAWbaLTy//g29ZzsEdQnVBvX3fkGaNxA3r6ICxnQW/wtLeMsN2qUSgaM8slRGCFNSDvR0eq0OwR/+GJm5C2uPSTY7FDAt46WlDkZ4AIVmIoSyMk8nEqJSPSYS9IFHQdruXopKz+czGSUBoi9NtfyFAVUsv3GXpOuknLQke4mCFLbPt+kLbhgGvqCXTCaDEAqVWotms02r2TTftQz8tU6Pra0dOp0GS0uXCYWi+AOqw9TZUdCCgRCJRAqkh00hqNVqtNttIGk26lQErhEBfOy1aBjUqm3ufnCfra1NZmZnuXNnlcmpLHYUPkVRCIdDZLNpDKPPweExtVoDTesRRQHZA6Gg9/uUymUeP37Czk6OTCbDSy+9yOzcJLlcjmq1TL+v0etr5HI7HOXLaJpGvy949uwZU9kEU5OTCMWHzxsgkYyhqLC7f0S73abeqNLrazhpPKXC7u4eHa1FrVazunXCxAzkShcKyVScWCxGX7dsOJzxUFzBDU+OxsYYY4yvF05J5Jl0mhdfehG9rxOOxohGo0OS48XnmbZUkEqnub26SigUPJG2pHEx4QFLA2ASMPnwIT//yd9x5eiYqW+8yvQfvIOIx0+kU0MnGAoy9+1/bm7M7/6U7Z+9x9NP7jP99tsnfuuGwbP1DZJ/8y7rGxu886d/injzTZIzM6Y72+wMf/In30WpdExJvlHD6/OafVZNxgSP6TMshECdn+fmwiJG34dn7RGPHj3mjevXBrrhUVVCwSCEwuDznmy2ip3uUXH0HJOTk4jXXyc4leWtdJr+0hLCsmQeyHNtRzJzbACe44zZFUnObVA2Kn2qnc8bIJlMkUxMcHh4wN7BMblcjkuLUywvLztt0DSNXC7H0tIC8/MLNBot5559ZiulQTKZJJlMUi5VefT4ETs7OywsLrK0ZHkxuKMAmi2xGz9g1wBQqVb41a/u8nBtjReuX+fOnTtMz07YHTDH3qMyOzfH9Ow8jx495pOPH/D06VNeuLJIJpt1mNNypcL9Tz5he3uf6ekpbt9+kdnZWYTSJx6PcevWKgsLi874BAJtFKEghOnn7/V6TbsF2ScajXItFkPTNJ5u5tjc3GR6Ks7VK1cspsZsv9fnIxgMmn76Q4ytY7MiBB6PypUrV5menmJmZoZ6vX7Kb3743THGGOPrBYeQS0Mi0VFUc/NVfCrXrl0z/WKNHul02iVx25uqwkBGrRFWsuZGbuASHc5ujROpSwVUnKxKP/47pn/6M47++TeZ/hd/APOTZsCtjk5re4fAP3xoEsk//A7C78c+9FUVFZdlHNS7dO49wPj7X/NyOon+X/4D3kgE8GAIBeWNb+B54xsO4yI/W6f7o79F/fUHkIow9Z1vQTiE8cP/DeUK4soyLF8GRaWNQLXV5VatbY9CMBSh8e/+hNC1axjVGqXDY8ceQekDsg+GxKtLuqoHvD7E4gxicQbvr+4ha12UW1fAoyL7PaK9Hl5dgC4QbQ10AwI+V6KaEWMsBE48fCd6nIEiTFc0Ka380VYAoG63T6lY5Oi4QCqZZHpu1krEZWpipDFILDxelcWFOV559Q4L8/Osrz9FUST9vo5h9NjLHVIul0gkEkxOWT72VsAgc21YUdcsgv1sa9d0P5SSSCTC4qW5Iat2hWajzUd3P8bn83Hj+hVmpjNOIB+t32drcxNdh2w2SyplSvxCURwi6Uaj0mLzyTa63uPS/DxzcxMgu6BLEvEkiVjqhJkF7n+6xsFeDp/PywsrV0in0xwdHZEv1AgEAszOTllaKR1FMcz5xtRSKYqCUCRLS5e4tXqVnZ0dPr2/jq73XcakJxK5YY21qnqYnJwkFAqxsf6Ey5cvO4F53IzeWCIfY4yvHzwAT548odUy1aXlcomnT54ghKDV6bK2tsYLVy+TTqVoNhtsb2/T6/fQ+zqlcolioUA6kwBFodvpki/kaTTMsmq1GoeHB8zNTuHxeFyS1ueHMiSRAWCYlvXqh3c5OjokkQ4SDodIFYpkMylYXHAiggGDBM7eLHUdVI/JcDiqfYWepqHu7nJwdMgcQLvD4dYWk1OTsL3Dhx+8T2f9Ed/61rdQ19cxDIP5+TnIToJhmNL2UH3oBoZb+ur32N3cZOY4j67rVCtV5Gefsaeb43f4wx+zsrKCLx2hUq4w9ekjWq02IUAeHbP90UfEYjHid26fRPkaFXfbJgpWRLLDw2PqddNATEpJrVZjY30Dn09lanoavd8nn8/z6f1P8Xq93Lp9m2arSV/vk81micfjCEUQCUdMv3AdEskE7Xabra0tjo4OURSFyakMoXCYcqnEJ5/cJxwOcXlpCWkIut0eExMTZlnucZKS+598wrPtbaSUZgCaxdnB+bP5PSkda20n1ryU9Hs9nm1vc7B/yNzcHPPz8xwdHeLzepmZniZgR8SzQ+BK6VihSzfD6W6XpVkoF4sUCgX6vR6GobN/sE86FaZSKbO29hgpDWq1Ffx+P+12m3Q6TSqdHplzXrGYYrv/tmV9pVJmb2/f+Z3L5eh0OkhpcHR0xNbWFpOTU9TqFarVKpVKBSklrVab7WfbVONhUqkU0VjkVJ1jjDHG7x48ABsbT0gkUoRCUYQQPNl4ap2dSjwelUAggCEl9XqT/f1DMpmU6Wfe6ZDP50lnk04QlXKpjM/nZXZ2Bp/Xx+HRERPZpEnI3ZvZQIhW828r4jjCySNt/tN/6TYFo4984SpMZU9CXwcEmZvLqO+8wcavfk3i/3yA5vVwb2mG5Xe+TfbPvouYSJvZzwwdgirKwiQbf/AtMpk0s4pqxQ8/nYfb0DWMfJ6u3mfv975JMRCg+3SHqewMvPUG/lgA/wcfkfvle3T7OoHVa2jvfAexehuCAZiaZPut1/H7/cTicVBVei/dpNipE169BlNpZKlG6ePPaM1maCZexRcMsvtknf7uNgDdXodIJIi6f8zmp59i5PaJzs/TymbYikXRf/oLYtkJ5EurF0yzYhEsQb+n82TjqRVkJsjc3AIe4eXJuhngJJVIEwz6WZibp9vRePZsi51NMwBQJplgdm6OleXLKMB0NsMrt2/zaGMdTWuzs71rqdp7LCxc5srVy6TTCaKRKPV6g6OjQ/ZyOQwpyWSSXL16naWlJSeMq30mHk8kSDca6LokHkuO6I+Bz+fh8tI8iqLgD/g4SaBi/r558wYCL/Vag62tbTqdDleurnDnzkskE3GcDGVAIOhhZjYLUiEciYxgOC3XDCmpVMu0Gy2y6QxCVUwr90ab+blFGs0u29vPyOX2URWFUDjA5cvXeeHKZfwBD+22ZGY2SzQadVw6A4EgCwvT6IaB3xdAoFAqmcR5fmEaIQTH+UPK5QJCmFbxiWQSw9DJ7e5TKhXp9/osLCzg9arkcjlq1SCqqpiEfBRjN8YYY/xOQUgp5bOtR9jx082EIXaAFjNmdjIeIRyJ0G51KRWL9C2jHZ+ASDRKIhUzo5T1TCm93elb6kEzNGsmFR+0kHZvLkJgb8IOIXf2HYvAf/QAWSgipiZhesr03wZAN8+aH+3C/h6ybrr24DEQ2Szizk3zt8+yem52kKUS8t5DCARQ3vomeOzY7wYoVmAVqYPeR37wGbJWh1bDPFaYn4WpSQj4oVBEbmxa4+QxQ6jeuIKIx0y6WS4j7z9CeL2IO7fMULGfrSNLJcRECiYnET4fcm8PubntqG0B04DPGn8xOQnhEOTzyELJGjuLaPkDCL8f+eY3TyS+8zZuKen1ehweHpkqW2GG/pRWsg2/30s6ncbn96L3+zSbDcrlihlxzJCoPj+JeJxIxLZ5UNA6bSr1Gq1mC5sQC6Hi8/pIZeJmrHhDUKmUqdfrJxI0kEplCYdDqML2ejDfzx/l6XQ65qlBIEB2InGiWrfQ1TT294/xqCrZiRR+K6wtUoKioOt98scVM2a5ta79fj+pVBq/vRQtl7dWvU2lUkEIlUQiQTDsd9l0DGpzatUK1UrbvGXZKmRScULhMNVag3qjTr9nfj+GMEgkEsSjIVTVg6Z1KRYKaB2ddCZDJOozmeFjU6KenErj8/qoN+pUK1XAY6nYrVj8VtpUj9dLJp2hUimbxoLSY9lLWLYBikEymSIcCY1eB2OMMcb/f1AiuBOZFQoFFEXh+9//vknIMWonD7s3riGVp3NvRE7nAbWu+/dZ57ZO49QTxuGLQprqcXSXL7KLMEpFN63t9b55T/Vaqu7BQCgDEAL0rlmOwCL0FgWwGBnhYngc/2dLxWsYxomPt50SVbjG1n5ecdkZ2PmqHWbKOhZQToz6kIaVX90A6bXadcH42P2zc3nb8+Nui/vvUcyAfQZvz6l7vodzlMPgGrB/u9vjXifntfk8l7RRddoEfzhnumGcrRF6jvoMwzCZpVFj4+6P21bBXd9w/aPqUsDo91GsPhi6HGTQht8ZNY7u+RljjDF+d6CEwJWT3E3IT+cjP2+zOWuzGz6bdee7Puvc1sZX4fcq7M3TJizqQH0CgcRA2FGv7JzdwwyJG0PMgFmH9axqGRU5Y2X3U3V+KspQxDWhcJL+0wXDjo3KiTW/YWUgkwyOneM94L5vuwOeg2EbgWEGbfjvUWPipDY9bUF+illzP+MmKsNW6ecRm/MYQMsDYaBM+293StJRDMxZzMMF6udzfd1HMULDz16gKTHbrjtEHCFQVGVwvNzPDtdrY0zExxjjawd3dJHTm4b7+kVwS3KjNrCziMdXAjHwz8mZt1W3AU4YVvs5V7+G3ZftkLMI1XzPkbBswmWWL+3fcuhs326GTZ8dAyo3MRCudgymqUQMGwYOSnjSZhisPOSn88l/Ppxy377oeTnkDjdc/7CR31lr6zyc690wtJYuCigz3J4hfN7+nyr+yy5n5xtRT5hFLGZzWDN2EZEeE/ExxvjawaV/vkBKGkWgR0lg9vWzpHfjAunxi8Bd56i6zyMgozZ224XMJujuZ88IZuPUM1SnEMpge0YxNcPtdur6ihie89TXz7nxn+W7PPL6eeM/isif9f7w32ddO6v85ynvOftvMi/nnGGMWv+j5nV4vocZ3fNU6edhlJQ+JupjjPG1wGnV+vNINcPPPQ/ReR516hfFRXWP2hzdauEzErkMB+owBWPVkeCEMfietPzspZSmwC1N/3npEHPbx9zM5OVI2g7BG+qP1d4TidFkLBR58tvVsLNxgTpYyHMIFGAH8RG2MdtAW8+p7yIV9nmq5vOeOe+456LnR6iqn8f3WmCq7c980l3/l2E04PTx1qjyhr+54TE/bwz/sQn8eeMxxhhjfGkMEvLfFrEdOOc944zyHwOj2vBl2zLUn+eKrDVq0x15rHGawArbcO7L4NQxx4ixGCA+blsBcZowDdgCjGDqLtrIv4o5GC7vvPX2eer7PJqRs6To4XP888q7iBFx12Pf+6rV7aPaYDMXozRqwzYxz1PeGGOM8ZXBJOTCMg5zf4OOYRWMFrs+B55Hxf1VwC7e3k/FyY2BWNZDErgTUM6mZ07EEeeJgQeFLsHKACex5GIhTs5KnbEzNzanPGxjOP2kfMW1sSvyhGgK4QjajsQ85O8uxZc4Ix9gIvTTBPksSIY2bPH5iN1Z7fgyOItReF6m0bFZdEuxhuvmRYyTelpF/nlgv6cwZPxpey2cesFSnVvtG2bsXFHonq/+55jD553f52HS/qk1BGOM8TsGK43piI/UMcx6ztjoz4Pf1gfrSNfDly3VtByMsjYqTOfnq+9kkzTLsTdB+5xTZTTzYl9zbbSGWzsw7B41QpJ8XoJ7HobVrhdJrOc9P7x2nkeifN57XxTD2paL2jiqCcMeC+dXeFLmRW5mZxF7IcyGOK6KCgwbcbrLcMo859v9PLhI/X+etm6UO6K7nSOi2o0xxhhfHSxCfgYHb18XI9S+A8/JwQ8Z12Z06izvK2YM3O5bw32x1IDCJqxWW9xnvIahnyQhcYjqGQ2UtmuQLQm7zqildPmTm4Ub0vYDHgrWorqC0Lg3bmeYhiSsgXF1XT4xiz+9mQ68P6RycEtxigdD75luT2cRHIlrfbjcvhyipZxIkqPc4YYJv12e01ZjdLu/KEap/h3XQ33onjSbKwTOuAy5L5r9MwbD/YLLm8Hqj6Fb2pJhBsLFWNj9H4DNnLk1L651YQx9m+62GIYZh98d/95en8KdRU1Y6VEtzwdpZboTwtQuWe+bcffNf8HKlaDb/eKM9WW3rz/k0umxuq6fzwiMMcYYZ+JEU3w2TEJubVy53R3y+QIAuqHj8/pYWloiEg27Sj1HgjMMut0uudw+1WoV3dBRFRUpDQKBIFNTU04Ciy8F12ZydHzM4cERut533Vacjcrj9bB66xYIhWebmxSKBSduu6KoXLlyxYyAdd4GY0sV0qy7p3U5Ps5zdHRk1WUSB6/Pz9TkJNmJSZAGtVqVo6Mjmo2WSdSFmcksnUozNT1FMGhG3srlchSLJStxhoLqEea4h80Qm6VCgVwuR79vprE0pHTGNRgM8cK1qyfBSi4aN0Brt9nc3HLidwsBsVjMDPPpN6Oa6bpOoVBgf2/PmnIFv99PNpshO5EFw6BSrXCwf0C73UFVPUxNT1n5xYfaYRN8w6DRbLCznaPTabO4eIl4PG4m/zjP//kiAj9Cg9DtdtnZ2bHShFqMmtWH+flZorHYqXe1TpuDg0NKpSLpdIa5uTmazQb7+0dO6taBbkmJx+NhYWHOCVdsr0N7vm3E4wnSmTR7uRyaprmargwQzbm5OXq9Hnv7e+Y1IWDIGNHv93N5aYnd3V2ajQY6JxomOxmNoqhks1n8fj+7u7vWPeNUvZFwhGQyTb3eoFqtms+IQUZMkTAzM4uUknw+76zDk/E22xcMmfuFPxBgd2eHQr5CIplg8dLciR/+qDP2MXEfY4wzccp7agSsM3LBbm6Xex8/pFqtkk7HMAyDg4MDmm2N69eWSSSSZ35w0qqo2zXY3T1gbe0xzUaDZCoOQKPVodfrcanW4oWrV0mn49abX9BoyyVddzodtnb3LULXZ35+Hr/fj1AErWaLZqvJ9Ru32Nvb5e5H92m126TTMfq6zuFBHl2qvHDlshn7+iyVpLD+Jwx6Wof9wzxra2vki0VS6RQqZgzsdqtNvlDhlqLg83nZ2DDTWHp9gmAwiJ2gZDe3z5W2xvz8PLVajY/urdFutQhF/Bi6TrlUpdnSuX79KtFoFK3XZ//wmM3NHfq9HpNTaaLRKPV6k06ng6J4WFpawuuz4tnL/kDzpcPLCdqtFhsbT7l//1P8/iDRaMTcwA2JgYfZ2RlUj4d8vsCDzx6Sy+WYnJig1+/RaXeYnplh1eMjkUjQ7vTZOzhme9NMcPKNb75COpU2A5mYC8OqVnU28Fqtzscf36dSrhAOR0gkEieaBIuYH+wfEwwGicYCVhz2wfCsF6Gn62w83eaTTz9DKIJk3EweonV0arUazXaHlZUV4omIRQAVOp02Ozs5Hj58iKZp+AJhekaPnt7nKF/kyZMnNBstkqkUyWQETdMoFc2IiL5gAI+qsv5kh2LBZISnZ2bw+QT5fJ5qtc7i4iVefTVCvlhhY32TTqdDIhkllUrS6/XI5fbQ+/D2228TDAXY2Tlgd/cAVfUwNz+J1+OlWq1SLBXJpDNMzcyRL5Z48uQJjXqbcDjE1HQGTdPIH5cBWH3xBtNTU+xuH7J/cICqKCRTKaKRCOVymWKxyMzMDLdf9FEsFXn8aJ1qtUo8HiedStPvG+TzZrjc117zEouHeLabYz93hG4YTExkCIdDlEplqtUqmUySqZl5/KEo5WqDh4/X8fv96FJy+fIlVI9iaQWGPq+xLdwYY5wDW1s4aMdmpok291oF4PBgnw/ef5/9vT0mJia4c+cON2/epNVq8emn99nf2zffHGVZjcnpK4pKvVFnbW2NXC5HOpPhlVde5datVSYnJ517O5Z08KVhEfOpyUnm5uZoNBrUajUuXbrEnTt3ePWVV1leXiYYCCKE4O7du2xubRKPx3n55Zd54epVqtUqH310l8PDA/fonF2fYdBut1hfX2djY4NwJMydO3dYXb3NxMQknU6Hhw8fsbm5SS63x4MHD6jVaiwsLHDnzh2uX79ONBoll8uxtrbG8fEx9z6+x8b6OoFAgJs3b7K8vEy70+GDD953MmDF43Hm5+dpNZvU63VmZ2e5/aKZM/v4+Jj33nvvRMrT+yOabhr76f0+nU6HzU0zRvzKygqrq7fJZrPs7u5y9+6HNBpNet0uW5ubPHr4kGAgwPUbN7h69QV6/R6PHj5ke3sHIQTJZIrp6Rk8Xi+VapVOp3O27YHLn97r8eDzeVFVM9StPba6YVAqlbh79y77Vt+fby0YA/9pmsa9j++RL+SZnJjkpRdf5MaN66SSSStL2RpHR0fO2Jj51Pd4+PAhtVqN+fkF5uZm8Xq9xGJR5ubmCAYC1Ot14vE4q6urXL16lWAoRLvdpt/rMTU9TTabpd0xmdaVlRVefvll5ucXEEJB0zQCgQDXr19DKGaylUgkzOrqKrdurRIOh8x3+32mp6acNV2v11leXublV17m0uXLANQbdbw+HwsLCwSDQRrNBl6fj1deeZWbN28Ri8XQtC79Xo9sNsvC4iKaptHXdebm5njxxReZn5932uXzeZmdmcXv91OtVAmFwrxw7RrXr18nFovRbrfpdDpMTEwwMTFBt9ul3Wpx6dIiL7/8skmkFcXS8JhzdunyZWbn5qjVaty9+yHHx8fo/dNrc4wxxnhOnKO58gD84AfvUilXuHPnFb752mtEIn5arRaK8FGrtmi2u0j7OB3D8Sd2yldMlbHW7VNrNNF6fUKRKKlslv29fZ5uPSNfKBPw+mh3usjhkKQX+TGfBQm+QIRoOIxHUegD8WiMyUwW1eMhFokwPzuHVFSK5SqdrkEgGCUzOYPqDWKgUK7W6XR1pPA4ZQ6fRggAw8AQKj1dUGt0aHX6RCNJsplp8vkjcvt7HOWrGIZBvdHF45FUG3X8fj+J1ATJ9CTP7t1je/eAWr1DMNym2e5SqTRpaV2C4SjpzASqt4JQfVTLNdpaF62vEwyFiKcSCFVFRxKJx0hnMhSKZXq6zlG+TLcnMaSCEB6GNR2KIpCGRAidcCTG66+/jhCKmVnN4+FgP0W3a1CrNdB1g37foNnsUK+3mZkJMTkxQb1Rx+cNcFg7ptlsYBgGPp+fWCyB6gki8SBUj6mdcdbH8LwqZCem+b2338EwdKKRKIrH76R2bXc0/vbHPyW3e0g6O40uFVRURoU7ODU/nCgAuv0O5XKDfhcikQTZ7DRbW894+PAx9XoLRfHSbHYReBGKIH+c54PffEStVuPFl15idfUG4bApxSseiEajeH0+DMMgFAySyWSYmp7G6wny0UcfIRWBPxAgFAmjeFQ8Ph+ZbJbsRJKXQyF0oNVsIRVBMpPG4/NiCAiGw6Qnsni9Xv5l9A/5Xz/4ERLwh4PEUgl0JIoiiCbiTE5PEwyHQRHcv38fFEE8mcTj86EIQTAQIJNJk0ol8XoCfPbZZwghCAZDpFMpFCHwqCqxaIypqSnrSMPL0eEhqhogHAoRCoVRPR6CgQDpVIpoLIw/oNLstJGKwBcMEIlGUTweFGkQTyZJZ7PEYjFU1cOzZ1tW7nWVWCzJnTt38Pl8/PrX7/Puuz/hj//4j8y0t0NqwrFAPsYY58AA7Eigrq/FsFJlCyHMpCk72+sIoZBKpglHY0AXaUgO9o8xpCSVihIKR63XR312poGT1u1RqVTo9XRisRixaJSO1qZYrtDr9fEoCvF4nKiTlcnt4vPFoXU053xyZnrGzLRmGy9Z2D/I0e9BOBImnYrT6/c4PDxGCEEqESEUjpiDZaesHAlBv9ehWm/TarWIRqLEE3G63Q6lcomeZqo6orEgiqJQrVbxerzEE3EC/gCVSsXJAe7xeIhGo7RaLTrtLvF4nFg8RKfToVyu0+/1SaaiRCIRBKB1O+TzZQzdIJ2NEwwEabU6lEolFFRmpqdRPB6r/cNHFrYBn33dwFRX64Ck1ehTLJbw+iCTzqCoZtsbdY1QKEgqHccwdIrFCv1ej1g8RCQaBTz0tA61WgtN04jFA0SicU7WiNtATrp+23MjXffB0HscHR3R60rS6TThqM961pU5byQG16RhSA4ODxBCJRaLEQkH6LTblIpldMNAVRQSiQShSBAQ9DSNYqmIlNLMfhYKucoV9Ls9UyXf6hCNREyVvKKi9wxqtRqegEI0HKXeaFOv1wHIZrN4PWZ/640GmqYRT0Txqj6O80U67Q7xRJhoNIoizHk7zhcJhUJEwmG6PY3DgwJCCLITSQJ+s03tTpNSqcTMzAz9fp9qtUqnpZnEN5uymm3On6oaRKJxelqfYrGIEIJYLEbQWuvtZh1N04hEIuZ6rZkZ6iLhCIlkAkVVMPQ+hVKNYDBIOOyn1W5Rq7aQUpJOJwn4A2ZZrQatZotEMoHqOZmvdqtBuVQFYGp6AkUdxZSNSfkYX2c87/q3snNaR42ns5+N8VvAeQzBP0U5n7eu30a9/5h9+bz4f7ltY4wxxhiDKJSKAPzP//GXeL73ve8BnDqPdNI2uiCEQNf1U9fte7Z/tq5LJ4WnrTZVhIIhrdSe4gsauZ2DUe0dvmcYBqqqntmHs8pw3HikFYIV831p2OFYDez8626XH7dGYPA6TltsDI6/4TxvjplnZDl2e4fLPm8Mhp8VQqAbPWe+RpdlvWcIq/8957o7v7iqqta7o+fXmX/XuNjv2/Pj/tdtif154D6nH55r855xqkzb6E1KaUXtHVynw2vDnr/hObX74m7HWc8M93d4nZ7V71NziIpu6MDpNg6vZ3fZo9bk8Boxr41shnlfGqh4UBUFfcgi3fYccWwen2OdjjHGGINwvmPH3dhMk90zdBQhKJVK/F8BHCip3f6n9AAAAABJRU5ErkJggg==
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAR8AAACpCAYAAAASszmRAAAK5mlDQ1BJQ0MgUHJvZmlsZQAAeJyVlwdUU9kWhs+96SGhJBABKaE3QToBpIQeQOlVVEISklBCSEHFhsjgCIwFFREsAzrSFBwdARkLYsE2CFasAzKoqONgQVRU5gKPMDNvvffW22udnC/77rPP3neds9Z/ASAnscXiDFgVgEyRTBIZ6EOPT0ik454ACGABBVgCwOZIxczw8FCA2PT8d3t/G4lG7Ib1RK5/f/5fjcLlSTkAQEkIp3ClnEyE25HxlSOWyABAIQyMlsrEE/wbwuoSpECEP0wwf5LRpAlOmWL6ZEx0pC/CjgDgSWy2hA8AyRvx03M4fCQPKRlhWxFXKEJ4M8KeHAGbi3A3wnMyM7Mm+DPC5ki8GACyMcKMlL/k5P8tf4oiP5vNV/BUX5OG9xNKxRns5f/nq/nflpkhn97DFBkkgSQocoqh3vSsEAWLUhaETbOQOx0P9QrkQTHTzJH6Jk4zl+0XolibsSB0mlOFASxFHhkrepp5Uv+oaZZkRSr2SpX4MqeZLZnZV54eo/ALeCxF/lxBdNw05whjF0yzND0qZCbGV+GXyCMV9fNEgT4z+wYoes+U/qVfIUuxViaIDlL0zp6pnydizuSUxitq4/L8/GdiYhTxYpmPYi9xRrginpcRqPBLc6IUa2XI4ZxZG654h2ns4PBpBtFAAORABLiAByQgBWSBDCADdOAHhEAKxMg/NkCOk4y3TDbRnG+WeLlEyBfI6EzkBvLoLBHHZg7d3tbeHoCJ+zx1RN7SJu8pRLs848tuB8C1CHHyZ3xsIwCOPwGA+n7GZ/Rm6q6c7ObIJTlTPvTEDwYQgQpQB1pADxgBc2AN7IEzcAfewB8EgzCkkwSwGHCQfjKRTpaClWAtKATFYDPYDirAXrAP1IJD4AhoASfAGXABXAHd4Ba4D/rAIHgBhsF7MAZBEA4iQ1RIC9KHTCAryB5iQJ6QPxQKRUIJUDLEh0SQHFoJrYOKoVKoAqqC6qAfoePQGegS1APdhfqhIegN9AlGwSRYHdaFTeG5MANmwiFwNLwI5sPZcC5cAG+Ey+Fq+CDcDJ+Br8C34D74BTyCAiglFA1lgLJGMVC+qDBUIioVJUGtRhWhylDVqEZUG6oTdQPVh3qJ+ojGoqloOtoa7Y4OQsegOehs9Gp0CboCXYtuRp9D30D3o4fRXzFkjA7GCuOGYWHiMXzMUkwhpgxzAHMMcx5zCzOIeY/FYmlYM6wLNgibgE3DrsCWYHdjm7Dt2B7sAHYEh8Np4axwHrgwHBsnwxXiduIO4k7jruMGcR/wSnh9vD0+AJ+IF+Hz8WX4evwp/HX8U/wYQZVgQnAjhBG4hOWETYT9hDbCNcIgYYyoRjQjehCjiWnEtcRyYiPxPPEB8a2SkpKhkqtShJJQKU+pXOmw0kWlfqWPJArJkuRLSiLJSRtJNaR20l3SWzKZbEr2JieSZeSN5DryWfIj8gdlqrKNMkuZq7xGuVK5Wfm68isVgoqJClNlsUquSpnKUZVrKi9VCaqmqr6qbNXVqpWqx1XvqI6oUdXs1MLUMtVK1OrVLqk9o+AophR/CpdSQNlHOUsZoKKoRlRfKoe6jrqfep46qI5VN1NnqaepF6sfUu9SH9agaDhqxGos06jUOKnRR0PRTGksWgZtE+0I7Tbt0yzdWcxZvFkbZjXOuj5rVHO2prcmT7NIs0nzluYnLbqWv1a61hatFq2H2mhtS+0I7aXae7TPa7+crT7bfTZndtHsI7Pv6cA6ljqROit09ulc1RnR1dMN1BXr7tQ9q/tSj6bnrZemt03vlN6QPlXfU1+ov03/tP5zugadSc+gl9PP0YcNdAyCDOQGVQZdBmOGZoYxhvmGTYYPjYhGDKNUo21GHUbDxvrG841XGjcY3zMhmDBMBCY7TDpNRk3NTONM15u2mD4z0zRjmeWaNZg9MCebe5lnm1eb37TAWjAs0i12W3RbwpZOlgLLSstrVrCVs5XQardVzxzMHNc5ojnVc+5Yk6yZ1jnWDdb9NjSbUJt8mxabV3ON5ybO3TK3c+5XWyfbDNv9tvftKHbBdvl2bXZv7C3tOfaV9jcdyA4BDmscWh1eO1o58hz3OPY6UZ3mO6136nD64uziLHFudB5yMXZJdtnlcoehzghnlDAuumJcfVzXuJ5w/ejm7CZzO+L2h7u1e7p7vfuzeWbzePP2zxvwMPRge1R59HnSPZM9v/fs8zLwYntVez32NvLmeh/wfsq0YKYxDzJf+dj6SHyO+Yz6uvmu8m33Q/kF+hX5dflT/GP8K/wfBRgG8AMaAoYDnQJXBLYHYYJCgrYE3WHpsjisOtZwsEvwquBzIaSQqJCKkMehlqGS0Lb58Pzg+VvnP1hgskC0oCUMhLHCtoY9DDcLzw7/OQIbER5RGfEk0i5yZWRnFDVqSVR91Pton+hN0fdjzGPkMR2xKrFJsXWxo3F+caVxffFz41fFX0nQThAmtCbiEmMTDySOLPRfuH3hYJJTUmHS7UVmi5YturRYe3HG4pNLVJawlxxNxiTHJdcnf2aHsavZIymslF0pwxxfzg7OC643dxt3iOfBK+U9TfVILU19xvfgb+UPCbwEZYKXQl9hhfB1WlDa3rTR9LD0mvTxjLiMpkx8ZnLmcRFFlC46l6WXtSyrR2wlLhT3Zbtlb88eloRIDkgh6SJpq0wdEU5X5ebyb+T9OZ45lTkflsYuPbpMbZlo2dXllss3LH+aG5D7wwr0Cs6KjpUGK9eu7F/FXFW1GlqdsrpjjdGagjWDeYF5tWuJa9PX/pJvm1+a/25d3Lq2At2CvIKBbwK/aShULpQU3lnvvn7vt+hvhd92bXDYsHPD1yJu0eVi2+Ky4s8lnJLL39l9V/7d+MbUjV2bnDft2YzdLNp8e4vXltpStdLc0oGt87c2b6NvK9r2bvuS7ZfKHMv27iDukO/oKw8tb91pvHPzzs8VgopblT6VTbt0dm3YNbqbu/v6Hu89jXt19xbv/fS98PveqsCq5mrT6rJ92H05+57sj93f+QPjh7oD2geKD3ypEdX01UbWnqtzqaur16nf1AA3yBuGDiYd7D7kd6i10bqxqonWVHwYHJYffv5j8o+3j4Qc6TjKONr4k8lPu45RjxU1Q83Lm4dbBC19rQmtPceDj3e0ubcd+9nm55oTBicqT2qc3HSKeKrg1Pjp3NMj7eL2l2f4ZwY6lnTcPxt/9ua5iHNd50POX7wQcOFsJ7Pz9EWPiycuuV06fplxueWK85Xmq05Xj/3i9MuxLueu5msu11q7Xbvbeub1nLrudf3MDb8bF26ybl65teBWz+2Y2713ku709XJ7n93NuPv6Xs69sft5DzAPih6qPix7pPOo+leLX5v6nPtO9vv1X30c9fj+AGfgxW/S3z4PFjwhPyl7qv+07pn9sxNDAUPdzxc+H3whfjH2svB3td93vTJ/9dMf3n9cHY4fHnwteT3+puSt1tuad47vOkbCRx69z3w/Nlr0QetD7UfGx85PcZ+eji39jPtc/sXiS9vXkK8PxjPHx8VsCXtSCqCQAaemAvCmBtHLCYh2QLQ0ceGU3p40aOobYZLAf+IpTT5pzgDUeAMQkwdAKKJR9iDDBGESMk/IpGhvADs4KMa/TJrqYD+Vi4SoTcyH8fG3ugDg2gD4IhkfH9s9Pv5lP1LsXQDas6d0/oRhka+fUjMtFZjZE5KdB/5hU98Af+nxnzOYqMAR/HP+E8R9IgX6GUmeAAAhuUlEQVR4nO3de3hU1b3G8e+eiYk1yRDBiEJSNTElEy7iFbFewCYgaEQ9autpra0KSAMpKmqprYKtcqRVweAFULT26q0qICqJgrRHQAVbGzLBELBJ4AgRJLODJZOZvc4fm9mZzC0Xkkwm+X2eh8dnZs1ee83GWay19qx3tEavUikJGkophBCiJ2iahi3WjRBC9E/S+QghYkI6HyFETEjnI4SICVtXLTPrOpxxgZfa2vA1Ti/ykpJj/nlmhS+k3FWpGJwXvkwI0ff02Mhn6RMJHNiWwNhhPXXGyDweKLiiazu67qhTiL4sIdYN8HPmauyt6DXNEUJ0s5CRj3/6dNfPWqZJd9ztbVXmn1q5KhVZZ7aeapW+a4Qc15a2pmSB5SfmRZ7aBfJP44Lb8vgSHwOHe9m4HWYvUKTkeBk4zMu69UbIuYLbM73Iy5x7vFa9/ra0VacQIgzdqxSg/NxupbLObFaXTWlWSilV4TJUxohm9d46n3K7lRo1tlnV1BhW2WmjzcfRjvNralIq//JmtfxZrwoWqWzaT1rq7IhpPwl/nrbaESjw/fnrHHl+s2poaHnsr6O9dQohzD4n7JpPyrGwrMQOQHaWRu4pUL2z7dFGZ4+L2DHqsOFDuHt2x5emhjs1Zi9QTLqqfaMvv9KylpHbuYU+GptalxdP1XA4NMBcx7r1ZnuH2yaE6MO32otn2mmsSuCOmTZScrzt6oR0HYrnGqxabqOxKoGPVtlJSeqBxgrRD7XZ+by/weCfO2FigflSTzPsqFZ4PFA8J3RkEOm4zkhKgozBsHBR59dOCvJtfLTKzvZ/Y60VJSZC1ilQUdl6VFa3W9F4uOXxopLI7y9YpDqFEOGF7RkaD4PzUh8pOV6+W2Tw4pM2MjM1UlNhxk0ahVMNBg73cuo34eS0to/z34YOXpR9ZoUvalliIrz51wS8Xjq04OyvM3D69PNZGpmZmvWa2bPs/HE1rRaHnbkaky+Gwqnm1MtQrd9fW8LVKYQIT9O9SqUG7GrXdbhwopfVL9pbfViFEKKryK52IUTMSOcjhIiJkGmXEEJ0N5l2CSFiRjofIURMSOcjhIiJDuf5SByFEKIryMhHCBETYTufeIijiBb9Ee184d5f8IiroxEebbUl2vk6c82E6BPcQZEaSsVHHEVbER6Rzhf8unDHdTTCI7gta0t9Kt3ZEjUSGEPidiuVe07rqJHOXDMh4hmgwkYH+uMoXl3p5a3X258uWFpmcPWMlhHLcce0Lg+OozhakSI8xo+LfL7Hl/gYkQ3jx5mDPv9+ruqdinPONiM8nvxNx2ejgW3JyNCs3fB1uxVfHDT3vPklBlTf09dMiN4i7KdM4ii6Tl2dYvAA2LPFvKaNVQkc2J7A+HE2uWaiX4v6T3w8xVG0N8KjIN9GeTXWmpKrUrFmgzly6ooIj2Dnj7FxqAleeiW0zqO5ZkLEu5BPajzFUUSK8IjGmaux4jGb1c5vT/HxQomN8eNsnY7wiCY1FVb/yc69v1VWnaPGenG71VFfMyHimeb2KuWIw71dEv0hRPySvV1CiJiRzkcIERNxO+0SQsQvmXYJIWJGOh8hREz0SOej6x5Gjl5CbW1DT5xOiDaF+6nvo6lrcF70PYIdKYtWZ2/VmevZ4UiNvqCsuoy0eYNImzeIIQsyqHXXWmWu+kqGLsgkbd4g0n91Eut3rY9ZmYi90jKj1ffOOtIpLH0igQPbEhg7rGNl/UZDmI2lXc3tblIjzihRNTUHu/U87VGxz6VyHvmWqmmoUUopVbqjVI1ecqZqONyg3E1ulfPoMPXMx8+GvLany0T3Ct7EG8niEq8aNbZZ3X6XuWn4qWVeddV3Wx63Jdqm6c5sqO6t2ns9/Qj3W+3+KdKcu9/Gnno/9tT7uf3Ot1qV+adPLlc9p5z+21aPB578UMhxfqVlOyKW9ZTd7jpy0nPIdGQCMCZzDM2+Zrbu2crm2s0kJx7HdSOuBaCsupR97i9ZW1Xa42UiutIyI+KUJZLAaJNzC82tLM3e8EF2pWUGo8Z6OXwYLjoPmpuhvl7RcBDGX9jypda2pk+dEa3OSHE34craGxUT6biORMX4r2d72ukXdpu0fqiJ8vK9+PT5uFz1jJ+4gisLcznn7KFRL9pjiz9g4a8ncOst54St86WXy/Hp8yktq+b6H7zIHbMvIDNzQNQ6u8Mndf+g1l1LpiOT57c+z96GegBc9S6GOIbgSHIwY+UMNtVu5vLhk6ior+Dr5kM9Wia6lq7DFf/t48E5GrfebMdVqbj8Bh/HJLTsKwz81ryrUjF0MBx7LIwepeH1weIlPk49RePrr1vqXfpEAiUeuPyatjdft1e0OheVtLyH4Pf3vZt9fPyO+Y1/XYfzLvWSnWUwfpyN6UVeanZDY1Xrj7yrUjHhOh9/edLcYuR/nJ1lcM7ZNhoPQ3mleVxpmcH3iw1un6VIS9PCXs+22hko7IJzanISy5deBUB29kBG5A6munp/mxdteN6JTJ+9issm/y5qnRlDHThSEtusrzvkZ+czd/w9jHx0NGnzBlG+t5zBA9JbvWbGyhnUNNTySdFWHEmpMS0T4RXkm0kA0f7nDrRps0FyElx/bej/8sOdmvUagHdKzf86vwXbXObo4JKLbPxpZdsbl7ubP+4mOGkiMLolJcfLyWd52es2y3TdjIq5e3Zo20vLjIgRMxA5Kiba9YzWzkBdeiV/WjwWnz6fO++4EHvq/WE7od5g1vmzODhvPwfn7Wf2Bbfj8XrIHpSNM93J/1Zv5LjEZN68cTUen4edX+0iLz2vx8tEz3Hmarg+g+pdiuk3aax9T7HNpcjL1Vq9ZucnCWRmatbrYyFS3E206Jbe1M5Abbbs/Q2fs+XTPUyckANAk8fLjuoDeDw+Zv30TdyNnpBjCvKzKf9wJq7P6nv17XWPz8PsNbMpzCsk05HJmMwxZAwcQuGwKwDY8PkG/rWnnAk5BT1eJqLzr/mEW0sIJyND46tG2LJV4fFA8ZyWNYqMDI39X8EHmxTXXWMjzQEVVWbMSm8VHHcTLbolWlRMtIiZaKJdz2jtbCX4bpfb3aROOf23ypZyn7Kl3Ke+MXC+em/dTqt80eIPrLJbpr5m3cVqavKq7xQ8Z5XZUu5Ty5/5yKoz8G5XRcU+9c3s38Tk7leTt0lNeH6iGnD/QDXg/oHWnSa/in0uNeShDDXg/oHqhAcGq3U718WsTERW4TLUic6ORd4uLvGq5NObVfLpzerRRV4r3tYfg+u/g7W4xKvSnc2qeqcR9m7U2lKfumxKs3W3yl+n/8/yZ709VhbYNv818ZcFRvAGH+uP+fW/H//zx3+rJeI3OAI4+I5WpOvZVjuVMvscrcGr1ICAvV267uGCi5axZtWNMVkMFqI9PEcWZEfmwaMLJV423sjeLhGX/L94Ih1PfJO/ORF3imfaKZ4Z61aIoxUy7RJCiO4m0y4hRMxI5yOEiIku7Xym3faGtXfrmWc/bndZLAXvT+sOxiwfPqf5x3iu636WR4h41qWRGsuensJ/9t/H+LGndaisL1CVCt+ogE7mmpZ9LrYSO/Z/2tFyYthAIXoZudvVBVSlwrjBwFZiQ7uk934rVojeJOK0K3CadPxJD1nTksDne9sUqr0Coz9GnLek1RaRtmNBqrv0fYeMmAKmZRHLdDAu8mHMDSi7Jz4S74TwCzvymXbbG9TUHMSnzw8pW/b0FJY9PQUwP6iXFf6OiRNy4ubb0LruYdKVL1jRH/734BctFiQSLVdDu1XDuM1AGwS2NXZwtKcxoKYa2NbY0DI0s1Mp8KGyFNpZWtQyDgPbwe6yWyMvNVnJyEvEjZDOR9c9rN+wi6VPTgl7QGlZNZdd/YL12JGc1H2t6wabNteSkpzI9deNDFvujwV55dVtvL3mppDygvzssJ2yrcgGRWA8YeAb42tXJ6R2K1QDqIKARWgbaG2UAXAsaI+bA1ctS0PLBLVTOh8RPzp0t0vXPRQVr6Js1Y/w6fMp/3BmzHJ5usvRxoLYimzYP7RDExivtnFna7dCc4B9sx2768ifbXazA4lWJkQfENL5JCXZ+WZGGg8v3BDy4rq6BtwB++YfW/xB2EiN3ixjqIMvD3zNlq17OhUL0p41H7VbobzmiCQa7TxbxE4qWlnI+f5moD4HrUA6JhE/QjqfxEQ7a1bfiNerQhacnc50rpycS37h89hT78cwFBknmfMKj8dH/oTn+cagB1i3cRfTZ6+yPqTRynqa05nO3DkXk19otmfypJyQ9+B/3yPOW8Iv545rcz1LvWtYC78+pw/jagOtWDNHKR4wrvThO8OHqgK1ULUsHqeC9nsb6jHVcuyFPnATvQzgMBgF5nmNYmXeacuQzkfED+2gV6k02dsVX3QwJvvQ/iwdjohPsrdLCBEz0vkIIWJCpl1CiB4n0y4hRMxI5yOEiIl+H6nRXsE/FS2EODq2rlzq6c+RGu2x+PGNIZ1v4EbW4wY9wLr1u6yywO8dReqww9XZ2fMJ0ZNk2tVDSsuqWfLUJs4afrL1XOAmV58+ny1/n8GPbn2V2toGdN3DiNEl3DXnwogddrg6O3s+IXpav4/UCIzNCJ5ahUs5LC3bETFuIxL/nrgliwsZ4DjWej54k+va0h3U7dV5Z20VqamJfFYxm/Hjwnc8kers7PmE6GlhO5/ASA2fPp+vvvi5tcVg2dNTrOfLP5zJrxasj7t/Of2xGf738dgjk9p1nH6oiZdeLrfe+59f/rRd05Y773qLyycNC+lIKir2kTHEgcORxLTb3mD5io+5rnA42yrqO11nd51PiK4W0vn4IzXuufvisAf4N1aGC+KKF/7YjI7uWE9NTmL50qsAyM4eyIjcwVRX7496TGlZNTU1B6N2cP7Ovvwfs3A42o4oiVZnd5xPiO7QLyM1jjY2o708Hh8PL/wbpX/biT31/lYba0eMLuHUU4+n9G87SU5O5O01N+Hx+Ni58yuG56V3qs7hZ5Tw4EPvd+n5hOguIWFigZEawcP2vhCpEcgfm3FZ4e+orW0gLe0bNHm87Kg+wODBKRHjNgDe3/A5Wz7dw3PPXh2x/sREO2Vrf2Q99nh8TL7i93zvuyO49ZZz0HUP2ZnHc2VhbpfVGagrzidEdwnpfPyRGpOv+D321PsBM63w04+KWkVqAPz4hjNbxVFMvuL3rNtoroH4/8VduqiQH954ZsSyjsSVdoXgdgIsXVRorWkV3Tam1fvbu6/Rep1+qIlT8x4FICnRzpuv3nhU8bGpqYm88er3+faly2lobGpVp657GHlWCbVfmBkaXXHNop1PiJ6mfdWs1PHHyN4uIUTPkb1dQoiYkd/tOkrB06NA/mlNpO/qCNGfybRLCNHjZNolhIgZ6XyEEDHRI52PxFGI3sZVqcg600ttrSw3xEq/HPm46isZuiCTtHmDSP/VSazftT7WTRK9lK5D9lleUnLMPwOHeVm3vu3fUhNts/W3fl/36Ez5w1U8MGE+B+ftZ8Nt65n22nRq3bWxbpropRLtsGq5jcaqBObN0vjpXAO3u799crpe2I2lI0cvYc7db3c4ciJSVIVfZ+Ioutrm2s0kJx7HdSOuBaCsupR97i9ZW1Uak/aIziktM0jJ8fLMCl+7j3FVKgbnmSOYcwt9NDZBsxcKrgitp7TMYNRYL7reupMpyLfReBgaGkLrDG7P9KKW54PLgo+7425vxDL/cboOZ1zg5a6fhT8u3oSddumHmigv39vh6IhoURWBcRRvv/ZDnv/jJzFZA3LVuxjiGIIjycGMlTNYseU5Lh8+iYr6ih5vi+g5ug5X/LePB+doNFYl8NEqOylJcEwCZJ0CFZXK+nDX1ipclYqhgyE1tfWPMi4q8THsFMjM1NB1+N7NPj5+x05jVQL/tzWBR55S1rRs6RMJNFYlWOd7qERZa0yLSlra0liVwKMLza/cuSoVE67z8ZcnbdZx8x9rqbPxMJRXQmNVAq89ZeMPq4nbdauwnU9noiMgelRFYJ0ZQx0x3w0/Y+UMahpq+aRoK46k1Ji2RXRcQb754bz1Znu7Xr9ps0FyElx/bej/8sOdmvUagHdKzf86v2WWe3xQONUcaW3cCi++YJ6zbrfii4PgvNRHSo6Xk8/ysjfgu6b+0VngSCvwnLMXKCZd1XrkUlpmMCIbxo8z2+nM1Zh8MVTvNDuYlGNhWYl5/owMjZQ4TkTp0gXnnoqqOBrOdCf/W72R4xKTefPG1Xh8HnZ+tYu89LxYN03EiDNXw/UZVO9STL9JY+17im0uRV6u2Sn513w+WmVnbwPM+7U5DaqrUwweAHu22K0RzIHtCYwfZ0PXoXiuYa0V+UdafsUzzWPumGkjJccb0gn1B212Pv7YhYkTcgCsyAmPxxcxcsIfVeH6rL7X3V4fkzmGjIFDKBx2BQAbPt/Av/aUMyGnIMYtEx3hH1W0d80jI0Pjq0bYslXh8UDxnJaRSEaGxv6v4INNiuuusZHmgIoqyM5qPeVy5mrc+xPNmuqcP8bGoSZ46ZXQu191uxWNh1seLyppPfLxK8g3O7Xt/zbrLMi3UV6NNc1yVSrWbAhtS18Qdm9XtOiISJET0aIqdL33ZP6kJqby8g0vk/9MAYeavuYY+zG8/IO/kOnIjHXTRAdkZGgkHwOuz9r3emeuxl3TNQqnGoDBr2Zq7HvRnMpkDNXYr8MJgyA9XWNEnsbr6xWnZ4d+4H98k53FK7w8VuLj0YUJrP6TnXHX+Ji9wOwEs06Av79jt6ZL/vPdUAAnp5l1eDxw+TVeNm5vqXfRXI3MTPN8Kx6zWccl2uDVpTZrNNWXaAealRoYsLdL1z1ccNEy1qySnBfRe/k/wCPzsBZrRfyQvV0iLj2+xMfA4dLxxDv5mxNxp3imneKZsW6FOFoh0y4hhOhuMu0SQsSMdD5CiJiQSA0h2hC4R6sje8lEdP1y5CORGiJY8CbQE/Nasn6WPpHAgW0JjB0W40b2Mf0uUsPj8/CLsl+wqegDDs7bz30F93L7mjtwN4UGwIv+ZdHclo2e+yoSrC/9ie7R7yI1Eu2JvHrDK9Y3mp3pTva699HQJFPCeNLRSI3AHevQdUmG0WIzAjeWBkdgRIvU6C/6XaRGMFe9izMzRsv2CsHsBcrqDEaN9bYrMCxSbEbwxtLXnrKRdQLM+4W5Iz1SpEZ/0m8jNQDKqstYsO5hnp7yVKybIjqoo5Ea7RE47fp0YwIOR9vTrmixGdFEitToT/pdpIZfyaYSfvjSj9hctFFGPaJTosVmpKbCxee15AB9t8hg8QKb1aFJpEY/jNQAs+NZsO5h6XjiWEcjNQA8zbCjOjRSo7OixWa4KhXbPmvJ+vHn/AQLjtToT/pdpIarvpL/WbeQr5v+w8hHR1vPP1L4G245++bYNUx0SEcjNVJTYcZNWquIi30H2j4uOP5i4wLF7AVeFs3VuPVme8TYDGeuxvBvwZCzWxagjzsGtrxjZ/BgLWqkRn+h7W9WapBEaog409sjNUrLDL5fbLDlHbvVqUwv8pKc3Dvb29Nkb5eIS/EYqaHrULYRK5pVSKSGiEPxEKlxycU2zsgycF7aMu2adjVdencu3oVMu4QQorvJtEsIETPS+QghYqJLO59pt71h7d165tmP210WS8H702JBVSp8o3wYz4X+BEus6lSVCuMcH6pOpuOie3Rp57Ps6Sn8Z/99jB97WofK+gJjlg+fM+DPqC744HrAuDK0AzFmhT6n3jUwromvrJluuWYibiTIX3XX0e7WsP244/25lqth/7SDd0Eqo//NdarOGOjsNRPxL+LfeuA06fiTHrKmJYHP97YpVHsFRn+MOG9Jqy0ibceCVHfofat3DXzOgJGKDsa5Pox7zFFK4L/+gaMZ4wkD3xk+VBWohcp8zXAf6n0FbXxXJFKd6GBc5MOYG1B+T8toyT9V8zl9GFcbqIAvpgeWWfVGGJmpdw2MC33gDnPcPW2Pztq6ZqJvCPs9n2m3vUFNzUF8+vyQsmVPT2HZ01MA84N6WeHvmDghJ26+Da3rHiZd+QILfz2BW285x3oPfv5YkFtvOafDdauFCt9C8wOiDQLbGjvad2zYlhgYtytUgUI9bMClYHvYHJXYSuzmh/ja1h8sW5ENph55/urWowNVfmTUo4Mx2Yf25yNlOUStE4DDwHawu+xmJ3G7Qs1SaAM01I0G2u3muVSlQv3A/PCrSoVxg4GtxIZ2iWY9VlkKTsEchQW0RVUCJwIOUPe21NlV10z0DSGdj657WL9hF0ufnBL2gNKyai67+gXrsSM5qfta1w02ba4lJTmR668bGbbcHwvyyqvbeHvNTSHlBfnZYTtliDyF0L5jQ5tuYBQYaE6w/fXoPkRaLqh3QX1owGmgShV83c6DjwXt8SNtHKqhJZodmfrQgCSw/Vdo+9W7Cu000C7RjpxfQ7sQ1M4jo7AaZR7PkbaA1RGSq6EWKoxVvrDvu6eumeh9OjTZ1nUPRcWrKFv1IytorDfk8nSl7owF0U7osqoAUDtBu16Dj2O3cqflAlVmW/iBBu8pcyR0ZGpoK7Jhd9nRijRzKtXBRfGuvmai9wjpfJKS7HwzI42HF24IeXFdXQPugByCxxZ/EDZSozfLGOrgywNfs2Xrnk7FgnR0zQfMNQz+rLD91QZe2r92kUjLtCbYHmCzQrvYBg6gru21oKiGaqhDoD5R4AF1d8uaj/YdDbULc70Jcxqm/g5algZDNThotsV2jQYDgKojZQG079iwvWaDGtp1R6vT10zEjZDOJzHRzprVN+L1qpAFZ6cznSsn55Jf+Dz21PsxDEXGSQ7AjNTIn/A83xj0AOs27mL67FXWhzRaWU9zOtOZO+di8gvN9kyelBPyHvzve8R5S/jl3HHtXs+yFoYDbhurdw2MYoX2oA3SNbSFNtRbRz5MRxZsgxeWAxdwtSLz9a0WnIdqqK+BQZgdT4aGev3IAe2oMxwtV0O7VcO4zVzoJl9DG9BSZvvtkTKnD+O/DGyLzPUfbagG+pG2pGvg1FB7gOyAtjhbFrEp0tAyWjqmDl8z0WdoXzYrdYLs7RJC9CDZ2yWEiBnpfIQQMSGdjxAiJqTzEULEhHQ+QoiYkM5HCBET0vkIIWLCJt/uEULEQsjIJ3j7gK57ODXnEStaIjhyIvBbytNue4M773rbKg+M4uhN2noP4SJD2roufaEtQvSo+malABVobekOlTb4QVVTc1BNnf66mn3HGqWUUhUV+9TgzP9R763bGfbx1Omvq+FnPK4aGg5bj5c/85HqTdzuJjXijBJVU3PQepzjfMx6D4EqKvapb2b/xnptpOvSF9oiRE8CVNg8n4L8bOb9fDyn5j1KwUVZVrTE2tIdjB5xEuPHmVGo/r1e1dX7redmzxqLw2HGbPhzf3qTuroGdu91Wz8HDeZPQvtFiwyJdF36QluE6GlRfzQwLzu9p9rRY+p2uxkyOJXPt99pdZJ+gZEh48edFhI05tdV16U3tUWInhb2bldpWTXLV3zMe6U34/Uqay1hQsHp/KP8C9at3wWY6xUr11SSnT2o51p8lM4fk0njIQ8vvfyvkLK2IkMiXZfA8o7s1u/OtgjR6wWv+awt3aG+MXB+q3Wd40960FpTWFu6Q9lS7lO2lPtavU6p3rnGE47/PfnfR/A6lf/5W6a+Zq3JtHVdAp+bOOn5mLdFiN4MUFq9R6n0RInU6Aq67mHkWSX84meXdCoDWoj+QiI1utDixzeSNuRBrr4yTzoeIdpBRj5CiB4nIx8hRMxI5yOEiAnpfIQQMSGdTzvpHp2znjibWndtrJsiRJ/QpZ2P/6dnevvvt3t8Hib+7jLS5g3i2S0rWpW56isZuiCTtHmDSP/VSazftT42jRSij+t3Ix//CObOb9/BmNPODSmb8oereGDCfA7O28+G29Yz7bXpMtoRohuEzfOJFo0RKQJi8eMbQ34U8LhBD7Bu/S7zy3ejlzDn7ret42K1HSA1MZXy4n8x7rRxIWWbazeTnHgc1424FoCy6lL2ub9kbVWp9ZqyHe+SNm8QafMGcefbc3qo1UL0PRFHPu+UVvH59jvx6fO57qrhvLO2Cl33cP0NL/LPD4vw6fM5uOdeFj7yd9at38VPi8fyn/33MX7saSxdVIhPn8/X+++zdrvrh5ooL9+LT5/P26/9kOf/+Emvy/px1bsY4hiCI8nBjJUzWLHlOS4fPomK+goAGj2HeGXbKxyct59XbnyRP3/yFxkVCdFJEXe1h4vGcLnqo0ZARJOanMTypVcB5u+lO1ISO9vmbjdj5QxqGmr5pGgrM1bOsJ5PSUzm6SlPATDUkUFKUnKsmihE3IsaqREsWgREX+BMd/LLt+eRe34ub964Go/Pw86vdnH9iOtj3TQh+pwOLThHi4AASEy0k5V1PNsq6rukcT1tTOYYMgYOoXDYFQBs+HwD/9pTzoScghi3TIi+p0Mjn9TURN5a+UO+felyps9eBYAz+wQ+2DDNGgnd/tML+Paly3l82SaSEu28+eqNnHP20K5veSfpHp2znziXfQ1mB7l510fcueouHin8DbecfTMv3/Ay+c8UcKjpa46xH8PLP/gLmY5MdI8e45YL0bdo+zxKnSgbS4UQPUg2lgohYkY6HyFETEjnI4SICel8hBAxIZ2PECIm+n3n46pUZJ3ppbZW7vYJ0ZM63Pl4PFBwhZdnVvi6rBHdUacQonfr9yMfIURshI3UcFUqBud5Sckx/9xxtxeAx5f4GDjcy8btMHuBIiXHy8BhXtatNwCYXtRyTEpO65HM9CIvc+7xWvWemGdOddqqM5rgdvrPp+twxgVe7vpZ6HsIPu7cQh/+HwZt6zghRBfa62n9i6VKKTXtJ81q+bPesL802NSkVP7lkcv9KlyGOm10s6qpMaw6R57frBoaWh7762hvnYHcbqVGjW2p3+1WKvecZvXeOp9yu5XKOrNZXTalWSml1NpSn0p3mq/1l/nPFdjO4OMqXIbKGGHWKYToOoAKu7druFNj9gLFqyu9vPV6+7d/lZYZXD2jZcRy3DGty4unajgcGgBLn+jQtrIQdbsVXxwE56Uto6vEgElkyrGwrMSM+8jI0Eg5sgl/02aD5CS4/trwM87A47KzNHJPgeqdivHjjqq5QoggYT+BxTPtNFYlcMdMGyk5XiZd1fbUQ9eheK7BquU2GqsS+GiV3frAd4e6OsXgAbBni9nWxqoEDmxPYPw4WcYSIh5E/aQW5Nv4aJWd7f/GuhWdmAhZp0BFZevVorrdisbDLY8XlbSspbQlUp3RnD/GxqEmeOmVtteGAmVkaHzVCFu2KjweKJ4TuZ3vbzD4506YWCAdmhBdLeRT5b/t7V9wPbfQx89naWRmatZrZs+y88fVtFocduZqTL4YCqcapOR4MRScnNb+hoSrM5rUVFj9Jzv3/lZZbR011ovbHb0Dc+Zq3DVdo3CqwcDhXiYXaK3a2XjYnMql5Hj5bpHBi0/aWr13IUTX0PZ6lBoskRqAOXW8cKKX1S/apcMRohtJpIYQImak8xFCxIRMu4QQPU6mXUKImPl/fjBvgxQLCgQAAAAASUVORK5CYII=
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAlgAAAHFCAYAAAAudofcAAAWpWlDQ1BJQ0MgUHJvZmlsZQAAeJyVWAdUFE+T79kIyy5pyXkJS84555xzEIEl55wNICoqKEmSBAVUEFFAEERQCQYUyYigiBJERFExIAgqN+KJ3//73t29q/fm9W9qqqu6p7q6uhoAdg1KZGQogh6AsPDYaDtjPT4XVzc+7CsAAQSgAgIAUHxiInVtbCwATH/af9LXx7A0TGOSv3T95/f/lRh9/WJ8AIDcYeztG+MTBuMu+PnuExkdCwDyBswXSIiN/IVnYMwUDQ8Qxl9+4YBtjKL6hb1/Y65tGQc7fRjLAECFp1CiAwDAa8B8vnifAFgPHraFYQz3DQqHzUfCWMsnkOILAFsjLCMRFhbxCz+DsQgsD39nR8FYxftfdAb8Q7/3jn4KJWAH/57XNlEZBMVEhlKS/p+/5v+msNC4PzbI8IMPjDaxg1tB+P9NhkSY7+BwbyvrPzjId1t+GwfGmTj+wT4x+m5/sC/FwHynb6iVxR/sH2RkuqMn1tThD/aLMbT/g6Mj7HZs+Ufr6/7BlOi/duNCHHf4gX6mO/qTAx2c/+D4ICerPzgmxN78r4z+Dj86zm5n/H7hxnp/7RrtzD0s5l/mG2S60zc20MFkZ+6Uv+P3C9f9qzPGZWdsvn4Ghn9lHHfkI2P1dmxFhtrsyPuFGu/wY+Ltd/rGwovzb1+bnX8YTDGz+YOBBTAEBoAP6IMgEA78QBigwG8G8FsMiASh8FtSrF9i7K+J6UdEJkUHBQTG8unC0efHZxruIyXBJycjJwfAr1j+vTw+223HKMQy9JcXBfdXUwUAUf6XRxEHoF0CDqFLf3mCSgDQlALQMe8TFx3/m/crJAAa4AAdYALsgAfeKUSAJJADSkAd6MCjNwPWwAG4Ag/gAwLh8UeDBLAXHADpIBPkgAJQAs6As+ACuAyawDVwA3SDe+AhGAbjYArMgAXwFqyAr2ATgiAsRICIEDvECwlB4pAcpAJpQYaQBWQHuUJeUAAUDsVBe6GDUCaUB5VAlVAtdAW6DnVDD6AR6Ak0Cy1Bn6ANBBKBRzAhuBFkhDRCBaGLMEc4IHYjAhBRiGTEIUQWohhRhbiEaEV0Ix4ixhEziLeIVSRA0iBZkCSkJFIFqY+0Rroh/ZHRyP3IDGQhsgpZj2xH9iLHkDPIZeQ3FAZFRPGhJFHqKBOUI8oHFYXajzqOKkFdQLWi7qDGULOoFdRPNAHNhRZHq6FN0S7oAHQCOh1diK5Gt6DvosfRC+ivGAyGBSOMUcaYYFwxwZg9mOOYckwDpgszgpnHrGKxWHasOFYTa42lYGOx6dhT2EvYTuwodgG7TkVDxUslR2VE5UYVTpVGVUh1keoW1SjVItUmNT21ELUatTW1L3USdTb1Oep26iHqBepNHANOGKeJc8AF4w7ginH1uLu4Z7jPNDQ0/DSqNLY0QTSpNMU0jTT3aWZpvuEZ8WJ4fbw7Pg6fha/Bd+Gf4D8TCAQyQYfgRoglZBFqCbcJzwnrtERaKVpTWl/aFNpS2lbaUdr3dNR0QnS6dB50yXSFdM10Q3TL9NT0ZHp9egr9fvpS+uv0E/SrDEQGWQZrhjCG4wwXGR4wvGbEMpIZDRl9GQ8xnmW8zThPRBIFiPpEH+JB4jniXeICE4ZJmMmUKZgpk+ky0yDTCjMjswKzE3MicynzTeYZFiQLmcWUJZQlm6WJ5THLBis3qy6rH+sx1nrWUdY1Nk42HTY/tgy2BrZxtg12PnZD9hD2XPZr7NMcKA4xDluOBI7THHc5ljmZONU5fTgzOJs4n3IhuMS47Lj2cJ3l6uda5ebhNuaO5D7FfZt7mYeFR4cnmCef5xbPEi+RV4s3iDeft5P3DR8zny5fKF8x3x2+FRIXyYQUR6okDZI2+YX5HfnT+Bv4pwVwAioC/gL5Aj0CK4K8gpaCewXrBJ8KUQupCAUKFQn1Cq2RhcnO5CPka+TXwmzCpsLJwnXCz0QIItoiUSJVIo9EMaIqoiGi5aLDYggxRbFAsVKxIXGEuJJ4kHi5+IgEWkJVIlyiSmJCEi+pKxkvWSc5K8UiZSGVJnVN6r20oLSbdK50r/RPGUWZUJlzMlOyjLJmsmmy7bKf5MTkfORK5R7JE+SN5FPk2+Q/Kogr+CmcVphUJCpaKh5R7FH8oaSsFK1Ur7SkLKjspVymPKHCpGKjclzlvipaVU81RfWG6jc1JbVYtSa1D+qS6iHqF9Vfawhr+Gmc05jX5NekaFZqzmjxaXlpVWjNaJO0KdpV2nM6Ajq+OtU6i7qiusG6l3Tf68noReu16K3pq+nv0+8yQBoYG2QYDBoyGjoalhg+N+I3CjCqM1oxVjTeY9xlgjYxN8k1mTDlNvUxrTVdMVM222d2xxxvbm9eYj5nIWYRbdFuibA0szxp+cxKyCrc6po1sDa1Pmk9bSNsE2XTYYuxtbEttX1lJ2u3167XnmjvaX/R/quDnkO2w5SjiGOcY48TnZO7U63TmrOBc57zjIu0yz6Xh64crkGubW5YNye3arfVXYa7CnYtuCu6p7s/3i28O3H3Aw8Oj1CPm550nhTPZi+0l7PXRa/vFGtKFWXV29S7zHvFR9+nyOetr45vvu+Sn6Zfnt+iv6Z/nv/rAM2AkwFLgdqBhYHLQfpBJUEfg02CzwSvhViH1IRshTqHNoRRhXmFXQ9nDA8JvxPBE5EYMRIpHpkeOROlFlUQtRJtHl0dA8XsjmmLZYIPTf1xInGH42bjteJL49cTnBKaExkSwxP7k8SSjiUtJhsln9+D2uOzp2cvae+BvbP7dPdV7of2e+/vSRFIOZSykGqceuEA7kDIgYE0mbS8tC8HnQ+2H+I+lHpo/rDx4bp02vTo9Ikj6kfOHEUdDTo6eEz+2KljPzN8M/oyZTILM78f9zned0L2RPGJrSz/rMFspezTOZic8JzHudq5F/IY8pLz5k9anmzN58vPyP9S4FnwoFCh8EwRriiuaKbYorjtlOCpnFPfSwJLxkv1ShvKuMqOla2V+5aPntY5XX+G+0zmmY2KoIrJSuPK1ipyVeFZzNn4s6/OOZ3rPa9yvraaozqz+kdNeM3MBbsLd2qVa2svcl3MrkPUxdUtXXK/NHzZ4HJbvWR9ZQNLQ2YjaIxrfHPF68rjJvOmnmaV5vqrQlfLWogtGa1Qa1LryrXAazNtrm0j182u97Srt7d0SHXU3CDdKL3JfDP7Fu7WoVtbncmdq12RXcvdAd3zPZ49U7ddbj+6Y3tn8K753fv3jO7d7tXt7byvef/GA7UH1/tU+q49VHrY2q/Y3zKgONAyqDTYOqQ81DasOtw+ojFya1R7tHvMYOzeI9NHD8etxkceOz6enHCfmJn0nXz9JPTJx6fxTzenUp+hn2VM008XPud6XvVC9EXDjNLMzVmD2f45+7mpeZ/5ty9jXn5fOPSK8KpwkXex9rXc6xtLRkvDb3a9WXgb+XZzOf0dw7uy9yLvr37Q+dC/4rKy8DH649an45/ZP9d8UfjSs2qz+vxr2NfNtYx19vUL31S+9W44byxuJnzHfi/+Ifqj/af5z2dbYVtbkZRoyvZRAAk/CH9/AD7VAEBwBYA4DABu1++z9n8TEj58IODWCZKC3iLKkR4oUTQW/RGzhJ2gekE9i1vDowlkWnO6WPoKhgkiDZMWczJLA+siuxgHhbOIa4gHzavI50fK4m8SGBV8T0YI04rQidLAO9838XcSs5JjUrelW2TOyebI7ZMPVnBS1FESUyYqf1dZUO1Xu6pepnFQM1jLTltLR0KXV49Fn96A2hBl+MNozXjF5LXpjNmk+aDFXcsbVs3Wl20u2tbaXbS/7NDgeMWp2bnZ5arrVbfmXU3uV3Y3eDR4Nnm1Ubq9+32e+L7y++K/FUgTxBLMHyIeqhimHW4a4RjpF5UQfSKmOrYzbjL+YyJ1El+y8h6rvT77EvdnpBSlVhyoTDtzsPhQ9uH09D1Hoo76H3PLsMrUPa54QiSLK5sxhyaXOo/mJH0+WwGpULxIoVjzlGGJZalj2a5yn9MhZ2IrUitzqirPtpzrO/+i+ssFqlqui9J1epccLwfUJzYcbSy8UtVU19x8tb2ls/XutQdtA9dH2sc7Jm9M3Xxx62Xn267VHuRt5jsidzXu2fT63E94kNFX9rChv3tgZHBm6N3w6sjG6PexzUfr46uPP068g1fb/NPnU5PPRqcHnt9/cXfm3mzf3Oj89MulhdVF6DV+ie2NwFupZdV3+u9NP5ivGHyU+8T66dPn3i+nVkO+aqzRrr1Yb/iWumG7Sdr8+L37R+5Pry2Zra1/+F8KzYf+DPv/DdUc9UcaHF6IYEgbSJdN38PwmSjJ5Ml8iuURG4HdkuMwZxfXVx5xXk++46Sr/I8FvgjRkbmEySIkUTYxGrF18TmJQcl2qbPSx2XiZb3kTOVlFFgVfii+VOpTblDJV01W81DX0yBrUmm+1RrRbtM5q5url6afYBBq6G3kZGxuomUqayZgzmyBtVi3fGP1zHrE5r5tj90t+w6HNscWp0bnOpdq10q3kl357id2H/FI80zxSqGkeWf4nPQt86vxbwxoC+wKuh88FDIe+izsZfhyxHoUJpo1RiJWL84lPjzhYGJR0qXkzj2je1/uW01BpOIO0KbhD2IO/jz05fBS+vSRkaN3j7Vl1GWePp5zIi0rITssJyA3IC/4ZHR+csHBwsyik8Wlp6pKaksby1rKb5zuOfOw4nHly6rVc5jzbNViNRoXrGo9L0bWpV7KuVxR39Bws7HvynjTi+bXV1da1lu32jDXCe1MHRw3+G6Sb0l0yndpdpv1uN4OvZNy9+S9mt72+wMPZvo+9aMGWAbJQ4rDeiMWo/Zjzo/cxt0fe0x4Tno98XpKmaI8o0xTnlNe+MwEzkbO7Z3PeFmyUPeqY7H/9fTSuzffl/HvON6TP0itSH8UhlfA1ufZL92rFV/3r7mvq31j+/Z1Y2yz8fuJH8E/jbYE/s3//3P8DxJxTBrMMXD8f4Dj34ezlOsRD4FXgy+EVMR/S2BO8CeZQZgkIiYqKiYsTpLgkKSXopYG0p9lFmUn5e7LtypUKxYoHVSOUtmtaq6mrC6gQauxrjmvNazdpdOse0GvQr/UoMAwy+iIcapJommkWYC5h4WDpamVlrWSjbStqB3ZXtCB35HkxOvM5cLuyuLGuAvvjt0N7f7h8c1zzWudsumD8KXyo/NnCeAKJAWRg8VCpEPlwhTDVSO0I42jbKM9YyJjU+Ny4ysTriR2JQ0lT+95u3d9PyIFl4o/QJ0GwVn05aFHh3vSG46UH804FpdBybQ8rnJCIIsu60f2u5y53Gd5kycn8icLnhROFk0WT5x6XPKodKxspHzo9MCZwYqRysdV03CmWzm/UYO6QKhlvshTR74kdVmhXq1Bu1H/ikGTYbPBVb0WnVbNa2ptytfl26U7xG+Qb/Lf4unk7OLs5ukRvC15R/mu3j3LXuf73g9C++IfpvQfHcgdLB46PVw5UjVaMVb2qGg893HmxKHJfU8SnkZMBT7zmnZ9bv/CZsZ21nnOez7qZdpCwasLix2vB5Zm3nxaRr1jei/4QW5F86PBJ6PPRl/0V7W/qq8prct+E98gb/J9Z/9B/EnYwvzy/+87l1+EgWvKc3CecDwCgEUuAKfVASDjAMDTAmBDAMBBFSD0sgFCXh4gZM7u5A8ILjypAT1gAyQgDpTh+tgWeIIIkALXlFWgBTwA0+AzhINIkBrkAEVAGVANdA9aQGAQIggLuNYrhuu7ZSQ70gSZjGxAvkYJwpXaOdRrtBRci/Vg6DBemGYsFdYL20HFRpVI9ZRam7oGrpP2497ReNKM4A3w1whihNO0zLQn6KjoDtOj6Y8w4BlOMnIz1hKVib1MzkyLzEksNCwVrMqsw2yh7Dj2Og4rji+cZVzGXJ+5K3gseTZ4a/gcSWhSK3+wAEngqWCBkB2ZSB4XLhHxEhUWfSfWLJ4koS2JkRySKpUOlFGRpZF9Idcqn6MQqmihJKfMo0JUpVWjV2fVIGlKa2lr2+sE6x7Sq9TvNpg3whqLmZibBpkdNq+w6LCctFqzYbfVtPOzz3bocHwLr2Vr1zS3q7sWdrN4GHkmeNVRZnzYfe39cv1HAolBLsEVIcth6uFZEYtRhtE1sYS4hPiXiQ5JvXs097bul0tpPCCb1nRI/vCVI5JHqzN4MotPELNycxhy809y5FcVShZ1nLIsmS9LOS1wZrjy8Fnd88jqBxfyLnpekqlHNjy9crU5tyXqmu11mQ6aG3O3WrrSe1zuSNxD9E49aH1YMBA/5DaiNyYzLjIh98Rxqnh6cyZ+7vvCkdesby69M/rw8tORVem1ZxtZPwy2948//mfd9r8S7H8b4AHCwD6QBSpAM7gHpsAKhIV4IGXIBgqB0qGzUDc0g4AQAggjRAgiD9GBeIUkIvWQcciLyJcoEoqCOo9aRiugU9ADGG5MBOYOlgsbjx2Da+l8qm/UXtR9OGVcNQ07zQk8Ep+M/0gIIszS7qKdoHOim6DfRT/HEMKwxniYyEKsZdJiGmMOYt5iKWKVZR2AvU/L3sThwongrOdy5yZwd/JE8wrxTvJlkDRJn/gvCFAEuQWnhErJHsKCwm9FWkRTxSzEWcXnJeolk6SMpJmkF2TaZLPk/OR1FLgUNhWnlW7D+axStUStVL1Ko17zJryfvdLZ0uPUVzNwNzxgVGs8YvLNjMdc28LTcp9VufUtmzk7ans5Bw/HE063nD+7irp57yp1H/PAeep6JVKueL/1FfEL8K8NeBekELw/pC+MPTwkoiuKPTo+ZiJOI/5cIl3SvuT3eyn7JlNsUwfSLA4OHLZJHz1qd2wk0+p4X5ZJdm+uad5gvmPB86KQ4o2S42Wk8o4zrhU/q+rOeVSz1jyqLahzu0yqX2683pRx1aNVoY1wfbGj82Z+p1+3wm1wZ+Be2f2wPp1+1oGVof6RurGs8fiJgCcBU8nTNS/ezum+rFrELcW9XXjvtjL62Xp1eN1p48WPsH/4/3+O/+fb8c+/Hf/h2/F/F45/NEIYYY6IRBQhOhFvkCxIQ2QCsg45h+JGuaFKUM/QJHQAuhH9HWOGKcV8wBpiy7HrVI5ULdSs1Hup53GWuHYaEZpiPBW8ApYJnoRHtBa09+j06Lrp9ejvMVgwjDNSGD8Q9zPRMlUwyzHfY3Fn+cKazSbB1s8ezkHk6OD042Lk6uKO5OHjGeY9wCfH94pUym8vQCvwUDBTyJLMQH4iXCUSJqoqhhYbES+XCJJUlsJKPZGulzks6yGnJs8uv6HwXLFXqUW5TuWCar1ah3q/xqzmhjaLjqKui95+/RqDMSOksbyJj2mOWbv5nCW1lay1m80R22t2Sw48js5Oec7DrvRu9rsK3Sc9ODx3eZVRnvsI+Ab7XQ2AAm2CqoLXQq3D6iJwkWFR4zF6sU3xwgkVSVzJpXu59lWliKW2pOkffHQ4MP370ZwMUmbjCc2sBzlOua9OJhbgC88Va52aKt1TznP6TkVEFe/Zx+cLatxqhS6uXrpff6Yxqcn5qnIrZxvi+nLHxM3uzpru9Nued2V7ofvDfRX90YPGw7wj38Yej7dOlDw5MBU+7f3CczZgPmnh5GLz0uQyeC++4vbp+Jeer5vflDfjf1z/5f8Yf3m57fQB4fUAQD/f2vpMBgCbB8CP3K2tzaqtrR9n4WLjGQBdob/v8bdzDT0AeWQWDLj80D7hP+7Qf9/x/0sd8+8t2M5Ev+hXJtpu4awE/gtIy3Ss+LPLjAABAABJREFUeJzsnXd4FdXWh9+ZOSW9kp7QSeg19CJFehMQRARFxX5R7BUsV0SUYkEQFFEQUUTpvVfpNdTQWwIhvZ4yM98fkzk5CQkW8BO88/r4cDJlz957Zs5eZ+21f0tQVVUFkFUZSZBYf3Y9uy/v5uUWL6OqKoIg4I6iKIiiyK5du5gzZw4TJkzAZrMjSSYAJElAUVRUVfssCAKqCrKsoKogCEXbtfJUFEW7jiiCLKuF5YiUuPRtw/XtKaqrooCqqixceIwlS44hSQKDBtWnXbuKOBxyYTuL2q6ff/N1UpFltdQ6qapKXp6Td9/dQEpKLmFhPrzySkuCgjxxOBQEgRJ1EpCk27TzDf42HA4HZrOZ119/ncTERAYPHkxcXByxsbFIkvRPV8/AwMDgptFtnZ+P/ExGQQaPNXwMRVUQhdLH4dGbR9OhUgeaRTe74XGlYboVFbZaTUDRRd0HZ33AN5mKV0o33kSxyOAAMJlu74G97PZo2xVFwWQSuXo1l8WLT3DtWgrR0YG0a1cRs7n4IOXe7purk9aX7n2nmc2awSSKAt7eZn777QJbt55HkiQefbQhQUGemM3F23Gr6mRgYGBgYPC/zE0ZWPogfuLENRISUvH0NFGnThjHj18jPb2Axo2jqFDBH1WFNWtOc/ZsBkFBHrRvX5nAQA8AEhKucujQVWrVCiE2NpgFC47hdKr06ROHt7fFZbjcDuh1sdtlli1L5MKFLCpWDKBbt2ouo9JkEjl06CqVKweyePEDtGr1NWaziKqqrF17hvT0AqpXD8Zsljh48CoREd60bFn+Lxs2Wp0EsrPtLF+eyNWrucTFlaNjx8qAZjDl5zvZsuUcEyd24fvvE5g2bRcWi0hBgZMNG86Sk+Ogdu0QbDaZ48evUaGCP02bRt+yfjMwMDAwMPhf46YMLFlWAJg16wDvv78CszmA//63Pe+9t4G8vDS++GIgDz/cgPvum8vixYcLL+ekZs1wZszoS5MmUXz44RZmz/6NWrUq4uVlYdeuc0A2X389lEcfbVDqNOU/gTaTKnDxYhb33z+X/fuvYLGYyc7Op2vXanz7bR8CAz155ZU1fP75VgoKZAIDvZFlOx4eJpKTcxg8+FeuXLlEt26NiYnxY+rUVdSoEcf27cPw87O62qpf6/earU/nHT6cwqBBczl9OhOTyUR+fj733VeX777rQ2JiGoMHz2PnzvNIkhVPTwmTScJsljh5Mo0+fX6ioCCVwYPbYLM5+PnnzbRq1YCNG4ca3iwDAwMDA4O/yE0F/+jTZM8915z33++NJIls3HgGq9XMhAn9eeKJeCZN2snixTsZMKA+Bw48zQcfdOXIkYuMHLkeWVZ5//32NGkSx+HDl4iLK8fKlQ8zceL9tG1bAbh9vFeyrMVLvf/+JrZsOcrzz7dg3bqHGDiwLosWbeOnnw6zfftFPv54LVWqhDB7dn9atIgBHNjtMuHhvvz6633Ur1+VM2dS2b37Iu3aNeTnnwfg62sBcMWrCcLvG1caWp1ee201Bw9e4L//bc+aNYNp374aM2euZ/78Y3z88VZ27jzGSy/dxdSpPTCZBGRZIT/fSa1aoSxadD+xsTEcPZrEoUNXueeelnz77T1uhp6BgYGBgYHBn+WWxGAFB3vy5pttSEi4yo8/rqV//w48/3wzAHbvvozJ5MuLL7akbt0w6tYN47PPdrF792Vyc+1UrBhAQIAH4eFBzJrVB4BOnaq4yr49vFda0LiiqBw9moLJ5MPq1adZtiwRs1miQQNtOnPXrstIUi4vvdSCQYPqEBsbzNKlCYBmKLZoEcMXX/SmZcsvAYXDh1+gZs1yrmB3/TibTQbAai07sFhVVURRJD/fwcmT6Vit3syde5jvvz+IJIk0blyTS5ey2Ls3iXLlIhg16i58fS2sXn2auXMTMJu1IPiOHSszZkxX+vX7BrPZl82bH6FcOU9X7JaBgYGBgYHBn+fml6+hTVV9990B1q8/S69erVi27ARjx24FoHr1YJzObObMOUh+vpPZsw9x5UoqVaoE4uVlJifHQU6OHYvFxOXL2aSm5uN0KreV90QPXhdFgQoVAnA6c7n//tqsXv0gEyZ0ok2batStG0ZYmDeybGLVqlOkpuazYMExJEnBbtcMprNnM3jzzTXEx8fQoEEMjzyygJMn0xBFwbUCcMmSE3TuPJ233loHUGY/CIJ2jqenmYgIH2y2PJ55pgkrVw5hzJgOtGpViTZtKhIQ4EFqajpr1pzm3LlM9uy5jNVqoqDACWgxcB9+uJFWrWKpVCmABx74lUuXshGEsq9tYGBgYGBgcGNuyoPldGoxWBMm/MYrr8wFAujatS2LFiXw2ms/kpKSywsvNGfZshN88sk6pk7dQ35+DkFBPrz/fntEUeCuu2awd+9xwEJU1IfExIRw+PDT+PreXgHu+vTdq6+2Ytu2czz33GLee28DOTkObDYbzZvH0LdvDVq2rMOcOduZN+8wsqwZn+++u5EmTaJ49tkVJCYeZPDgrhQUOJk3by01ayZx+vRzREX5IQgwe/YhNm5M4OGHmwKa7ENZK+T1vnnvvXb065fE4ME/ExTkQ1aWDXAyYEAtXn65BVu3nqZv35kIggegoqoZvPLKGj79tAuNG39FQcElhg/vxcGDV1i1ahPx8UkkJj6Hj4/5troHBgYGBgYGdwo3ZWDpU0gdO1ZmypTBeHt70Lx5DN9+O5CCAht16kQQGenLihUPMn/+URIT0wgN9aZr16rUrBmCLCu8+WZrrlyphySZsNkcBAd74+WlVet2GthFUTOwatUKYePGR/nllyNcuJBF+fL+NG8eTXx8JACLFg1kzpwELl/OoFWrily7lo/dLtOgQQSjR7cnI6MxdetGY7M56dixPBaLlcBATwQBsrJsbN9+kfr1azNoUO3CacCyO0Hf16pVebZufZwFC45x9WoulSsH0qpVeWrXDgVg7dphrFlzAg8PK/HxkRw/nkJsbAhhYd5MmdIdu91O48bluXYtlwceqI6PjzeenrffPTAwMDAwMLhTMOmTQCX/Lfm55DaVogG+fv1I6tePch1TtWpQ0fGqFqM1bFjDYuUoiookifTtW+Nm6v//ij5tFhXly7PPNi31mKAgT555pnGp+/r3r1ns7zZttEB+fSru8OEUzp69yty5gzCbJWRZLdN75Y6iqFStGsRLL7Uotl1VtbJbtIimRYsi2YX27Su5Pg8dWr9EaVUwMFBL+d/AwMDgTqcsW6e077iS/oU/+114S4LcbTYHoii5hEM1JXctCFuSBJfKuGagUExctCjeSvu7NBHP2wlBENzU54t0qHQdLPe2an9r/0qSHmel9QtocV3audrfcXHBLFnyEJ07V3Up4f8RRFFAVpSi66q4+l6L1VJc9dDiybRzJElw9b8oCiiqCoXtcb8HqqqioklCCIX3SUV1GYZ/Rtn2n0ZFdb0ht3IBhV5uyX4yMDAwMPjf5JYYWKIoFFMpLzmtVVJlvFgFbmNjqixKts/dELpxW0ueV9w9FRTkSffusTe8tiwrxdLtgGYASaKIe8Yd3fiRVRlB1KwuAQFFVZBMIqJQJIzqqk8p19O1uXSDQU8VICD8IQNFN7ZvRTqgm8WlqVai2ioqiqpcZxSpqIiImpGqyK72qqhIQlFvuZdbsp/0/YpSNN1qrM40MDAw+PdzSwwsVS3yZrjjPgBrx2iDTMnthUcXW7l2O8gz3IgbDZL61JzWhOKaVu794K55pZ+jTQsK1/WTTmmGiiBohtP5zPNk2bKoGFgRP4ufdrxQIj2PPugXGly65yXfmc+lrEvE+MfgYfJw7RcEgeScZDLyMygfWB4vkxcASdlJ7Ly0k2CvYFrGtCzTc6P1UwnDxe1ZKaa35Wag6F4z/Rh3zxlq0bH6cX/EiyYIWnvPZpxFRaVyQOXCywrX9VNJJLH4fr1/9HKdipPT6adxyA4qBVbCy+xV7Lp/Vyq/st4rbZ/7c1hUF627Vbe/jQlAAwMDg1vNLTGwLBYT189Wuufn06ag3JMP64ZHyUHhdjes9DbNmLGfQ4cu4e3txZtvtsbDQ+vKIgOpqB16+0v2Q/GBj1I9U0WGp3bMt98eoHLlANq0qYCsKEiiyIWsCwydP5R1x9eBCpVCKvF9/+9pEdOCaXumcfLaSVRRxSbbqBhQkR6xPYgNinVdQxRE3lj7Bp+u/ZS3u7/NO23fQVZkJFHivU3v8d6691AKFOIi4pjedzotY1oy6+AsXl3wKjUr1eTw04eLGUCa4aPVd9euSxw4cIVHH22otYM/ds9LGmsug48iD5S7N+1G6Mf9dvE3hi8ezp6kPXSO7cyKwStAhQxbBlN2TyE9Px2n4sQm25BECR+zD0/EP0G0XzRjNo8hoyADM2YaRjWkf63+rj5KyUuh/0/92Zi4EVSIDYvl237f0jymOQA7d17i++8P4Olpol+/WjRpEnVLVme6G+NQpOxf/J0rrW/B/X3Vj7nd3z0DAwODO4mbMrD07+OkpBy8va3k5jrw8NBisfLznURE+LhirjIzbeTk2LBYTISEaL/uFUUlM9OG3S7j72/FbBZJTc1HFAWCgjxvu6mUIs+TyujRm7l0KZ3XXrurWLyVJAk4HApXr+YiCBAZ6etqhygKpKbmk5FRgLe3GadTJTDQA29vMzk5dmw2GT8/K6mpeagqRET4FJarFnoj4IUXVnLvvTVp1ao8TqeCZBHZcHYD606sY2KvieQ783ljyRuM3TqWBfctYO6RuazduxYxUMTb7E12djbjg8ez6eFNVAmqgiiI7Li4g8m7JmOymkjPTwfAJJpYf2Y97yx7h7vi7uK+Ovfx7NJnGbZwGLsf381jjR5j5oGZ2GU7GQUZZNmyCPcJxyJpqvSyrOmG/frrUT7/fCeDB9fFYpEQEMhx5pDjyMHT5Im/1Z+0/DScihN/D3+skhWA1PxUcuw5CAiU9y/vMqKcipPU/FQ8TZ74Wf1IzU+lwFlAlG8Uf4Qm0U04l32OfGe+tkGAHEcOk3ZO4vLly3gHeRPhG0GWLYurV6/SIKIB0X7RfLv/W04ln4IC8Av1o3lMcyJ9tZWj47aOY+PRjcwYNINqwdVo9VUrnl3xLLse2wWA2SySkpLHjz/uwGIx06RJFIqi3PS0qSRp71VWlg0Pj6L3Sn/nZFklOTnHley7oMBJaKg3DodCRkYBJpOAn5+VzEwbigI+PhKmW/KTy8DAwMDgL3/DK7KKl5eZ48fzqVPnM5o3n0509ATi47+idu3JVK48nm+/3Y8gwIQJ26lTZxLR0R9TqdInDBu2mOxsOzt3XqJ69YnUrDmJJ55Ywhdf7KJWrc+Ijf2UH344pF1Huf2mLwRBwGqVaNu2Km+/fRcWi8kV9L5p0znatp1OdPQ4oqLG06PH95w8mQbAnDkJNGw4mVq1viAubhIxMaOZPfsgqgrduv1A/fqTufvumUREjCMmZgJPPrmU7Gyby7MligKBgR74+VkQRQGrRRsNO1fpzG9P/caIZiN4pMEjWH2s5NpzEQSBT7p8gsnLxLSe08h6PYsutbpw+eJlTmecBsAhO3huxXPcVfEuakbXJM+Zh6Jq+mY/Hf4JAYGxncbyVPxTPNHkCY5dOEbC1QQCPQIp512Oq1lXqT25NhXGVmDI/CHkOfIALbZLFAV8fTUZCg8PE6IocM2RROtvWlPz05r0+KEHMw/OpNG0RsR9EseIFSMAeHrp08R9FkfFiRWpMKECDy54kMyCTADGbB5DlfFV6DO3D//d9F8qf1KZ6A+imfDbBABkRb7ufunTh82jmzO552RCfUKRVe04WZWJ9o3mo44fYbKY2P/kfr7q+RUTO08kqFwQZtGMJEgsH7yc6JBoGlVvRJYti8UnFrvKFUURQRII8wkjxCsEX4svniZPAJyyQoMGEUyY0AWTyc/l6bwZ9Cm9zz/fRd26kyhf/mOqVPmEl15aTX6+E1VVOXToKt26zSQ6+iMiIz+mQYMp3HXXt1y7lsf772+iYsVxNGv2NTNmHKBVq2+oVGkcs2Yd0PqkMMeogYGBgcFf5y8bWIIIdrtCRIQJPz9PLlzI4uGHG3D6dBItWkQTFRXA998f5Ndfj/Lii/Pw8DDz2Wc9ad26AtOnr2fkyHXUqhVKo0bRpKWlEB8fSePGUVy7lkeFCoE0axZ9W4tcKoqK3e4sXFGoBZ5fuJDJPff8yKVLuSxe/ACTJ/dg6dIjPPTQAgA+/HAL58+n8913ffjmm1506lSDmBh/BAHatq3IxYup7NuXzAcf3E2bNhWYOnUts2cfYvnyk4SHjyUqajznz2fw5Ze7iYgYR1zcJM6dyyTUO5Rm0Vpqonc2vIMtzUb/mv0ByLZlo1pV3lz7JlU/q8rqE6upVKESdcPqAvDdwe+4kH2BH+/9EUVVsEgWl+FwNuMsordIqLdmkNQJrYMgCJzNPKt51RSVzOxM7q11L/3r92furrkcSztCTho0aDSFiIiPGDt2K5cvZxMRMY7IyLH8MvM8Axv2If1aOpG+kXSs3BGbbEMVVXrF9gIgxj+GIfWGsH7oegbWHcisLbM4cu0IAB0qdyA2JJZ1R9YxdfdUHmv0GJ1qdKKcVzntxtzgeVFRcSpOlwGpx3gB2GQbTsFJ9x+60+7rduy8tJMDTx6gbcW2ACw4uoCruVeZc+8cwn3CmXt4rqucV1u9Sr3y9eg2vRtxn8RhNpn5rOtnRVdVITOzAKdTKfUHg6riWpn6R547QdA8g88+O4+mTWPYtOkxBg6sw/jxy5g0aSeiKNC//1xWrTrCc8+15Msve5GX5+TYsSukp+fTu3cctWuHc+LEFfbsuczRoyn06lWDli1jtC68g1aFGhgYGNyu3NQ3qTalZSY2NpTKlQN47rmmiKLIgw/Wp2XLCly7lsfChceRJCtffNGD4cObMG9ef8qVi+SHHxLw9jbz5Ze9AG2aIjU1H1CZMKErVasGuQyX2xl9KkYQYOPGc6SnZ+LjY2XKlN3Mm3cEPz9fDh26gqKoPPhgPURRYODAeYwcuZ6YmAAqVw4EoHv3qggCvPpqS15/vRVfftkTSfJk2bKTREf7MnBgHQYOrIOnp5mqVYMYNKgOffvWwMvb7KrLi6te5Mu1X/Kfjv/hifgntPoJIqgQ4xdD+0rtaRDZgNScVFafWo2syLy6+lW8JC8+2f4JSTlJLD26lInbJwJglsyocqEUAyIOpwNVVbFIFlRUHIqDgMAAPun8CUMbDEVQBU6mnkSyKPTsUZ1Bg+pRo0YIHh4m+vWryYABtWlQuwKvNhlFhZgKXMq6hF22k5qTygstX6Brta4oqoKX2Yvfzv/GsEXD+O3ib4gWkYyCDABaxLSgafmmmM1mlgxawrhO41j54EoerPcgcH1QvzuqqhaP63JbnKH/W96/PH5efniYPLBIFqwmK4qqsODEAuwFdt5c9ybX8q+x+exmTqSeQFEV1p1ex8lrJ+lSqwsD6w8kx5bD0sSlrusIwo0XRej7/8yU+C+/HEUUTVy9ms+YMZs5fDgFs9mT/fuTOXUqnePHL9KxYx0++aQLTzzRiC1bHuWLL3oSHe1Pw4YRbNz4KK1bV+HLL9cyeHA9Zs++lxo1QrR7bdhXBgYGBjfNLYm4EAQwm6VCuQIBi0VClhU8PCyF+fnsnD2bAcCZMxnY7TaCg30pKHBSvrw/99xTl7FjN1KhQiBNm1akXbsKLiHSOwHdBvTz01LRhIZ6MXx4U0Dl3LmMwsBjgdq1Qxg7tjsOh5O1a08zffpm0tML+OWX+wqndgQSEq6SkVHAnj2XkWUZHx8zdeqE8ckn3QD45ZcjdOhQmfHjO7mur6gKL656kc82fsaoHqN4uOHDLD+5nK5Vu+Jv9QcHPB7/OI81fIy1Z9Zy99S7+Xrv19xX6z6aRDUhKz+Ljec24pAdOBQHTkXLU1g3rC5L9ixhX9I+KgVUYtWZVWCCGuVqIAoiJtFEiLc2KHubvZFMElbJC08fkffebQfAmDGbOXcug0mTurnqq6oqw5sO55XVr9D3x774ePjwSP1HUFSF5SeXM+KXEXSq04lFDyzSgukXvoqvxdd1vk224entScXAisXK/D1jXBREELT4MpNoQhREl7fOy+yFSTUxqdskrCYrJ1JP0PirxszuO5tKAZXYdW4X7au150r2Fe6udDerj67m12O/8karN5i2Zxo5thx+HfgrniZPKl6oyEfbPuLN1m/ecHWj7qHNzLTx2WfbMZlEhg9vio/P76eJCgiwoigy8fERdO8eS06OjWPH4mjWLLrwPZS4ciWH/Hwnnp4mAgM9admyvEtS5PDhq6Sk5FG5ciT79yexf/8V6tcPu2H/GRgYGBj8cf6yBaOq4OVl4ty5AtauPc7u3ReYNesAigIffbSNK1dy2bXrHF5eZsLCAnnyyYXcc8+PtG8/k6ysLJ5+Oh4vLy3X3fDhTcjJyefw4bOMHHmXq/zbHX0ZvCiKqKrKXXdVID6+Mhs3nmbGjL38+GMCo0dv5JNPdiAI8PTTy3jvvVVYrRLt2lUEzC4j0ulUEAQrP/64j4YNpzJo0Dy8vLx4+unGKIqKzSbjdCpYLCZUVcXpVMgrsKGqMGr9KD5Z+gmKSWH9+fU0mNyAh+Y/RI49h4+3fYycJ/PexvfoMLMD9/18HyjQrlI7zJKZ5Q8s56POH1HetzzZtmwkSaJuqDZ9+FC9h/Dx9+GhXx+i86zOLN6zmJ51ehIbHMv8Y/PZcmYLiZcT+XzH50zePRlnrpOxWz8kNS8Vh0OrryyrWCwSBQUOnE4Fh1PTk3qg7gOE+oSy9/BehjUcRrRfNKIg4lAcIMGF7Au8t/E9vt33LbJDZtT6UTgVJ6+vfZ2f9v9EVlYWbWe0pdecXpzNOOuSqigNffunOz6l7fS2JFxJYMu5Ldw9/W7WnllLpi2TcdvG4bQ76f9zf55f8TxvrHmD81fO89vF37jvl/twpDsI8Axg48MbifaNRs6XeWflO6w7s46OlTtCPvT5sQ8Pzn+Qc8nnXNOdJT1kxZ8fbdvatacZNWoBK1acwmqVrpNWKI2HHmqAj483P/xwkDlzDvHNN/sZNWoNv/56jIoVA+jRozYHD56kSZOv6Nt3LlWqjKd162/Iz3fy88+HiY+fxPHjqQwb1pyEhAs0b/4F06ZpQfmyrN4ZL6CBgYHBbcxNe7AkSaJNm0qIooWICF/uvbce/v7WwqkvBx06VKZHj+q8/fZajh5NITY2iDFjOvDIIw1cXod27Sry3HNtSEvLo1OnKoWroG5B6/5GRFHz1GkB6Fqcjb+/laVLB/HuuxtYv/4MkiTRrl1lnnpKS53TuXMVDh26yHff7UdVFQYNasTo0XcD4OdnRRAcPPNMS+x2JzabzBNPxNO8eTSqqmK1alNfy5YNwsfHgskkIggmBAHCvMPo3qg7ikkhy5ZFg7AGNK3YFItoIcAjgC51u2AX7eTZ82gQ0YCOLTsyotkIl7jmxayLHLt6jM5VO5Ofn09ieiKd6UxscCy/PvAr7214j9Opp3m8zeOM7jAaURBxKk7urnK3S2AzwjeCLvW6EBQQhCRKLuHZJ5+M5957a+LhUTSVqagK4T7hvN/ufWYdmMVzzZ5z6Vv1jO3Jhz0/ZG7CXDac3UCfGn2oHVZbE0gVJRyKg+bRzfHw8CAjT/MOmsSix9g9rqokDtmBzWGjS7UuKKpCVm4WiqpgEkxUDqxMaL1Qcp25XMq6hIfkQd8GfalRrgZ7k/bSpUEXPM2e2GQbsirTpX4XnE4nBc4CXmzxIqn5qcw/Mp8T107wUNOHGN95fLH6eHmZr5NN0GU4Vq06hcnkxUcfdcRsllwLJsp67lRVpUmTSFaufJjRozexbt1pypXz4YUXWjF8eFNUFX766V7Gjg1j6dITnDiRSp8+tXjssXj8/a0UFDjp2LESFSqEUb9+GPfe25D09ExKTyJhYGBgYPBXEJTCn9GyKmMSJNadXc+ey7t5ucXLKKVMuyiF2ks7d+1izg9zmDhxwj9S8X8Cd4HQatU+x2oVmTt3ANWrB7vS3/zRkDFdpwggI6OAjz/eygcfrOXJJ1vw9NNNqFMntPCavz/19XfhLqbprkx+q8v+N1FcwV3blptrZ+nSEwwcOIeRIzvy3nttNYkNScRudxIRMZ4GDSJZvXowUCQ+eyP+zgUgr7/+OicSExk8eDBxcXHExsZel3XAwMDA4E5Et3XmHvmZzIIMHmv4GHIZ45sAjN48mg6VOtAsulmZx5XFTetgqSoUFNgwm80uMU1dyFDPcQeaQWEyiYVLwIXr8uzp593uQe2gGT2tWsWwdetpRoxYyfz5A1xxM6qqLXPXcjAWGVJ6P+jikKIoYLfLmM0Shw5d5fPPtxIcHMj06bs4dy6LX37pj9Vqum4QdRcf1VFUBUVVXF4gXaRTEiVkRb7OqyMgaNICbsaTLlsgILhik/TUOqDFL8mK7DpPURVXrJZJNBVTXi/mUSpUDb9OXNSt7JKiorIiIwqiK9+he7myKhebblNUBbNk5vDVw4xcP/K6eyUJEgUFBQxuOJgBtQbgVJxFwpqFCu66EntpiIJYbOpR71P3/XrfSKJUrJ/0OML168/y/vsbiYsLo0qVwKI2C1peyMcfb0Tv3nEl3p8bo4uJFn+vCiUjBH1louJSbteeSS0/pfuKRf2aALLsxGq1/P7FDQwMDAx+l5ueIhQETfNIz2lXfCVU0WdtaqP0VC/Xn3d74p5LbtKkbmRmagKPPj6WYvtNJtE1zVlcmR2X4QXawgBBgKZNo9i+/WkURUFRIDTUC09PM38U3RiRkBBEwTXAu+8r3o7iBo0oaPn29GTFJS1098TO7ufooqJaoWXXryxvi163kp4sSZRceQBLlisJUrFt+jSnKIh4W7wLqyK42iwJEpIiYZEs2nRuoUFUso1l/SoRBAGToBmQCgqoxQ1I9/arqlqsbvqz3qVLFRo31oRQy5XzLNynHejpaeLDD+8uqsefeA90w72090oQim9z90CVXLGof1bV2/8dNDAwMLhT+H/Vbb4DnFN/GB8fi8uwKo3S2lpaihwAi0WiZs1yf+i6ZXn4dHkCFbVY3rzS8gPqx7nn/SuZrFg/xt3wKJbgGJWknCSskpVgz+Ab1PfGXsmypgn/6PShXr+aITX5vs/3v3u8bhzJqlysPb/n9hUEAakwHXZp06XuZZXMW2g2S4SHe5dZttOp/GmZhuJ1K3ufqqqkpuaTn+8kIMADX1/DQ2VgYGDw/8FNG1g3EknUB9fS9um/vIsn/i2KW7ldpwt1b8yhQ1c5fz4ds9lM+/YVXR48Pa2NO0UJncve53AobtuKvAolB90TJ1Lx9dUWFOiGkV22M/638Xy771scTgctK7Tko04fEeETwZGUI1zMuqhN46ES4RNBXLk4l0GgGwvfHviWSRsm8Z+7/sPQ+kNxKk5Mook1Z9bwzrp3SMpKokOVDnxw9weU8yrHFzu/4IM1H1C/Qn0WDlzoMirc448EAVJScrl2LZ8aNYoMSPcpN3dvk35+aasBi8pVr/PIuZdVGnoi6guZF/h8++esO7uOZjHN+KLbF1qCbVXm0NVDpOSmYBJNrulWURBpEN6AIM8gjqQc4YudX7D9/HZ61OjBu23fdRlpKirvbHiH2QdmY3fa6VSlEx92+tAlfnrxYjZ7917Cw8NE/foRhIYWN7b0Z+fPUtZ7BdrzJEkC06fv44UXFuPn58XgwfUZO7ajy6CD4u+ckfTZwMDA4NZxUwaWPojeKG7DPQ6rJKUZUbehTeXCPRfh0KELOHjwIj161KJVqxjXtOCNApRvtM9sLnuQVRRVWzqPSpcus+nVK46PP74bhyzjabVoeky/vkG7eu1QVIXvt3yPj4cPk7tOZsj8Iew9tVe703bAA3rU6sF3vb8j0CMQURBJzknmlVWvkHIphd3VdjO0/lBMoonE1ET6zO6DKIq0KN+Cr7Z+xZW8K/wy4BeaRTfDLto5du0YZun66UyHQ0YQYMqU3UybtpfExP9oU8mS5Jq+dPVLCcPoRt6ksjxyN0JRFUREDlw5wIoTK0hIScBqsrrKy8jPoNOsTlxLv6adoDugVPim3zc83OBhtpzfwrrEdRy7doxKwZUK74uCJElM3T2V91a8R98GfYn0jWTSxklkO7P56d6fADh8+AojR67j4MGLjB7dlTfeaO2KxfurlPVe6c+o/jy1b1+R4cNbMW7cVs6ezQSuN+j0Z9Ji+ePT0gYGBgYGN+YvG1iKouLpaeLSJSePPTabqKggDh26QtWqwRQUOLh2LYexYzvTtGkUu3Yl8ckn29i3L5moKF8efrgRgwbV4vDhFN58czU2m6YhFRsbzDff7EFVBZ5/vjl331252Gq72wU9mXXLllX45ZcBrqXzgiCQnp7PuHFb+fnnY1gsEo88Up9nnmmC1Spx5EgK7767nh07LlOunBeiqDBqVHt69Ijl2WeXk5ycTc2aoSxefAIPDxPDhzfjvvtqFps+UlUVi0XEbC6SQqhRrgYf9fuIl1u+zNXcq1S6XImEKwkIgsDoDqPpdrYb73Z+l6fin6LXnF4s+W0Je5rs0fSbgDfWvoG3xZugKkHIiuzyan134DtyMnOY9+g8+lXvR+8fe7Po4CISOyQSHxlPncg6HL96nAE/D+BA8gGeaPwEzzV5DkkUsVi0unl4aLpOekxZHpk8t+hlLmSdp0pgFfrW7MvU3VPJKcihY7WOPN/seWYdmMX3B7/naOpRfMw+jGgxgkfqPYJJNPH9we/5Zs83NCnfhJ7VevLfTf8lLTeNd9q/Q7dq3W44fde9WnfaV2pPk6+aYJK0R19RFYI8g3iv3Xs888sz/DzkZ8J8wjiReoJhi4Zhk20APNrwUXpV70W9KfVcBqX+42DnpZ2gwrjO46gUUImZ+2eyN2kvALKi0LlzVaKj/alTZ3KhoQyaFMJfe671Z23v3iuMHbuR7dsvU7lyIC++2IIePaqhKCq5uQ6mTNnJ/v1XaNgwgqAgL9czNHXqHn799TDh4b7cf38dfvwxgaSkLIYPb0KPHtVvy/yfBgYGBncaptKUb26khlNyn6I42LDhNPn5Z6lRI4TZs3cSGxvJmTOpjB27hVGj7qJDh2nk5Ch07FiNPXsus2bNd+Tn30/79pXYufMCSUkpxMUFU7FiAEuXJuDl5cPzzzf/O9p7y1BVFZNJKEyVo63Wys210a3bDyQkJPH44024ejWXF19cxJkzGXz+eVeeemopmzYlMnp0FzIzbUyZspXk5BxUFS5cyGLBgr2AldatK3PoUDL33z8LP79HiInxZ8qUnZhMEqmpeaxYcZL8fAceHmZee60V9cLqUS+sHgCLTywmLy2PFo1bAJpGlmAW2H5xO6qqcjnzMuHh4VQK1LwwWy5sYe6RuSy5fwkjVo5AEAWXgXLgygEkb4mG4Q0B6Fi5I4v2LeJ46nHiysWhKApJqUkk+iZid9p5bflr9IzrQXlLLO+NWUNWpo2dO5PIyCjgiScXYzGLdOgZSXLBeVbuXsld9e+iv9CfFadWkJ2ZTauKrVBRWZK4BKfsZETTEcw9PJcnfn6CZpHNqBtWF5vTxt5Le9l8djNf7vqSiv4VOXrlKDsu7SjTwNIRBRFvs7dr1SUUxqwJEtF+0aiorDmzhh0XdtCmYhu+6/MdTSKbuI7xNnkjq3LRFGbhS/BSi5fYcmoLd8+4G28PbyRV4oMOH7ieE6BQQLTs58l9Vd+N0H9w7NuXRPv206lYMZChQ+uzevVJevf+jkWLHqJ792r07v0j69cfIjIynDlzEoB8LJaqgLaSdcOGM9jtBcTEBPDdd7uJiQlwNci9nio3/j4wMDAwuJMoy9Yp7ftN4PrvwD/zPfjXkz0LkJ/vJCbGk1atqlCrVijTp/dCkkTee68dffvW4fz5TL7+ei/Z2blMmdKLlSsHs3btQ3h7+/Phh1uoVCmAOXMGAiLx8VHUqhUKmJk4sRt3310ZWVZuO++VO7osg6JoA+O6dWfZvv0UcXFhBAZ6FAY2W5k06TdUVaVSpQDAzrJlidjtMq+/3oFu3WIRBHjppRaIopmnnmrKhg0PMXfuAARBZc6cBC5ezGTJkqMsWnScvDwnZ89msGjRcZYuTSQ72+Ya8H859gvDfh5GfJV4Xmv1GgD5znxEk8jGsxuZvGsySdlJiBaRtLw0VFXlhRUvUDesLt5mb9Lz0zl29RjbL24HwC7bXdNlsiJjFs0IguDy6jgVJxYvCxuGbmBMxzE48hwcTknAVqCwctVpFi06zvHjqRQUOFm+9CQLFx4m/4onvw6Yh3ewNyHeIbSt2BazYGZI0yG80foNBASGNRxGxYCK7Lq8C6fqBAWScpIAzZPUv15/ZLvMhM4T2P7Yds6+fJa3Wr8FlLHCrxBZlbHLdm1VJKomYVFoTeQ780GEOYfmsO/0PvIceQypO4S4cnGgaufq7XadK2jnCoKADRvX8q+RnJNMvpqPt7l4nFWR56p0/myQ+1df7SUzM4e4uHC8vc2ULx+IomTx1Vd7OHw4hfXrD9OtWwMSEp5m6dJB6K+6qqo8/XQ827Y9TmxsFNOmbaV9+1h2736KHj3iAG5q6tLAwMDAQOOmY7BAkyOwWiUCAz2RZQgK8sRi0WKSnE4VQTAVGhdQpUogXl5acufsbDt33VWBOnUq8+6766lRI5TISH+GDKlb+Ev9NpdzpygmCyA72w5oA1Rmpg1ZVnnppRYEB3sBMHx4U3x9rezceYkpU3Zhs+WQlVXAmDF343DIKIpCQIAnoihQrpwXgiCRlpZP167VOH/+ZQAqV/6M3r3jmDixc7F6/HzkZx7+6WG6xHVhap+pWsoZINAjEGeBk3G9x/Fck+dYcHwBfWb04f1N7zNvwDzOZZ4jtyCXbj90I8uWxYWUC0wNnEqz6GZUDKiIkqNo044BlTh49SAqKpUCKrmkHaL9o/G3+hPpG4kgCaBK+AWL7N75OAD//e8mpk7dzfkLzxer70ONHmLGvhkMXTCUrIIsnm3yLCoq+5L20Xd2X8L9wnm22bP4WHzYe2ovXmavYud7+XsxpN4QzKKZCFPEH7pXkiAhSRKSIGESTcVW+/mafRFkgQUDF5CYlkg5z3KaZlahBIQkSAR4BiAIAhbRgiRKrlWFozeN5vy185x6+RQVAyoSNS6Kp5Y+xbkR5xCEsgVo9Xgpp1Nl27bzhQrtUXh6mn9XSDQry1YovaBy9Woe5cv78cILXejYMZbTp9MBqFYtmMBATxo0iEAQpEJZEK3QWrVCCQnx4sSJC3h4mPD19eAmc78bGBgYGLjx179RVbBYRDIynJw+fY2kpGx+++0CoiixZs0ZsrLspKbmEhnpg6o6eemlFXz//UEefHA+KSnJ9OwZi7e3NpC89FJzTp68zOLFB3j11TZ4epr+VqXqW4m7tlXLljEEBPiRlJRJkyZRdOhQmQsXMlm9+jSCIPDaa2tITEzhk0+6MGPGPYCZrVsvAJqHQxCsfPTRFh59dBGDBs1DUewMGFCr0FBVUFWVzMwCcnMdKIqK3eHU0qIc/okBcwZgF+00Kt+Il1e+TNfvu2KTbaw7sw4U2Hh2I1/v+5pZB2aBUzO8LJKF3Y/vZtmQZbzS8hV8LD40q9iMF5q9AMB9te9DReWVVa8weddkpu2cRmxULLVDa3Ps2jEupF8gJSeF7Re3s+ncJlRFZd2ZNeQ58nA4ZRRFJT/fQWamDZvNiaqqOGQnKipPNHoCBPhu63f0rtmb+Mh4BAQOXT1ETmYO9SLr0apCK+xOO6qssjxxOYqqsOrUKnZf3I3NYePt9W8zbc800vLTXF6pUu9R4fbtF7czafskruVd43zGeabtnMbJtJM4ZAerT69GRWXekXncW/Ne+tTogyQUBuQLsP7seiZunUiuPZeElARm7J3BhSzt3pklMzhh5amVrDi5gtT8VFcSbKGUabeiZ0fb+NtvF7j77q8YMWJlmceWpFev6siyk4ICO926VaNWrVA2b77Inj1JNGsWjdnsxfTpu/nss5089dQSVNVGQkIyyck5HDuWStu2X7Nr12Vee60Ty5YdpXv379ixQ2uPEYNlYGBgcPP89WTPgNVqIjnZyblz6aSl5bFjx0XCwwNYtuwEXl4mkpPTqVgxgEmTBnD6dDpDhvzE/PlHeeCB5owZ08G1qu6ee6rTtGk1qlaNYMiQuneMcaXXX1PLVqlYMYB58+7D29vCgAGz6NHjOzZvPk/nzlrsS16eg5UrD9O9+2yef34ZMTH+vPVWGwCsVhFQaN48mjVrTpOb62Ds2D488EAdQFtxJggCn37ahQcfrFuY105T/d54ZiNeohceVg9GbxzN3P1z8fPwwyE7mH90Pl5WLxYfX8xjvz7GgmML6FKvC++0ewdFVYjxi+HYtWO8suwVHLKD3Rd28+PhHwFoV6Ed73R7hy3nt/DMr89QKaAS39zzDV5mL5YlLuNK1hUcTgezDsxi9enVeFm9WHJ8KVm2LMwmCVEU6NevJp991sWVt9EsaaKddcPqMrTeUDx8PHitpTadqaoq3at1p2vDrvxy+BcaTmrIyfSTRIRHMPvgbFRUPtr2EQmXE/AyezFmwxjeWPsGV3OvAtqUpazK1/9fOBU4fe90hi8YTq49l+ScZJ6Y/wTbLmxDRWXB8QV4eXkxZdcUfrvwm0u+QV+xOH7beF5Z+gqSIHEk5QiP/PoIh64cAuCN1m/QKrYVTy94mu7fdifKJ4ovu38JgFIozaHdr+LPj25grVp1EoejgBdeaF7ovSpbzV1/1u69twZjx/Zm9eozdOgwlaFD56OqMs2bRxMS4sW33/bFy8vMc8/NZ+/eJGrVqsSePRc4ciSFVatOsWvXaWJjg6laNYjw8EA2bDjBr78e0eqsGMmeDQwMDG4WQXbLRWguzEW4+/JuXmnxMnIZuQhNosiOXbuYO2cO4ydMIDMzD5PJjKenifx8BxaLNog6HDLe3pqEQ06OnStXcggI8CQ42PO6imRn28jPdxIa6n3bGlju9apefRKhoT5s3Dj0Ov0up1Pl8uUsLBaJcuW8MZm0ky5ezMJiMZGWlofN5qRKlSB8fCwoisq8eUcZOPB7xo3rxQMP1CEgwMOV4Pn3kFWZAkcBoKVKQdX+tUpWHIoDm9PmSgmjqiqe5qL+V1UVp+rEKTtR0FTRzZIZs1i0ZD85J5lredeoWq4qHqKH67w8Zx6o4G3xxi7bsct2LJKluMJ7WX2JilNxkpSTRHm/8tftP591HqtoJcwnjHxnPpKgqbHLqozNaUNVNUFVSZSK1fVGKKqCXba70gLpZYqC6Kq/STThYfK4vo8VGYficBldklioDq+nG0LhxLUTOBQHlYMq423ydvWTIAgkJFylTp3JvPtue0aNauNaGKGqKrVrT0FRVPbvfxIPDxOlpRYqi9xcB8nJOZQr54W/v7XwmtpzmJ1t59q1XCIj/RBFTRvLy0sz4PLztZRBVqtEfr4TUQRJUrFYLMVyEcYW5iI0SZIR5G5gYHDHo9s6c4/8TEZBBo83fAxnGYujROD9wlyEzaOblXlcWdwSJXdfXytiYTyLblABrqX6iqIWKp8HAdfnp1NVrQxfX+tta1y5oygqwcFe7N17jnvu+YnZs/u4chFqueEEypf3L3a8KApER/sBWiocHVVV2b79Io8++jOqauKll5axdesF5s7thyyriGJxrTBtKrH4ajNJkFxpYkpiFs2YS9E30lfbCYKAWTCXaaSoqkq4TzjhPuHXneceyF2WYaWqKopyfeC0gIBZNFPer3ypqvLuRpenqcgglATpungsgEvZl1hwbIGrbH1aUBRE7A47LSq0oHFk41KNpxvV33XdQmOuNFRVEyWtXq56qe1eseIkr766ElFU8fAoVNwvnFrOyXEQGOjBY481xNPT5MoZ+EdQFBVvb7Mrv6G+Tc8v6OtrKabcrst6CIKAl1fR/fb21j47naXnYzQwMDAw+PPcEgPL6VRcefXcPTm6saSrtuvaP3oyaJ2S592u6AHtoijw5Zc9OH06DU9Ps2uwchdOLVLFLq5hVbTwE9fUUZUqgXz4YVckSaSgwEFcXEjhOddPK5W1wktWZBQ0QU0FBZNochkaxdXyBVfgtju6dIHundFRUXHKTte5+io9/Vh9u36s1mL3eytwo7UKrjQ9bse7958gCNeV6x5rpSgKkihxMfMin+/4/LryJVGiIK8AURKJj4zHITuK5SR0L1NRFJexp6ccKpkQW+9fSZBcfSgIgibfoBQlrzaJJkRRq2fdumG8++7deHpKNGigBeTrRpSPj4Vt2x4tqu8fNK6g9PfKPQOA+76i/tX7vehvQ8ndwMDA4NZzSwwszbAo+uy+vfjnG+Sku40NK3d0A6BOnVDq1An93eNK31aUpgQgLMyHZ55p8pfrpBsD+qo2iSIDSUAoVhcV9TqtKD0tTGlJnkVBRJSKH1uagaZfqzRudG/LmgorZnSVKNf9b90YbBTZiO3DtpdalqzKeJu9ERDK9lKp1+cQdMe9f9z7FzTDRF+hqOPex5GRvtxzT1yJ9pW4/F/03N7ovfr9faXXxcDAwMDg5rllHixRVFCU4r+QTSbR9QtZlpViHi39F7Ysa7/69V/e+gomPaj7dkNvQ36+k6wsG2azSFBQ8ZgyWVaLtaPIg6X3g1oYf1PUTrtddnnHdM+W+7nF66BeZ4Bsu7iNhccWkmvLpWn5ptxf635XXr2MggzNoyUI+Fp8i52rGwJ7kvYw/+B8etTqQbPoZsiKjCRKXMm9wrf7viU5K5mWlVpyb417AU3Q9Ltd3xEbHsu7bd/V2ipK1xtpbkHerv5R5GKGmh4TpRsxujdN91S5e4vcPW2iKLrKMotmAjwCbnjvCpwFbD6/mU3nNlHevzyPNXysWH/uvLyTeQnzyLJl0TSmKYPrDHaptl/JucKsg7M4mXaSGP8YHq7/MJG+ka5+OnT1ED8d+gm700736t25q8JdrnIdDoX09HxEUSA42LMM4/uGVS+Vku9VyXemKMVSUfkmk1gsd6gkCa5jDA+WgYGBwa3jluhgeXpqwbVSKQ4A/cu/ZP4zffApuf12FxbVDcaHHprPjh1nqF49kl9+GeCKwdJX/LlP5elxMaX1g05ZAe16H+uxV717/0jbthV5/vlmOGUnVouZNWfW0PHrjkhWzRD5YsMXpPRL4YVmL9Djhx4cvnyYPPLILMikUmAlhjUaxoimIzAJ2jSiU3HyxJIn2LNvDxlKBs2im2k5+goy6Da7G3tP7cXDx4NPNn3C213f5p273iHbls0vCb9QPqW8S7XcHadTQRDgm2/28fPPR1m69H7NaBTF6zxFJqH4Y1iaN62sfe7ComUZCLKqGUHLTy7nkXmPkJGVQZPYJjzW8DGXgXnw6kE6fdeJfGc+0X7RTN06lT2X9zCp2yRy7bm0mtGKk5dPEhQQRNq1NFaeWsmyQcvwNnuzP3k/nb7rREpWCphh4taJ/DzoZ+6pfg8AK1ac5I03VpGdbeOtt9oxbFjDm04B9XvvlV5+adcouV1fhHGLfm8ZGBgYGHAT36iqqmI2i+TkqEyf/hthYf6cPp1GZKQfTqdMWlo+Dz9cn5AQb3JzHfzyyxGOHbtGaKg3vXpVp3LlAJKTc1i48Bj5+TJ16oQSFubN+vVnEASBLl2qUrVq0HXemtsDlf37k/H29mb8+E6ulVlaPQXWrDnN6tWnMZtF7rmnOvHxkYDm9Zo9+yB79yYRGuqNySTSq1ccdeuGMW/eUdLT86hWLZhNm85hsUgMGFCbypUDgKJBcPfuS1SqFFBoxGneFYfsoHNsZ77u8zVpBWk0+bIJ84/O5/mmz9O6QmuW719O94bdaVehHeN+G8crv75Ci+gWtIxpCcCkHZM4mnKU6MrRCKrgmhr84eAP7D2+l9H3jObRho/ScWZHPtrwEcMaDGNQnUFMrT6VCxkXmLFvBsdSj9Errldhmapr4L98OZvduy+5Aqyd2JmXMJ+knMtE+ETQNLopa0+vJc+eR/2I+rSp0Ibj146z8tRKEtMS8TJ7MajuIOqFaqmA9iXtY+2ZtcQGx9KuUju+2/8dGQUZ3F/7fqoEVSn1eZEELZaqdfnWLBu6jIcXPOxaSal7yeYmzCUzJZPNz2+mVUwrqn5elal7pvJp108RBZEYvxg+6PAB/Wr0o+13bdl8dDPJOclUDarKJ9s/ISUthWWPLaNqUFXiv4jnrXVv0TOuJyISbdtWYOTIdtx33xwuXMjSruuKx/sLT19hGwsKZH788RAHD14hKsqPQYPqEhHh7TKutm27wMqVpwCIiwsmO9vOo482YN++ZLZtO09goCdNm0azffsFsrJstG9fgVq1wg1PloGBgcEt4K8bWApYrBIXLuQxYsRCBMGr0NvixNPTg/z8TM6fz+Sdd9rSs+dstm8/jaenL/n5eXzwwQYWLRqM2Szx5JPzAQf9+zemefMYXnhhPiDx/fcDCw2s2y9GRPe8lS8fQO3aoSiKWpg2R+WFF1bx1Vc7iI4OIjfXwSefbOHzz3vx8MP1+c9/lvHNNzvo0CGOXbsus3v3Qby8BlGnThgffLCZffvOIIqemEwidnsekyZtZ/nyIURH+3Po0BXMZhFRFEhKymbbtguIgkCDhhF0qdqFDpU7YBEtXMy6iM1mo4J/BQRBoG+Nvry18i3iI+IZUGsA84/OJzs92xWLdCHrAu9ufJe373qbHw//iF2xu2KcNpzbgOglMqDWAMK8w3ig7gO8tug1Dl89TJRvFKhw/tp5hi8fTm5OLrMPzGb3E7sI8Yhgz96LOJ0q585lIkkia9aewsvTgjUkl1Eb3yTx1CnqVKvDSy1f4pllz2DPsDPsrmG0rtCaZ5Y9Q0JyArEhsexL3sesfbPYOmwrlQIrsfD4Qt5d/i7lgssR7hvOsZRjOK85SS9IZ3yn8ciqfJ1HTG9POa9ylPMqhyiKOBVnsX2dq3bmm3LfMH7LeFaGryQlO4UH6z6IiIin2ZNVQ1ZhEk3IqkxmfiZ+/n4Eemir9zae3Uh0eDRdq3YF4O64u1lwdAGXsi5R3r88vr5WmjePRhQtmM2le+bcg/pvhG5cXb2aS79+P5KQkExUVBAXL2YwdeoOFix4gJo1Q/j44994441lOJ0Cfn5eZGVlYjZ70blzFZYtS+SddxYDnnzwQWfeeGMNYGPatL7UqhVuCI0aGBgY3AL+ei5CEfLynNSo4U2rVrFUqhTITz/diyAojBnTgc6d67F3bxJTpuxm+/YjPPVUK06c+A/Tp/cjJSWbl19eTaNGEXz2WW9AZeDAOvTuHYcoevDss224//46Nz2N8neiqmC3y654FlEU2L79Ip9+upmaNSP57LMujB7djtxcB088sQSAxMRUwEmbNhV4+eUWvP/+AHr3ro4gwLvvtkUUTbRtW5GEhKcZN64nly4lM2PGAVauPMldd02iRYspJCVl88svCbRs+QXNW0zn3LkMACyihVPpp7j/5/vxNfsyotkIAFLyUhCtIu+ufZfyH5Zn64mthIWGEeGjrWYbuW4kceXieLbps+Tac8lz5JHryAUgvSAdwaqtKpRVmUCPQARBIDU/1aXhJCOz5qE1TOw1kUtJl0i4dpDsNJUOHWfSsuXnzJixh2vXcul493RatvyUrUtyWTR4HlghPjKeB+s+SKh3KC1qteDjjh8jIPBGmzd4qslTPNrgUTpV6UTS1SROZ5wG4JWWr3Bf4/u4lnqN+Mh4dj6+k3lPzeOp+KeAGweqq6qKXbYXJXp289Q0j25O9ejqLNizgPdXv0+WI4sh9YZoKwQV2TUV+eTiJzl46iCvtH6FYK9gFFUh055JiFcIdtmOU3ES6hWKqqik56e7nhVdfb8s55AmWvv7z7p+/pdf7mbLlqMMHFifadN6MGxYIxITT/LBB5vJz3fw5psrCQz0Yfv2JzhxYjiPPNIcf38PJEngjTdaM2HCvfj6erN06VEqVQpk2bJHefBBzUv4Z1YyGhgYGBiUjqlYmmhdQcB9W0nc9unBsd7eZvz9rdStG4aqQlxcOfbtSyYpKZvExDRMJh8eeqg+0dF+PPJIA956awMJCVfJzXXw5JPxvPPOeqZP30vdumGYzRKvvtrKpeVzO6MH7Dud2oB9/Hgqoqilhxk7ditOp0L79lUJDvZCUVRGj27P66/LvP32esBB+fL+VKoUQJUqgQQEWFEUJ926VaNatSDuu68Wr722lISEK4wZ055Tp15HkiRatfqG9u0r8f777VBViIj0QUDgVNopes3qRVZuFgsfXkh8ZDwAvhZfZJvMC61f4IlGT/DzkZ95e8XbjNkyhk86f8LMAzORkKg+qTrJucmcuHwCWZH5od8PhHiFoBaoLqHS5JxkVFUlzCcMAKfqJDo4mmZRzch35COYBNLzsvAvL5Bw6GlEQWDcuG389NNh1q9/CE9PEyEh3nh7W+hapysrTq5gyp4pXMy4yOddPyfAI4CknCRGrR3FydSTxIXGYZNtiGbRNZXnZfYiwCMATz9Pvuj2BV5mLxqENyi6JzdcqSq4hEV1LS+dL3d/yfoj6/nk3k9oEdOC3j/15ullT7Pv8X1YTVbssp0nlz7JjO0zeL3r67zZ+k1XmSFeISTlJLmSYV/MvohoEovS5Qi/H1uYkVGAoqj4+VnLjNNzJyHhKiaTJ4cPX+WVV1bj4WGiQ4cGxMdHcvJkOg6HjebNa9C0aRQA06f3IiOjgIAATQfs+eebsWrVKVas2MbDD3eia9eqqIWLDYCi7wH3/w0MDAzudP6orYPbcfzOcWVwUz9V9RVIubl2HA6F5OQczGaJ5OQcCgqcmEwiVasG4nTmMHnyTi5fzmbixO0kJV2lfv1wLBYJs1nk2WebsWxZAp98spVHH40nMtLntvZelUSvZ506oSiKiI+PmSlTejBzZh+6dq1KdLQfoiiwZEkid91VmX37nmTKlD6cP5/JpEk7AU39HSxMnryLuXMP88Yb63A682nePAar1UTlykFUqOBPfr4DLy8zMTH+lC/vj9kkceTaEbrO7sqptFN82O1DzqWfY9iiYSiqQlp+GpIq4WPxIcAzAB+LD7JD5lTaKSRRYna/2XzW9TMej3+cAI8AWlVuxXPNngOgU5VOKPkKX+/9muOpx5mxbwZ+fn7UDa2LTbZhd9oRVZEcew5Xc64iiRKp+akgKlQoH0BMjD++vlby8hzUqFGOihUD8fQ2oagqwxsP50ruFV5e8jKNohvRtWpXVFRWnlzJ1sNb6VGjBxuHbqRv9b4gQ2peKiqaVygpJwmTZGLrha0kpiVS4CxweaVKQzfOcuw5nEjVDMgCZwFn08+S58gD4GjKUZChTngdGkc1JswrjKMpR7HJNhyygyeXPMmM32YwoNEAesb1pPec3hxJOYKAQMfKHUlOSub7g9+z/dJ2Vh1bRcOIhoT7hCMrZddL/wFx/Hgqd931Ff37/0x+vpak+/fCoBo3jsLpzKdp0yjmzx/IRx91JC4ugnLlvKhUKQCLxYs1axJZufIUV6/mMXnyTl54YSUZGTYcDoXXX1/D9u0XGTSoPT/+mMB//7uRrCzbH7q2gYGBgcHvcxNB7prn6ujRfLZsSQAsfPXVXhwOgbfeWkdcXDn27j3GfffVYuDAlsycuY2ZM/cCdqpUCeeDDzq44lEeeqgen366nfT0XJ5/vvkd9QWvqa1r3rb4+Ejee68jb7+9hurVJwISINOzZ20AfvopgXPnTrJ48fHC3IMq995bs1ABXkEQRNLS8rnvvrmATLduDfnPf5q4VMFFEfr1q0mjRpHadJfDgdVi4YNNH5B4IhH84PEFj0MGRFWKIseew+trXseZ4+S9Ve/x3qr3wAlhQWG80PwFBEHg/tr388OhH3hxxYvk2/K5knKFNafX0DSqKf1r9WdO/TmMXzOe8RvHgwqf3/M5Id4hfLT1I/ac2APAcyueY1/yPpzZTl5f8zq9Ynu5piDr1Qujb98aOJ1q4SpTbTVlxyodaVW+FZsObOLV/q9iNVlRUWkU2YiIqAim75zO9D3TCfUORZEUnlzyJP1q9KP3T73ZfHAzWKHT1E54+Hmw6/Fd1AqphUNxIAnXTxEqqiYM+p9l/+G7Ld9BoYh5pQ8q8eXAL3mi0RMMrT+UXxN+pcNXHTB7mHFkOxjdczR+Vj+Wn1zOjM0zQIK5++cyd9dcyIWXWr4EwIimI1iRuIIHf3gQRPD39ufjjh8jCiIOWUZALcMbq/2UWrHiJAcPnuKll7rj62u94Y8LfRXrsGEN2bjxLOPGrWfcuC2AgNkMVatq6ZcmT+7OiBFL6NJlGmAFnLRvXx1vbxOjR2/iww9/xccnhsaNo/jhh/2MGvUTqam5fPJJt0LplDvoJTQwMDC4DfnLBpYgCBTkO6ha1ZOFCx9HksxUrRrEQw/Vw8fHgpeXmUuXmtCiRQV8fa08+GB9zp5NJyTEm5YtyxMR4eMKYK9YMYDFiweRlWWjatXA63STbke0QHfJJcegG4UjR7aha9eq7N+fjMUiUa1aME2aaKsIv/iiO3l5Ni5fzsVmczB2bCfatq2AIIDVagZsvP9+N5o2jcJmk2naNAqTSSzUy9LKnzq1h6sOFrNmKYxsM5LBtQejCJrauAkToT6h+Fn9+Lzb56S0TgFRMzRMoomqwVWpGlgVFRVZkWkc1ZjZ987GarYiyzKVgyoD4G325pf7fmFJgyUkZSXRtHxTWkS3AGBg7YHUCqmFgEC1ctVIy08jtU0qPp4+hHiHuKbf+vevRf/+tYr6Dc2jZBJNfNP7G35r9Bt9qvdxeZnqhNZh48Mb2XJ+C5Ig0TS6KZeyLyEiYhJNfNL5E5KaJyFKIoqs4GX1okpgFVfqndLQZR1ebfkq91a/F9EkavpcikrDyIYANI5qzObHN7Pm1BoyCzKpF1GPjpU7AtA0qikrn1rpSiat52tsFNEIgKrBVdn4yEZWJq6kwFlAu8rtqFGuBgCSqC1M8POzXqdTpara5yVLThAcHMbLL7f4Q8+dqkJgoAfz5w9k3bqmnDqVRni4DzVqhFCjRjlUFR59tCHNm8ewZ88lnE6oWTOE+PhIJEngoYfq0bRpBN7eHlSpEkitWiE4nU4qV9aC9rVn+vZ+/wwMDAxud27CwNKmtTw8BHr1qunaHhcX7Ppcv36463PXrlWLne/+K11VVVq2jCn8fPutGiyJomj13779DG+/vYHXXmuJh4fZtZIwPj7SJc3gTvfu1Uot7/DhFP7zn4WoKkyYsIWhQxsxcmQb4HpRUX15v3tanrhyccSViyutaBpHNi69DYX6T5IoUS2oGtWCrq+bioqPxYeBtQcWu74gCJT3L095/+uTNF9XRqE2WGnK7FUCq1AlsEqJ49Xr6hMXXNS2hhENIeL66+Q6cjmXca5YGh39Wk7FSYRvBDVCalAjpEYZ9VSpGliVqvFVr9sX5BlEpyqdbtBGlSjfKB5p+Ihrm6IqoGp6U3v3JvHxx5uR5TzsdrnwHE16IzfXzv79yTzySGNCQ73/UC5C3YtlNot07lwFKOpD/f1RFJWaNUOoWTPkuvMrVQqkUqVA199RUX762YXl3+YvoIGBgcEdgKlkjNfvxXMVi4kv/B7Oz7dhNptdU2XaiijtS17/NazladP8F1p+uuL55/SA+bJy7d0O6LkIBUHgrbdas3v3xcIpQtEtVZDelqLe0/drq8iK9I8URcFkkgCV8uUDiIsLJzNTG4Ttdrkwv2PJ/rg+P6GiKi5Fcx1JkFyr/0rqGpUU69Tz7Olt05XTBQRX2YWXdnmJZFV2bTeJJlfOw5K5DLU+K/2eKqpSqF5flBNQEATXdve8gPp1SrZHURUskoUDyQfo/3P/664hiRIFuQW82v5Vnm/2PE7FWaztkiC5VvC59wEqrnrpnr7SytZTEel1RsClUK8U1lOWVcqV8+H11++md2/NWBQLEzR6eJhYt+4hKlTw+1OeW93Icn+voEjgVhRv/Bxq76n7cSDLTqxWTb6jZPynEeduYGDwb6AsW6es77fSvgv/KLdEutlkEl0rn9wHCPfPRb/KSx9AbmfDyh3d4Bk8uC6DB9ct9Ziyplj0BM5Fx2mGSK1aoSxaNPgPXd99YHTVqXDKyh2XrlLhYK8bK7J6vaHwu8rpUnFjTBTE63LvFV6s1PrqKYFKK7u0c3QJCF0awd2LJwlSsXP0dtYIqcG393x7fVkIOGQHceXiEAXRtdKvNIqVLRQvQxKkYkr+JQ2h0tqiH9O4cSSNG0eW2Fd4TUkskdPyj78HWnqcst+rGz2HpSm5l2UIGxgYGBj8eW6JgaX/Inaf3tMHIf1v9/26h0vfDkWJad0FF+/UmQp3vSNRLD7lUlILSRtoNQ+f1j+Cy6Bw7z+d0gwVQRDItmeTcDWB7IJsYkNjqehXUSu/0HDSPUS6CGcx75CqaV4duXKEGqE1XPpO+rkHrxwkLS+N2JBYIn00Q+FE6gnWn1pPmF8YPeN6atdCvM54Kc0jo6/4ExBQUFz11Ouje8F0b5Oer1APYFdV1XWeUPhfoEegK2aqLNz1r1RUV311D5lT1mKsrCYrqCUSTrs9j3/2udSnjvVzS/aRLvNR2j3XFzi4X1fPV+n+rvwb3hsDAwODfxO3xMDSpxXKorRVUe6Jn925neM/3A2jjz/eyp49FwgM9GXCBD1djvu0aBF6+/VkzqVRPO7GPeaqyGsiCPDhh1uoVSuUnj1jccoyJkniWOox+s3px5ELRwAI8A3gh4E/0LVqV97d+C6JVxNxCA7yHflUDqzMfXXuo3lU8yJDQxAZsWIEszbM4tWer/Lh3R9qIqKqzPAVw5myZQo4oVxgOb659xt6VuvJ4hOLeemXl6havqor5x4UGW56m9etO8PWrRd4663WrgDtYlN0SG5t1QzL9IJ0xm4Zy5pTa7CYLFT0q0iwTzCfd/0cRVEQRbHYeYqqaIaFW7+5G4j659K8dLqBCfD6utc5n3Geuf3nolCYbFrRjJ4DB67wwQebkSSVfv1q0a9fzT8sJVKaUeWqp6L+bj7B0nJ8lizzdn5vDAwMDP4XuSkdLH3APHQomfPnMzlw4AqnTqVz6lQ6Bw5ccfPiCJw5k8Hu3Zc5ciTFZSzYbDKJiWkkJFzl2rU8cnLsHD6cwrFj11x6QLcb2jimMnXqHlatOkP9+mHF0p9IkkBaWj67dl1mz54k8vIcrkFYEAQSE9PYuPEs+/Yls2dPMqmpmg7TxYtZnDiRSnp6Afv3Jxf2n1rMuAIYO3YrixefKFanvUl7uZh+kZ8f+plv7v+GjPwMPt3xKaqqcujKIWZvm82a02s4lXaKT7d+SqcZnTQNJ0GbPlx1ahU/HPoB7yBv8h35WjtEiWWJy5iyfgr96vdj4aMLsWPnmUXPkFmQyX8a/4dGcY0QBIHT6afZfnE76fnpbrFUWt1Wrz7Fhx9ucfPSQFJOEgkpCWTbszlw5QAHrhxwGRX5znz6/NSHsavGYjVZEQWROdvnsPTEUkCLI7LLdg5dOcTuy7u5nH3ZZTilF6Rz8OpBruReAeB0+mmOpBxBVVUKnAUcTjnMldwrXMy6yPaL20nLT3PFUAmCwNYLW9l0fpN2HUFEdHs9goI8iYsLZs6cvdf1/80gigIXL2azY8dFDh68UsyLKYoCBQVO9u9PZvfuy5w/n8nhwynIskJenoNjx65x4kQqubl2zpzJ4MiRa2Rn225Z3QwMDAwM/jp/2YOlKCqeXmaOHs0jPv4LgoMDSUpKJyjIF1lWyMzMZuLEnjz7bFNee20tU6ZsJycnHzDRrVscM2b05tSpdNq3/xqnU6BPn5o0aRLFW2+tQpbhq6/uYejQ+rel4KggCHh4mGjevAJPPhlfOI2j1XPevKO89dYqjh9PA6Bx4wimTOlFo0aRTJq0k7feWo2qai6JrKxkPv98EM8804R77vmJEyeuEh0dyNGjlwHo3bs2X33Vi5AQL5eRFRjogYeHdr6p0LXRo1oP4p+JJzYolgtZF7BYLS7DYXSH0Sw8uJCxHccyrMEwus3uxvK9y0nOTaZmSE3yHHmMWDGCvjX6kpiWSJ4jz+XxmX9sPqJJ5K273qJ+WH0ej3+ccWvGkXA1gZblW+Jt9uZY8jEaTG1AVloWHep0YP6A+fhafV1OOKvVRGCgB05ZxWwGm1xA/7n92XlhJ7XCa7H/0n5wwrie43ix+Yv8fPhnNh7ayONtH2dqj6kA3DfvPvYl7QNgX/I+nlv6HJvPbgYZwgLCeLHVi7zc4mVeW/Ma07ZMY0S7ETzR6AnazGhDVl4WF1++yOLji3l8weNUCanCtfxrpKak0rBqQ1YNWYWHyYOhC4ZyJPkIMjItv2kJDhh19yg6V+mMU5aJifHj7bfvYvLk3Xh5lS4H8UdxN5jHjdvGhAlbSErKASS6davKtGm9iIjw4cCBZP7znyVs3XoGAH9/X1QVdu4cxurVZxg+fCG+vl689157vvpqL0eOnOe997oycuRdf2g1ooGBgYHB38dfz0UogM3mpHJlK1WrhmC3y7z+elvS0jIYOLAWdetGs2DBMWbNOsjHHy+lZs0w5s0bzNChDVm2bA+vvKLlIuzfvy5OZw5du1ajY8cq2GwKrVtXokuXqi4Pzu2IoqgUFDiL5SJMTExlyJB5gMT69Q8za1Y/du26wJAhCwD46qu9ZGbmMW1aD+bM6cfgwa2pWzcMQYAHHqhDdnYemZkFfPttfwYMqM/ChTuYOfMA8+cfQ5JGYTa/x9mzGXzxxU4k6R2Cgj7i9Ol0/Kx+xAbFYpNtPL/ieexZdh6s+yCgKaBjheFLh+P1gRfLjyynSoUq1AmpA8Dk3ZOxK3Zm9pmJXbZjlswuj9DF7IsIXgL+Vn9kRaZaUDVEQeR81nnX1FpuXi5vtnmTJ1o/wdpDazmSeoisayrlK0xAkt7m/fc3c+lSNr4+Y5CkkXw77RjPtH4UR56DzIJMZvSdQYBvAFN3a8bUvuR9iE6RvjX6IqsyTsXJpG6TWHj/QuyynccWPcbmY5t5s92bfH//93iYPXhlyStsObeFJ+OfxGQ1kZSdRMWAinSs0hFbvo1MWyadq3YmNiSW4xeP81zT53is9WPsPb6XnZd24iF5aAapqq0GFBGRBdm1OIBCL2J6egEOh1xmCqeiVaI3Rj9m1apTvPzyQho2jGbXrid5//32LFu2m1dfXY0oCjz88EK2bj3Ba6+1Z/nyR6hXL5ysrAzS0gq4994aDB0aT3Z2Hrt3X+LChSwefrgZgwbVvSN05AwMDAz+7fx1HSzAblfw8JCIiQnEYsnjgQfqMnbsOnr1qk5BgcK+fUmsWXMak8mbceM607p1ee65J47ly0+xZMkJBAHGj+/C7Nn7OXLkGhaLBCh89FEnwsN9kOXr45luJ/QYMrtdQZJg27aL2GwFiKLI229vwGZzEh4eSG6uHUVRGTGiGSNGXGPgwB8JDvajTZtofHy0+LXmzaMQBO2Yhx6qR9u2Ffn11/2sXXuGPn2q88knXZEkEyNHrqd27RAGDqyFJEkEBXsC4JAdDFs4jF92/sL7vd/n/jr3A2CWzCiyQpuqbWhXsR2bzm1i48mN/Hj4R56Kf4pR60YR6BHI44sf51L2JeYemEugZyCj24/Gy+SF6iyUzxAll3fL2+KNqqo4FAflgsvxSotXWHlqJdO2TONsxnnqV2rOO2+3w1bgZPHiRLZtu8CoUW0wWwTuuqs8YogVQRB4Il5TUJ++bzon006iohYLZJcECYfiIMQrhBCvEI5eO8rBqwdpVrMZ77d/X2ufaGbQ9EGsPr2ad9u9i7eXNwoKHiYPmkQ1YY4wB6fqJNI3kgj/CJLzkhnZZiTrz65n+tbpWiohUWJu/7l0+r4TZ9LPsPmRzcXusySIfyif4B81anSDfOXKk0iSiatX8xgxYgUOh0JQUDnS0wu4ciWH/fuTqVu3CmPGdACgXbsKrFhxirp1w/D2NjNjxj04HCqzZ6+nU6cmfPPNPa6+M2KyDAwMDP5ZbirIveg7XEWSRGRZRSj0fjidMl5eFmJi/HE689mx4yKtW5fnt98ukpWVQ4UKwTidKiEhXjzwQEM+/XQLUVH+dOwYR3x8RKnB4rcrej+Eh/ugqgoRET6MHXs3giCwf38SNpuMKAp4eZl5552OBAd7snbtaWbO3EZ+vsLy5YMpKJBRVZH1688yYEAtFi8+gdNpJyLCh8qVA3n22eaAFuTeqFEkTz/dxHX9PEcejy1+jJ/2/MT4vuPpXK0z3+7/lqH1h+Jl8kKURfrU6MOTjZ6kXng9lh9azrwj83gq/ikG1h5IVn4Wec48REEkyDPIJf4ZHxXPwl0L2XR2E5XqV2LRiUWIFpFaIbVcIqUB1gBA06gySSbMogWrp8Cjj2gK6WlpBezZk8SLLxaplO9POo/JZMLb4g2Aj8XHpSnVPKY5403j+e7Ad3Sp2gWzZGbTuU0cu3aMrtW64mP24XzKec5knKFSQCW2XtiKLMgEegZqcUuCyKXsS6iqytbzWzFJJqyiFQBZkfGx+rjqK4mSS9fLqThRlaJch4qqcOjKIZpGN3W1sSz0Kb8ZM/azYcNJ7r+/Pl26VC1zelt/XiIj/ZBlB/Xrh/Pss03IybGzY8dFYmL88fAw4+Vl5vJlLaaxSpVAkpNzEUUBh0MGzOzceZm9ey/TsGF1EhKu8uOPRxg4sOYdIdZrYGBg8G/nr8dgFeYiPHkyn5UrDwMS06btRpZVRo1aj5+fB9u3J9K5c2WqVYvm5ZcXM3v2IQ4duoos23jppRZ4eppQVXj66XhmzdrD2bNJfPtt38Il6LewlX8T+qpBUdRSr7RpU54uXWqzYsVRnnnGhtVqZt++i1SoEMzTTzfmpZdWcfHiFUaMaEdAgBUQiYzUBCYdDgVBsLB8+VHq1TtPZmY24eHlGD68CYqi4nAoSJJAWJg3Xl5mnE4Fh9OBh9XKa2te44e1P0AgfLn3S15c9iJBvkH0q9GPketH4sx28tLKlxi/bTwn006CAH2q93Glq1l3dh2jN4wmPScd1aqptwM8VO8hvtj+BUN/HcrHWz/m8JnDPNT6ISoHVua7A9+x5cQWkOGdDe+w/eJ2HNkO3lr7Jq1iWhFoDUZAwNPTRFiYN/kFDswmCafq4NW1r+LIdDB512QKHAWsOLYCCrRy3mzzJh3qd+DH7T+yP2k/ZsnMoQuHKBdQjkcaPMLwJsN5b/l7xE+LJ8wnjKPnjlK9UnXur30/giDQMKIhaw+tJW5SHIlpiZANb657k15xvdhwfAM4tL8PJB/Q6rvuLVqVb0WkbySx5WJZs28Njac1Js+RR3puOpuGbaJ1+daue13aMyAIYLfLvPLKaq5dy+C551re8LnRRUYHDarD11/vZvr03Zw4kUJBgcKuXee599469O1bg+efb8bo0Stp0OBLYmPLcfjwFWw2hXPnRrBhw1n69PkWEPjwwx689toa7r9/Gnv3duejjzoaMVgGBgYG/zA3lSpHlhX8/CwMHdoYSbLQvHkMJlNr/P2tREf7UbmyD336VGfIkPqMG7eFxMQ0BgyoyQMP1KV792quqYxmzaIZM6YLaWn5tG6tpV8Rb/OxQRQFLBbJJb+gquDpaeaXXwbw2Wc7WL/+DCaTxIgRLXnooXoAPPxwfU6dusrhw1dxOmVefrk9L7/cEkGAgAAPwM5bb3XA09NEfr6TIUPqERsbhKqqWK3a1NmKFYOxWCRMJhFBNCEI0Cy6GY5ODhRJIdeeS6vIVtSLqoeHyYPmMc0JsYTgEB0UOAtoW7EtbSq0YUjdIZr6OCr5jnwCrYE83uRxCgoKcCjaCs4YvxiWDVnGx1s/5nLmZd7t+S4vtXgJAYFIn0gebfoogiAQVy4OD7MHFbwqEOAXgKfZE7NJq++TT8YzeHBdPAtTCUmChTYV2lDRqyKhgaFUDqzMsMbDEBSB6iHVMYtmFt23iM8qfsbaU2sxm830r9WfIfWGYBJNvNvuXaoGV2Xh0YVk27Pp1bEXzzZ9ljCfMADGdRzHR54f4VAdvND8BfZe2EvtyNpE+EbwaNNHEVWRmiE1CfAIIMojCn9ff7wsXgC82fpNvM3eHE85TnRANN2qdaNV+Vau51TLJygW80rp+w4dukJqagbPPNOKhg0j/kDCZpWICB/WrBnKxIm/sW9fElFR3vTv35mhQxsA8P777alevRwLFx4lK8vBc881Y+DA2sTE+HH2bAaPPNKEwEAfWraM4fXXW5GSkk6NGiGF1zBcWAYGBgb/JIKzMJ+HrMpYRIm1Z9az5/JuXmn5Mk7l+lgORVEwSyLbd+5i7pwfmDBx4l+6cElR0jthPHDXpKpW7TNUVeHrr++hdevyLm/BX2nHlSu5jBy5lq++2s6999bnmWea0rZthcJr/nPxNLqm1e10zbL2/1111e95enoBS5eeYMiQeQwd2ogZM3q7FjiYTCJvvLGWMWM2cvz4c1SrFvSHAs1/797+f78XDocDs9nM66+/zvETiQwePJi4uDiqxcZikiQjVY6BgcEdj27r/HT4ZzILMni80WM4FKVUnURJgP9uGk2Hyh1oEd2szOPK4iZjsDQdrPz8gsJchKIrlUtRLkKx0NulFstV6B5fpe//I4HE/zS6t6pnzzi2bj3NxInbadIkEm9vi2tqU5aVYp4tSRJc2kZ6P+jTShaLiVOn0li8+AiVK4ezZs1JZBmaNo3EajVdN8DqU6fu22VVLsxJV4QgCJhEkxZbVEouQvd8gcXyDaJNYUmC5MpFqOcLlBXZFSvlfo4+RaobDHqKG/c6u9dXr5Ouw+VejiRIrtx/7kKhrpyBCK7j9RyA+j792JK5CkVBU2z/vfrq13VX00cRkCSRxMRUpkzZRbNm0TRrFu3WV9p127SpSNWqQcTGBt9QULbkPXJ/JvQpSP2d0b3ErrYWesX0Y7V92ruk5x0URfGOiV00MDAw+Ddz00ruggBms4TJJKGqagnRTbcLmTRjTM97VpKyBgU9JcjtYHjp6Xy01Y+dKCiQsViK8jDqRkSRMvf1KvV6P4CmEQXQrFk0Bw486xpM/fyseHqWrrVUmkej1LyAhZQ0dkqjZL7BkvsQNOPDvazrzrnB7SlZ55J1KnltAcGVQFrPpeiOu3FYcl/JnIDuiu+/V1/9usX2F57epEkUGzY8jMOh4OWlHeP+THbpoi0M0IVC/yjuz0Rp74Z7HFXJPJ+iez/cBu+HgYGBgUERtyRVDtw4HYj7MX9Huf8E2qrAv9Z9JZsjigKhoV63oFZ/H//fU4X/1DVvhNksFvsB4Y4sax6xkmlv/ii34SNuYGBgYHAT3JJQclEU2b8/mRdeWEFmpq1w+sJtmqZEgmP3v0vu09HV0Q8c0MrNyCi4rtx/Cr3OunfNfXVZyZVm7u1z/7fkNj2e54+KVbpTcoWb+9/uSYHLqmNZdTIojj6tWBqSJPxl48rAwMDA4N/HLRkRJEli8+YLTJy4mpSU3MIEtdpPcn16z/0XuvvfJffp6EHCW7aUXu4/iV5n3btWcuqmtGOBYv+W3KbH1mjH/7k2loxd0//WlfBLlleWNlPJOhkUR89ZaGBgYGBg8HvclIGl/5Zfs+YUq1Ydx2TyYfLk3Ywfv4VlyxIBbVDasuUCnTrNxMfnA6pU+ZTPPtuJzaYFHB86dJWuXWcRGPghMTETiY7+mAkTtiOKAuvWnWHFihOYTD5MmaKVu3SpVm6JmO7/F3TvxezZh2jQ4Es8PUfTpMk0Fi0qSv779dd7adx4Kn5+Y/Dz+5AXXlhNQYGT5OQcOnf+nnr1JjNq1Ho+/XQ7tWt/Tp8+P5KX5ygs/8/XSfd6TZ68m+rVJ+Hp+QHt2s1gw4ZzCIJAamoeDz64gEqVPsVqfY+GDSe77s2hQ1dp02YGDRpM4eOPt/Hf/26iZs1PGTp0wZ/2ohkYGBgYGBgU8dcNLLepp+nT97BkSQJgYuLE33jppSXMmnUQgL17k+jceTopKblMmtSNhg0jeO65X5k8eScAb721jhUrDvLWW3cxcmQbfHzMyLJcWO4+liw5VFjudl56aQmzZ2vlqur/r4UlywqCIPD99wcZPPh7KlcO5IsvuiGKAv37z2LTprOoKiQmphEZ6cvUqT3o2rUqEyeuYOvWC3h5mQkL8+bgwdOsXXuajRvPcfjwBSpXDnJ5lHQJCFlWS53GK61Ooigwfvw2nnlmLi1axPDpp525ciWHXr1mcuJEKvn5Ti5ezKR//5pMn96HU6fSeeWV1dhsTgIDPQgK8mT//hNs3HiWtWtPc/ToFapUCSp1atHAwMDAwMDgj2HSh1D3f0tuc8e1TwCxcLrk++/706BBFK++uoxdu56hRo0QPDy0FU6//nqMvLx8goJ82Ls3iULbiTlzDvP8881p2jSKRYv2MWHCbzRtGkXv3rXo06cGALNm9aFBgwhefnkxO3c+Q82aoa7A8v9vlWpdkmLmzAOIohlB0OLOPDws2O15zJ17hDZtKtKhQ2XOnUtn6tQ9pKcXIIpmLlzIokOHSsyc2Yf4+EjeeGMVsgzz5j1Cv37Vi3muBKHsFZXu6FOodrvMrFkHMZu9sNlkDh26go+PJ9nZZ1iw4BgvvNCc9u2rsH79KfbuTUJVRfLyHKSnFxAd7ceCBQMZNSqMsWM34unpwcaNT9KmTXkUxZgq/F9HLeV/AwMDgzuZsmydG32//dHjSnJLVhFKkoCHhxlR1HSvvL3NZGfb8fY2AyqCoBIU5EG1asFUqBBAgwZhLsXpHj1iyc/vxpkzqWzbdoH58/dw8mQ6P/10LyaTiNUqFSs3L895w9VcfxclRVEjInyoVi2Y8uX9adu2Aj16xHL06DV69pxNdLQv48d34ejRFN566yw+PkWSCx4e5sJYHpWrV3NcZevlJiVls379WQIDPenaterv1apQb0wztqKj/YiK8qV8+QC6d6/CPfdUZ8yYLYwaNZ8nn7ybe++tyauvriIlpQBfX6urFKvVVJi+ReXKldzCOqncUHvBwMDAwMDAoExumZUSEGBFUQp48cWVPPnkUipUGMcnn2znvvtqIUkmTpy4ire3GVlW+OGHA6xdewaAN95Yyw8/7GbAgFp8/HFHrFZvTp9Ox27XXF3+/lYUxcaLL67kqaeWUqHCx4wZsxkofTXc34UuhNq3bw1kuYBz5zIICLCSmprPl1/u5PTpDDIyCrDbcwkO9sHpVDh48CqK4uTHHxO4fDmb115bwxNPzKFTp1g6dqzK00//yOOPLyYry+Zqy6RJu3jggW9ccVJltVEzrBTMZok+fapjs2Vx+XI2AQEeXLyYxaRJO7l2LY/ExDRAIDTUm5SUXM6dy+L8+VQWLz5ORkYBjz66iLfeWsgDD9SnZs0wBgz4jldfXY3drhhThAYGBgYGBn+RW+LBkmWZ7t1j6dOnCevWneLgwau0bVuJNm0qUKdOGD/99CBvvLGaRx9dgLe3By1bRjJoUG0AQkK82b49h0cfXYTZLFCpUhAff9wRLy8td12PHnq5pzl0KIXWrSvQvXu1W1HtP4XJpKl/P/FEI3JzHYwdu5nFi48RHOxN165VaNo0kogIX4YPb8vs2QcYOPBnOneuRpMm1UlIuEp6egGbN5+jQoUg6tYNIz/fwYED5Vi79jQ5OQ78/DSP0qZN5/DyCuSFF5r/bp0kSavTyJFtUFWVzz/fwfffHyA01Ie+fWtQu3Yozz3XlHPn0hg7diP+/t506VKVjRtPcuBAMnfdVbGwTmHUqhWKySRy+XIyq1ad5p132rmmRY2pQgMDAwMDgz+H4HDLRWgVJdYU5iJ8teXLOMrIRWiRRH7buYt5P85h/IQJrhxmAPn5Tjw9i+w293xrmZk2/PysxQbs7GwbVquZvDw72dl2oqP9Sh3QS5Z7O5CRYSMgwHrd9vx8J6JYpNT+e+h9dOzYNWrU+JxnnmnGpEldkWXlT8WaqSpkZdnw97++TllZNpcRZ2BQGiVzET5g5CI0MDD4l6HbOj8W5iJ8otFj2MvIMWgqzEXYvnIHWkY3K/O4srhlFotmpql4epqKTS3pOdQEQXAN/Pp+QRBcsUAWiwcBAR6u/bpR5l5uyXP/CXQRT1EUXMaV3j49/2LxuhZfIVgaiqKlFbLbFdq0qcgrr7QoDGL/YzfSPZ2Q3seKyzjW6qAbV4qb0Vy8TsVjrm519xqeMAMDAwOD/yVuaaqcImOidGFLfZB131/c6NANlZIDvVDquf8EuohnSeFU989FCZlL5iIsvUx91WDduqFs3PhwmdfW07HogqTu5aoqOJ1F0hXu+RBVVcXhUF3io1ry6aJz9RyIpZXtfk335N368W6tK7V9uvq+JAmulY+60VxUf8PyMjAwMDD4d3HL59xOn07HajURFeV7ndeitHG0+LayB9rbaQwWBHA4NKOktNWMN1NXd29YSTRD7PoduuFSmkK7nnzYbNb3CdftLzkN6X7f3K9Zsvzrp4+L1700g0077/p66F5BAwMDAwODfwO3xMBy9540aDCVJk2iWLVqCPq0kywrpWg93Xl523TD4/nnV7J581l8fc1MmtSTWrVCXAaCNoWouHSkSvMIaYZIkefJPYddSSNDv2ZenoNFi46zZs1pwsJ8+O9/27m8SqIocPx4Kp9+up2kpEzat6/CM880cRk7SUnZjB//GydPptC4cQzPP9+8cBGBZhDNnp3AggUJeHp68PjjjWjVKsZV7oIFx5kz5xD5+XZatKjAs882wcvLjN0uk5SUjaKAh4dEQIAHnp5FchT6+Tt2XGLGjH2cO5dG8+YVGDXqLjIyCrh2LR+LRUQQBEJCvPDwuL3i6wwMDAwMDG6GWzKqmc0iQmHg15AhdalRI6SYB+ZONKbKQlUhJMSL1NR89uxJJDW1Q+F2FVUVXMajJBU/x90j9GfyKepG0K5dl3nxxWVcvpxBlSrhvP32XVgsEoIgkJycQ5cuMzl7NpWYmCAWLNjHyZMZfPppZ/LyHHTv/iP79p2mQoUwFi48wP79V/jhh76YzRKTJ+/imWfmUa5cOdLS8li06BArVjxM06bRLFp0nD59phMWFoogwOLFe8jIKODDDzswcuQ6Jk3agiR5kp2dh7e3B4880pCPP74bk0lCkgS+/nofjz22gPBwPzp3rkzDhhFkZtpo2fIbzp9PIydHBmyEhQXxn/805bXXWhZOXxqeLAMDAwODO5uby0VY6JU6fz6Tt99ezwsvrCQ01JucHDvp6fmAgNOp8NVXexkxYgUvvriS119fy4QJv5GVZSss485Zm6QHsb/xRmvef789kmRyTRHqRpTNJvP113t58MH5PPHEEpYvTyz0VGntnD//KA89tIAHH5zPxInbGTVqPfn5TlcZJdE9Wo0bR7Fly+O0bFm1UNS1KJnzd98d4OzZi0yZcg/Hjz9Ls2bVmTx5C+np+Sxblsi+fcd4/fW7OX58OPfe25h583azb18yiqIyZswWIiPLcezYf9iw4WEyM3P54otdCAL4+VkZOrQZJ04M57ffhuHlFcimTedQFJUhQ+rh5eWFl5eJyZN7Uq9eOJ9/voY33liLJAkkJqbx/PNL6NixKseP/4dvv+1Djx6xeHubuf/+2uTkZPHKKy2ZP/9BFEVl5MglnDyZ5loUYWBgYGBgcCdzUx4spTBQ+dKlbGbNOkRBgZOUlFyczgJ69IglMNCTlJQ8XnhhJZKkUrFiMAcOJOLjE0S/fjXvWNkAWVbJyCgoDADXtgmCQFaWjXvvncfq1QcJCSlHTo6dadO2MnJkJ957rx0vvbSK8ePX4umpKa7PmrUTEHj66cZ4evpQciWfO15eJipVCkAURdd0rG7Ubd9+AUnyoXPnqnh6mujXrwbbtx/j5Ml09u1LRhRN9OwZi9Uq0bdvDX75ZRfHjqUSGenLxYsZDBnSgOBgT1q3Lk9ERCg7d15EVaFt24q0bVsRgO3bL5KXl0Pt2iGIokDt2qGEhvqhqgpPPdWYgQPrEBf3OTNnHuSjjzqxZs0pcnLycDgUmjefTp06IYwb15noaD9atSqPIJjw9bXi72/F29uEIATi7+/xt987AwMDAwOD/w9uyoMlFU7lNGkSxa5dj3Ho0FO8+GJzRFFyeXb8/Cy0b1+Jn366j8aNw5EkTxYuHESFCv7FJAPuFIpWM2p/K4pauLpOYMmSE6xevY9+/RqRkPA0+/c/SWRkMJ9+uoN1687wxRc7qV49ij17Hufgwad5881OREaW+0PxR4qi4nQqLu+OohQZd1lZdgTB7FoR6OtrQRQFsrPt5OTYURQJk0lClhW8vS2ASE6OjawsG4Kg4O9vwelUkGUFf38rOTmOwjgy7QJ79yZz330/Eh4ewEsvtQC0mDunU8bhULHbZQIDPahbN5zMzAJSU/M4dy4TQYDjx1MJCPDgp592MGLECkDTQ1NVEyNHrqF9++mcPXuVqKhA1zNzhz0SBgYGBgYG13FLgqNUVSU42JPgYE98fS0oiuIynLy9LSxcOJBffz3KzJm7mD79Xry9zeTk2ItJGtwpmExa0LouIurlZXZN412+nI0kOenYsQqhod7ExgZTq1Y4NpvMzp2XKCiwUbduFDVqhODpaeL999tx6dILLv2vGxmboihgMomuGCWLRXLFckVF+aIo+eTm2pEkkTNnMlEUlfBwb8LCvBEEO2lp+UiSyIULmaiqk7AwHyIifBAEM2fOZGIyiSiK1obwcB9XcP7u3Zfp3fs7ypXzYNmyh4mNDXYF5kuSiCiCxSJht8ucOJFCQIAH5cp5FbZHZebMPmzd+gi1a1dh+fKTAIX6YXamTu1Fevpb/Pe/Xdm//zQffrgV0HTBDAwMDAwM7mRukYGlyRbIsuKmxaRZTg6HzKuvrmHatI08/3w7goI86dhxJgkJV4H/33yCt4KUlDy2bTvPgQNXEUUTmzadY9u289hsTuLjI5FlbyZO3Ma6dWf4/vtDrF59jHLlPOndO46wsAAWLEjg228PcPhwCq+/voZ27b4jM7MAuHE8WnJyLjt2XCQry0ZBgYONG89y5YqWLLpHj1gUxcb48dvYvPk8X3+9m9DQECpXDqRDh0qoqomJE7fx228XmTx5BxaLD/XrhxMY6EnTplEsW5bA0qWJfPzxVrKyrtK9ezUEQWDr1gt06/Y9KSn5PPtsG5YvP0Hv3j8iywrJyTnk5tooKHAyb94RBgz4mQsXLnHPPTUQRYHGjaNQFCd79lzm3LlMrlzJIjTUG0VROX48DUkSuXYtj5Mn00lKykZVneTk2Atbe2c9EwYGBgYGBiW5JasItZVxmq0mimLhVJU2SJ47l8mkSTsAibFjNwIFmM2+mM1S2QXehuhpaxYsOMbjj88BzIDI888vAGD37udo27Yi777bmf/+dx0dOnwJQIUKIUye3JMaNUL44otuDB++mIcfng2YEEULgwfXx2KRcDp1r19x40JRVEwmkY8/3sKECSsBT0CgbdtPeffdexg16i56945j0KAWzJjxGzNm/IanpxczZw7Aw8NE06bRPP98eyZOXM/KlYcBM5Mm9aJKlUBUFT79tAt9+vxAjx5fAdC6dR2efDIegClTdpGSkgz48OyzC4A8KlSogMkkMnHids6fvwB40b//94CJwYNbMm5cR2RZoXPnKvTr14TXXlvEa68tw8PDzFdf9cZmk/nvfzciy07efHM5b74pAyINGlRjxIimwPVSFQYGBgYGBncat8TAstlkCgocABw8eAVVFVzTXhUqBLBv35Pk5ztc8UtWq4kqVYIA/pRkwT+JnrZm4MDaNG36kltwuybLUK1aEKoKo0a14YEH6pCYeA0PDzM1aoQSFuaFqkK/fjVo0SKGY8dSUFWoXDmQihUDbnhdvX9ef701Dz1UjyJVe5XoaH9A68+ZM/vw5JPxXLmSQ4MGkVSpUlTuhAmdGDiwNmfPplGzZhi1a4e47kXjxlHs3v0UO3ZcwNvbSvPmMXh7mwvP6+xK26P1Afj4aPf1lVdaFCbsFjCZBDw8TFSuHORaMenjY+GHH/qxbVsTrl3Lo169CKpVCwRg/fqHyM21uaQ9RFGgfHl/16KHOy0uz8DAwMDAoCQ3ZWA5C1Os/PzzEd58cw2qauLy5SR69GhAaKg3qqpiNovExgbfksr+k+hjvq+vhbp1w8o8TlFUqlQJpEqVwGLbdFHQiAgt9smdixezOHbsGiaTWEpMmkrt2qGEhHi7YptKQ5IEWrcuf901dZo0iaRJk0itRLdcj1qslg+9e9coumLh/tBQb0JDvUu9XnCwF8HB19dHV45XVS02S1+F6F5u1apBpZZpqLkbGBgYGPxbuCkDSyr06rRoEc2QIfVJSysgPr4N999ft1gAe2lxVnfqQKonVi6J3h7dkPoj+/TcfitXnuL111dgtXq68gIWJWJW+eqrnnTrVg2HQymm+u6em7Fkvdz790b7StapeJlqKQafnk/w+n3uaXL0+pd23dKeB1313sDAwMDA4N+ASR/qSv5b8nPJbYViATidTipV8mPMmI6uYxRFxuFw3PDCsvxXqnv7cqP23Gif0ynTvXsV6tYdXKrivaqqVKgQgNPpLJaY+e+qz82W/XecZ/D/g/7OKm7LONUS/xsYGBjcyZRm49zo+63k8X/me/Ave7AURcHDwxOTyXRdMaIoIYp3VhD7P0l4uJnwcL9/uhoG/+OYzVrsnbe3dzGpFQMDAwODP89fNrACAwNZsXIlKampKLJcmOJEQVEUbfrI+L37h1FVUG8gVyGKgibwXrbQ+01WABAEJFWzz2VBLAymuvFpgiqgCAoCAoIqoArGPb+TURUVURTZt28fDRvF/64X2sDAwMCgbP60gSWKIg4VYmNjWbJiJbm5uYgCpGdkciQhgSNHjpBy9erfYwgY/C0IqkqBxUr9gwcwOxzsbBSP1W5DvYEHQ0XFqlrZK+5BRKS+0gCbYEMwbvwdT5u2bQkPD0dRFM1DLbgZ+AYGBgYGf4ibCnKPDA0BQgBQgAB/f8LDw8nNzTWmF+4gBEXB7uVNFV8fTAU2wrt3x5KXhyqWrUOroOAlemFNsyIh0TGoE3lKHuKt0a41+AeRZRlVVQkJDSUoKAiTWNrqVgMDAwODG3FTBpa92OozgfCICExmMzabzfBj3EkoCrKfH/7HjiLm5WKpWw8xO0sTvioDWVXws/hx4Ph+JMFMndh6ZNmzkATDwPo3IAgC/gEBBAYGGI4rAwMDg7/ATRlYJb1UHh5WoqKijADZOw1ZBrMJISQEIdeToPBQKBd8QwNLURU8JIlyqSGYRBNR5UMJloMRDQPrX8OdmCvUwMDA4Hbhlii56xQpfhuD7B1FYYoeTcdKQEDVBbHKPoXi5xT/bPBvwDCuDAwMDP46hiVkUIhQxudbfY6BgYGBgcG/n1vqwTL430RRFWRVQVZlQ57DwMDAwOAfQV/sLAribbGi3TCwDG4ab7M3kiDiVYoSvYGBgYGBwf8nKuC8DX7rGwaWwV+k6Oldf3YdFtFEgexANGKwDAwMDAz+vxFAQMQu22hZvjUxfpE4FfUfjQs2DCyDIrSMy0Wfb/BcioKEDNxTsx92xcGl3OT/lyr+ZRQZjBWOBgYGBv9KVBQsooUz6WfYl7SXMXd/+I8vujIMLIMibDbtf1XVpBvUGxskChBg8uHJhsP+f+pnYGBgYGBwA05nXOTrvV8iqwqSKP2jq6ENA8ugSI6halWEyZMRk5PBKf9+LkI0W8yB8rdX8S+hqiBKkJEOLVuh9OsHqCAZj72BgYHBvwlFVbCKIjn27NsiwB0MA8sAtGlBFdQWzVEiIiA//4YaWDr6D4Pb41EuDRW8veHsOcSff4aBA7XNivqH2mdgYGBgcOcgCuJtJXZtGFgGRSgqaqWK/3Qtbi1nzoAkgdOJsHcf+HijVov9p2tlYGBgYPAvxzCwDIoQBJBv0+m+P4OigCQiLl2G9MADqCYTgq0AYe5cBIsZ5/oNqNXjDE+WgYGBgcHfhmFgGRTn35LmSBRRa9UCSURITwNAyMuDmrVQK1b8Z+tmYGBgYPCvx1RagL1a4l8DgzsKUQSnjFq5EsoDDyB+8QVYrWCzIT/7LKqHVQvil6R/uqYGBgYGBrcAtcRn9///6PFlHaP+znFl8S9xVxgYlI5yTx8t0N1uh6golI53azuMqUEDAwMDg7+R/9kpQlVVUWRZG2j/SaEMg78PhwO57V2ocXEIe/eitG2Ls2JFhAIbmEzgdP7TNTT4OxAEJMM7aWBg8A/zP2tgmUQBSfyfbf7/Fm+8AYMGwchRWEQRPKz/dI0M/mYcGL+bDAwM/ln+5ywMVVWRBIHMrGzWrl2D3VaAZBJu+GWsKuBwyn9o8lVF04USRQFZUV0aUaJQ6Cy70Ylo6uhG8NstonA1oXDiBJLdjnPLZti9y+jffyuF3mh/f386d+2KSZKMW21gYPCP8T9nYCmKgtUksXXrFqZ98QV3d+xBSkp24Zexbh4VpuITtC1mi0S5QE8Esey4HQFQUREFUBHJtTsJ8DBhlzUjq0AG2QkCamFSysIwIEH/VyvBLAhGeNCtJjQUZs2CtDTIzf2na2PwNyHLMpIk8dnECdSuW5eqFcpj+4eTvRoYGPzv8j9nYOnITifduvfi3LleeHplIWBFQgGcOJFxyiqKXcHTDBePXqbhoPr0uSfmD5W98nwudsmT7lGiaxXBsKugCEAmyNngzFRRchyouU6c2Q6EXCdZWU6mPBtGZf+/q9UGBv9+zp49S0FBwT9dDQMDg/9x/mcNLJNJ4sKFq0hCNmM+ULBximNYyaY8CtVwHIOAs9DIH9YszWXDgeP07BGB3e7EZCoeQCugoggSEjZ2bH+bmRfupU54AF55gdxVKZCUHJVLSQ78CyDjeD5yXj5iQQGObAf2XCeC04EpR+HCSZnEXibK1/JHVlSkG3jMDAwMiuNwODCbzWRnZxtB7gYGBv84/7MGlqqqmEwiimzGefk3zgTsZonFh8u0xpQdg7zVQrV9UMcfbPuu4dG+HCaTCVUVMJuv//JW5QK4MIImkZ7s2LGSGvUfpkO1UEDFaVJpg8wTlTwRankR4AMpGeDlA14muFag4m8WWX8olbwcMJlMCIaBZWDwp9DeaROCKHL1yhWqVKiAaDYZwe4GBgb/CP+zBpaGiqCqmBznsYsHOCsFcYo4zIqK/ZKA9Qg4vVXkQ1dROwYDWqjU2bM2rl2zI4gyAiLBwSoxyktgCubwd2do4RVEhNlEfr4dT08LiqJgcsocPaZQv5XAhM8Erthz8TSbOb/HTFS8DYsksXOvyPD/yP9wnxgY3NmoisLhw4cJDg4mKjoaHx9vw8gyMDD4f+d/28AS0Faa/R975x1nRXU98O+dmdff9r7ssnSWLr2LIGBDsWDvPcZEEzWJSUwxxlgS4y+x9xpAQFFBpAgISJNedul1Ydlle3l9yu+Pee/tAgtiSQSdL5/3Yd+buXdum5lzzz33HP9WfNIGikQCRfRF0QSRXQLPGgg7DfyHD4NUCEBtrcYVV+5g1AgX2HX89Y0MzPs1117fH9+8KvbIPVhhG8vyB9/nhsv7cNtVQ1AjKpKqsbUkQGHQxTWXC866to7RY1N46W07E+6JoIc1brhaJhi0fDNZWHwbdF1n65YttCkowOly4Xa7LUN3CwuL/zk/WgHLwABJxgg1UL+/lBIlRKVLpV6UQdk+OOyhot5gn19lL4eQog/ounqVEcNdDLw8iamzSnn8pudp3W0Ie5/fyx+nplBSeBEdE1UuvnwggXCteS0NjKBBvdbIp585ycmCDR8mUr4rwsF1Kg9dGyAzyWBLo0IgYL0ILCy+LbW1NQSDQSKRSLO9wRYWFhb/O360AhYGCEkiEqynaFs9xTUQcgqEqECqWote58InYIMcoUg9RLfoI1qSdFQjwKdLPBh736R1us6eF0r41dsJzNLGo326gY2OBG5r56Fthm5eyjBw2nSWbw7iCmnMnCPzcHIRZ4UeoyY5SAMNLCnxkvj4y+S2Tvw+W8XC4geBEMISqiwsLL5XfrwCFgaSkAkEGlizrYEdpYKgAwwq0Bs2YdQ6aDQMinSVXVTQM/64NtAkHY+opI02i2XPpfLXOSNYpI3EHTxMUAgcMhhCwxCmPZUswF+v8dSv8nhnusSBAzD47k4cnjyM8mAlNcKH0sqOxytj6N9fi1hYWFhYWFh8N/xoBSwDkCUJf7iBjXuq2acYqIqKQgki+CVGo0JQEWxVVPYbZShCYBgGhqHj8oA3UeHVDVcwo2oE5UlOWocaCIkE7FqIZJeXhEQ7SDXxNNU1YTIzJAb00rnkAmjfKoXqkQ/QFVB1SJFh6vxyAsEIYETTfc+NZGFxmmFYN42FhcUpwo9WwNJ1cDtt7DkYpmRPW2q0MI1+HxhO0A6DalCOwWxVJYyOZAiEECQnuVm+7gA3d+nAbffeiKAeQZiIkYRuqKi6k4QEWLlpJWP6dEQIQX66G1lu4BevlZLsgfAWg3BIRzJ0MzaOMNANQTBi8IsJeYBAka0FDguLr4PNZgNAlmUikcj3XBoLC4sfOz9aAUuSZOrrK7j1zmEcPPgkimJHwsCUeHSQDMAACdDDnNHLzcGDB9F1g/FjXOzYthWbPQLCwJAiIDSEpCJJKv6gRo80G73atubgwYNIAu45U1DdoMWDFcZC6oDp+kHXweOUcSqVHDyox8KqWVhYnCSqqqIoCg0NDTg9HisOoYWFxffKj1bA8no9zJv3GZFIA0IYSFI0MCBwxJ4jAxCC994LEwxGEAJSk50oikyosdn5Rix99G8hePvllwhFZ9IGoEiixR1Nsd903UA3+FHHIjQw+F+ZJ+uGHjWGPr0a/H/ZRqcTuq4jSRJr165l9DnnoOuWQaOFhcX3x49WwKqtq+Xaa6/lvvvu+76LYmFh8R1y1113meFyJOmrT7awsLD4L6HE1OhH/3/03z8UYnUSQsLn86GqajyG2Y8JRWmSrVX1f+fc1Aw3pKNpTdoFWciIqM2ZpmnIsoyu6eiGfkQ5j1dewzCwyTZzOdcAVWs6Hk8fVRPG8tUNnUO+Q3gVL0nO40fXVhQJEKjq9+9hP1aX2FJY7G8ARVKgmTyhqZrp6w3TZcERsfl0UPWmNtINHbtsPyI9mH1hhp+RieldDUND007NJ0PsPg4Ggwgh0DG7PfaxsLD44dKSLNPSvX/08aP/PvrckznvePxoNVgAkiRFX/gGkiQfYfMUW6Yzokt2sWOxv83JsUDXjWPONT+n5hKOWQ+DDRvKOHSoHq/XydChrYFY3czdi83rK4SI2okZR7THiY7F0kpHxVPctq2KjAw3qakuDMNACEFjuJEnFj/BlM1TwICxHcfyt1F/w+vwsql8E4f9h00BAmiV0IoOqR3i+emGjiQknl7xNO+tfo+Hxj7EuE7jUHUVRVL4YOsHPLHkCer8dYzvMp4/jvwjHpuHP3/+Z15d+iqjuo7ijYvfMMeAkJCEFG8nIaC0tIFAQKV9+xTz99gOz+gynUCgYwqLEpL5Yjf0+PHY/7F8mx+L9wlGPG3LfWaAgAV7FvDIokfYVbOL1omteXjUw5zd9mwADvsOs6VyC6qu4rV76ZfTL95mqq6ypnQNtaFaZGQKMwrJ9mbHBTAFhUO+Qyzas4iqQBVd07tSHazm/A7n47K52L2nhq1bKnC77fTunU1SkvNrj7uWiI2ZGM3Hy9HjsPnx5mMtZr8IIMtmLEJJktAtA0YLC4vvmR+1gBXDFLC+mUAkH2e3X+wFcCoRF2gaI1x00WQqK+uYMOEMBg/OR5YFum6+wI5X7hO10YmOaZqBruuoqsHgwa/yu9+dyb33DiCiabiddl5d+yp//fivnN/vfA75DvHs3GfJ9mbzqyG/4oJJF1ByuMTMKAK44aY+N/H8Bc/jlJ1IQmJb1TYenPcg4ZowG8o3MK7TOBRJYeWBlVw58UpSE1LpktGFJ+c+SUOkgecveJ6hrYfyxOdPsLN6J7KQjzS7MyAS0RACHnlkMcuXl7Bq1R0YhoHdLh8jCMkcGfw7Jky12E4nONYSBmafNYQbGPvOWFKcKZzd7mze2/Ae175/LRvv2kimJ5Onlj/Fk3OeBDegwrtXvsu1Pa8FYH/dfvq91M+ceoXgrK5nMee6OSiSgiQkPt/7Ode+dy2ltaVgN89JT0tnyU1LKczoxPLlJTz85wXs2FHJa69dxi239EbTdGT5my/BmZOUY8fM0YJ7SxydLqacO0JLZ2FhYfE9o7SoV6OFv38otFBPu93O/Pl7eOaZFWzeXEm/fjkYBgwYkMuqVaUkJjooLq6gXbtUIhGV0tJ6nn/+QkIhld/9bi59+uRTUeFj0aK9jBnTloceGkFOTkJcoDnVkCRBY2OY8eN78MYbFwFNQuahQ408+eQSZs3aRWKig5/8pB8333wGkiRYvbqURx75nI0bK8jO9iKEzv/93/n07p3DXXfNJBzWaNs2hQ8/3EpOjof77hvK2LHtkGVzicpmA1XVcTgUbDYZm818IfbO6c1TVzzFfYPvo6iiiDMOnsG6Q+uwyTYePuthbp18Ky9e8SLndzifs948izeXvMl9g++jR2YPDAwemPMA7VLb4ff60XQtrtV6ec3LqGGV6VdNZ0j+EAa9OohX1rzCX0b+hTHtxtA+uz2V/koum3IZ2yu38+thv+a6HtchhMBuN8umKBK6bmCzmcLE4VApv5r1Wyr8FZyRfQZnFpzJa2tfIxgJcnn3y7mh1w28sPoF3i96nx01O8h0Z/Kb4b/h0sJLkYTEC6tfYNrmaYztOJaBrQby8KKHMTSDx8Y+xuC8wfGyx4hpuhyygz+f9Wcu6XIJ3TK60RBpYNaGWdQGa8n0ZPLrob9md/VuZmyfgS7pvL3pba7ucTUA+Un5TLtqGrd+dCu6S2dFyQrWHFrD4LzBVAWquP6D66kMVjLjlhl0Su3EfbPv45NtnyBJ5k1y7TU9yc5KYMyYN9D1b/9QiN0XS5ce4O9//4KNG8vp3j2T3/xmGEOH5mMYBo2NYf7xj6VMn74dt1uhW7cMbDaZZ589n+ee+5LZs3fQrl0aF13UmTfeWI/fH+TBB4cyZEgbc/k5rlbmh/kcs7CwOJKW1gJPtEb4Vb9B08S7JfnoJPhRa7BidkAffljMhAmTkCQ7Y8d2YNmyEkpK9qPrQ1i4cC9VVY107pzB0qU7aN8+hwMHqnnooQU8+OAwli/fz5w5xWRnZ9K2bTLPP7+YpUsPsnTpzbjdNpr2CJ5aGAY4HDKSJFBVHUWRqKz0c9ZZb1Jb6+OGG/qwfXsVt902hYoKHw8+OIxrr/2A3bsreeyxsezYUc1bb62isjJAJKKxbVslX3yxFfAwfHgBCxfuZf78nSxffieqqjN58gZ0XSIUUpkyZTO7d1eSkuzmgV8NYUTBCEYUjABg5vaZqA0qw1oPQyDIS8zDkA2+2PcFFY0V1AfqaduqLTneHACmb5nOspJlzLh2BldOvRK7bI8LKOvL15OUkkTXjK4AjGo3ipW7V7KzeicprhTQYUfZDpKcSZQ3lPPzmT9nXOEFGPUenvj7YsJhjc8/38OhQ4384pezEcCoS9LYXl/MirWr8Qz1MLT1UKZtmQYRGN91PAYGHxR/gE228bMBP+PVNa9y/ZTrGXrfUHIScqgP1fPFni9Ytm8ZTqeT/IR8isuK2VC2oUUBK4ZdtvPQmQ8BsLduL2tK1lCQXRBvhwR7AhsrNnJ739txKA7+vfjf7K7ZTYfUDkhC4mD9QeyKnZcvfJnLJl7G9C3TGZw3mJUHVnLg8AFuH3Y74zqOA+Cpc5+iV3Yvsr056LopeLtcygndhsQEr6/SBMfymz9/D+PGvckZZ+RxzTU9+PDDLZx33hvMn38bffvmcOGFk1m0aBNnnNGJhAQHr7++lISEVP7857MIhTRmz94C2ElJcfHeeyspLMzD2jRoYWFxKvHj3WZjNNlJvfjiajQtzNSpVzBz5tUsW3Yro0efwQ039OKcc9rTsWM6b755MbIs8Ze/jOTyy89g48ZyBg5sxTnndMFmszFz5jUsXnwz48b1YcOGPaxeXWra45zCD31NM21ZYi/H6dO3sn17CV275pCR4aagwDT+fuKJpQC0apWIqgb57LPdJCU5ePTR8xg8OA+328Z99w1GkmT+/Oez+PzzG3n11YtQ1UamTStm585qpkzZxAcfbCESMdi4sZypU4uY+cl2AgEVPRof6LX1r/HgRw8y9oyx3NnvTgACagBkmL51Ov9c8U9qAjU4bA7qQnWousoDcx9gRJsRYIAv7GPNwTVsPrwZgJAWwi7b0Q0dTddwSA4kJEJqyPxfC5Gdks0XN3/Br4f/mrraOnZUb6OhXuWD6VuYMqWIPXtqqa8PMXVKMe+9txGPP5f3r56K3WsnPymf0e1GYzNsPDjqQW7rfRsCwd0D7ybbm8368vUoskIwEqTMVwbAb4b+hrM7n42qqrw+/nVW3rGSfb/ex219bgOI200d01eGaWR/qPEQl028jPK6cl4c9yIJjgR0Q2dZyTK2H9iOqqv4wj4ioQgzts1AN3RCaoiJmyeiaiq+kA9ZkZlcNBnd0Kn0VyIj0zapLaquElJDdE7rzKNnP0qiIzHuGf2rDNslSZzUMntMsfTcc6sIBiN07ZpFSoqTtm1TaWgo4513NrBzZzWLFm1i9OheLF9+C3PnXs+TT45nzJh2JCU5+PWvhzJnzm3k5SXyyivLuOyyvqxc+ROGDs0H+FZLlxYWFhbfFT9aDZYBxBQFjY0RFMVGhw6mIXNeXiLz5t0IwFtvrcfptJGa6kbTDFJTXdjtAim6BdzcXSaTkeFGUSRSUhzR30/9dYmYkXBMM1FXF0QICSEMyssbkSTBffeNoHVrs13++McRdOqUzLJlB5k3bze6HsRmE9xzz0AiER1d18nIcCNJgsxML5IkU1kZ4LrrenLddT0BSEl5nN//fgQPPDD4iLK8vPZl7n7/bib0m8Az457BF/bhUlwkOZIgDG9c/QYTukzgpTUv8ZNJP+Gfy//JX0f9lf31+6nyV7Fw70J8YR/vb3yfdmnteGL0E7RJasO20m00hBtIdaWy8fBGdFmnILkgLly3T22PQ3GQm5iLkAWGKlHQzsOO7fcAcNddn7B06X42brwrXlbDMDinxzlMKprEwYaDuOwubj/jdgwM5u+ez5UTr6RrTldu6XMLoUiILQe34LF54ul1XSc/M59LCi8BoJW31Qn7STd0ZCGzr3YfF026iAPVB5hx0wyGth5KQA3gUlxM2zINm93Ge5vfw8DA5rXx1oa3+OXgX7Kndg/rD6wn2Z3MrR/fSoozhZKqElYcXEHvnN5ohsaqQ6tQJCUu4FUFqkh2JiOaOcM9mpi9VCiksnz5ARwOhX79crHZpBPYIJo/1teHkGWFSESjpKSBzp3T6NTpAi69tBuHDjUCgtzcRJxOszy/+tXQI+y++vfPJTHRSXFxOQkJThIT7cApPJuxsLD40fGjneoJAXpUCBozph2q2shdd33C5MlF/OUvi0hLe5InnlhKSUkd5eUNLF9egizbWbBgDz5fhMrKekpK6nG5bEQiPi6/fCp33DGDd95ZRevWWfTpk3NKGrofjWE0GeqPHdseIRxUVfk4++z2jBrVlp07q1m+3DQyv+++2TQ0hHn11Yt49tnzAY2lS81jpobDzoMPfsZPf/oJd9zxEbouc+mlhdEdYQbhsEZtbdDUWukGobDpKuCF1S9w59Q78Xq99M3ty60f3Mo1719DSAuxcO9CAObsnMNr617jw60fggFem5dkZzLbfraNaVdO4/5B96NICud3OT+uDbqm5zWofpX75tzHM18+wwcbPmBI2yEUJBew4sAKKn2VlNSWsKFsAytLVmJoBvP3zCesRVBV00WBzxemvj4U39WmahpCCO4deC9l9WVMWTWFa8+4lnap7RAIVpeuJtwYZkjrIYxsM5KwFsaIGMzZNQfDMPho20dsr9xOta+aRxc/yjsb38EX8Zm7E1tY4I8ZuZc2lHLhxAvZuGcjg9oNYsvhLbT6RyuKDxez5tAa3ljzBm3T2zL/hvl8dsNndEjtwIaDG3hh9Qv8fdnfCflD/GLIL9j3i32m8XsY/vTZn8hwZzC402Cmr5nOQwse4sOtH3LF1CvIfzqfxfsWI8mxXX3Hjp2Y5nPWrJ2MHfsiDz/8ObIsThgPMHbsoos6oWkBZFliwoQudO6czvz5+9m6tYq+fXPwelN45521/PWvS5g8eTOjRr3BgAGvEgpprFpVypAhL1Ne7uP++0fz5psruOKKyWzZUhEtlyVoWVhYfP/8aDVY0LSU8MADQ6ipCfPssytZsmQHsuzkkksKyc31sn59OaYgsZ+srCRmzNhOnz45+P0+1q49hN0u4/EkIwRMnLiZ0aM78cQT55KS4owKWKeuhBXbqSWigax79sxi4sQruO++WVxwwauAQkFBKr///VkA1NaGmDhxDXPn7kEInU6dcrj/flMT5XCYRuF9++YybVoxiYkOnn/+Ms4/v2PcqNlmk3nxxQsZOLAVkiTigt2cnXNwOpyEjBC/nfdbCMOEPhMIa2HeL34fp8vJq2tf5dUvX0W2y1wy4BLuG3wfhmHQPqU972x4h4fnPYzX62X29tmM6TiGewfey2WFl/HF2V/wwvIX+GDdB/TK78WLF7yIQPD+lvfxB/z4wj7e3fgun+/7HKfdydTiqdw76F48igcE3Hxzb849t0O8HxVZxjAMRrYZyfjC8SzcvZD7B98fd71wVfermLFtBs+veJ7nlz/PsHbDSEpJ4s31b3J3/7v5/fzfU1Jdgt1p56E5D9Emsw1j2o3BbXOj6uox9lcxm6ziimK2VW3Dnexm9o7ZzCqehSxkklxJ/HP5P9ECGnv0Peyq2UVYC7OzYidOh5NHFz+KX/Xjcrj4dMen3D/4fqYVT8OZ4GT+zvmsKVvDlMuncMO0G3h0/qNgQFJiEjedcRM9MnugaXp8+e/ooRz7PmvWdiIRg1/+cjCSJNA0g+Nt6IuNtdtv78uBAw38/e9LefPNFYCDoUPz6NEjC6/XzowZ13DvvTP5wx9mAxLt2qVy333DcDhk3nhjHdu3H2DQoELat0/G40lk6tT1DBnSmi5dstA0ENaGQgsLi+8ZEdTMKaVuaLhkmbm7F7L20GoeHPorgtqpuQvu26BpGm6bzAcfz2DLpo38/ve/R9NUZFmhpiZIVZWf7GwvXq8dgMbGMIYBbreC3x/Bbjf9ZgWDKooiccEFE9m1q4aZM6+mfftUvF77EX6iTiVigo7fHyEv75+ce25HJk68NOrLS0BUWxIKaRw4UI/HYyM93R11tgl799bidtsoK2vEMAw6dkzH7VbQNJ2XXlrLz372Pu++ey1jxrQlMdEZF7q+iogeIRgJAqZvMsMwsEk2HIqDoBokrIWRJTnuVyq23GZggAFhPYyqqfHQNw7ZYToejbKvbh8NwQY6Z3TGJpm/a4aGP+wHAV67l6AaJKJFcCgOHLLjpModUANU+ivJT8w/4nfN0NhXu48ERwIZ7gwawg3YZTsO2UFEixBUzbrKQkaRFdPJ50ngi/jQ9Wh4n6i/rQR7Apqu4Y+YdYm1jS/iAwPsih1N11B1NV63gBogokWQJAm34kYSEgYG+2v3E1SDtElug0Mx20DTdWRJYuHCvYwa9Tovv3wxt9/eB1U1l+tCIZXc3H/SvXsmixbdRGxTx8mO/draIIcP+8jO9pKYeGS7RyI6paX12GwymZleFCXmjFYnEIggyxJ2u4zfH4n6tDNwOOzceuutqLrBRRdfTJeu3Wjbrh3SqXYzWlhYfKfoho5LlthUsY1Jm97lDyP+jHyUf0vzPFPWmVg0lbpgLXf1vZ2A1vLmIpsEjyx+lFFtz2Z4/qDjnnc8ftQarBjmLN0gJcVJSorpRDHWKTFBCyAhoekF4HQq3HXXJyxevAOwMWrUa7z66qVcemkXIhEt7oLgVETXIT3dzezZxdx0k8Srr16EoggMw9Q+OBxy3LGmeb6586tNm2QAMjOjAk506W/GjO3cf//HGIadG2+cym23DeCFFy6Itqt0xMtW0wwk6UjNnk2yYXO07EnfqThxKsc6toy7wBCmC4OWhKLYkltBUgFEnbXHNEKykElwJMTPdSkuXIqrhbYyjlhGbY5LcZGfmH+E41DDMJCFTLuUdvHzEuxN17HJtiOEvxg7q3cyb9e8qIBplh5Mv1lhNczZ7c+mS3qXFloIZOnIuhx9zaPcdB1T11ibFCQXxH8zDANNM1AUicmTN/OXvyxACCk+rmMTiOrqIK1aJfCb3wxFCNA0jqu9ak6sjsnJTpKTm/o3NtZirjEKCpKPOSbLEl5vU3/H7ktVjXz1hS0sLCz+R1gCFsQ1As39VjX3zh773iQJm7P0CRO60LFjKg6HgqZpnHFGNkBc43OqYdYRvF4bEydexv79dSQnO5FlKeo123yBHWlD07Q77GjbmpizyJ49s3jssfOw2xX8/jB9+7aKH2suXMVekC0aTB9jf2SKLAYGRlTDFnN4Eeuv46WPCTvNhZ6YLVPz2Uc8lExUM3Z0el03mmn3jkTXDbSorY8kmpY7Y+NI1fRo+UGWJITUdB1dM9ANA4Gp7XLY7Gyr3MZTS59CSBKaZiAkMHQDu81GOBQi3ZtOYVoh4YhqzsowkGUprpkxMAUimo1X6Wih0Gi2G1CALIkj2iTevyIWXsf82r9/Lo88MoaEBDv9++cCTWM8N9fLxo13xfv0eI53j8Y8XzQTJsURntzNcRg7Zp7bfJdiS/el5bzdwsLiVMISsJohhKCmJoDDoUR9WB25zNf0t/nH2We34+yz23E0p/Kyaqxo/frl0q9f7lHHYuVuufxH1yv2tV27FH7xi8EtpTji24m28YvjXROBkGIC0/E5XnqznKLF481/a+n48VwPxIRHSWpS1cSEx1huNkU+Jk1M4pJlKa5UUpDRdYMx7cew8s6VOO02PLIdDR0ZQV04RERTSbAnmMuf9uPEzDRAOco9QfMJQ0zjFFtma4lj+ze607J9Ku3bpx517Mi/v+mSeEzQ+mbHjv3bwsLC4lTBErAwl8xUVScUUmnT5l/ccEMvnnnmvPhLU1WP3JUkhPmSjGk4Yr8dvRx2qqJpRrROTS9gu13mk0928Pbbq+nYMYs//eksiGlJmgkZmqY3i/0m4poGVTWDAJsvcTm+6y52TiSiUVRUSbt2ySQkmMuuXyWImvnqPPzwIoqKyvB6nfz972PIzvYe8UJvqUwxdD2q2WlWV1k+VgPWEkVFFSxYsIfy8kYefHAYXq89Pib27avj3Xc3UlfnZ9SoDpx7bvsj4uNNnVrMypX7yctL5vrre5GW5oqnLSqqYMqUIsLhCOef35nhw1tjx06aK42DJT5emLSBgwfq6NAxnZtu6kVSgimOhUIq77yzkU2bDtGxYyY339wLj8ce30yxbNkBPv54C0LApZd2o3//3LgWKGZb9957m1m37hCaZvCnP51FWtqxy6It9UMs5ubxQticDuPewsLC4n+JJWABdruEEBKKYgazLSxMP+L48Zb8Tta54qmEYRjx0DVHU1cXZMqUjRQUZPHXv446TlrpCBubmNBghr5pfvaR7bJ1axVnnfUa//73BdxwQ6+TKGeTsFJSUsenn+4kFGrkt78dFhWwmpaVjlem2P9fp49iafbvr+Oaa95n48b9gMItt/SOb2A4cKCesWPfYvv2UmTZxd//voiXX57A7bf3AeCPf1zII498isORQCjUyPvvFzNz5jUkJjrYuLGcsWPfory8FrDx1FNLmDLlGsaP70zJgTr69X2Jioo63B4Pfl8Vi77YxeTJlyGE4PbbZ/LOOyvIzk6jrGwJCxfuYdKky7DZZBYs2MO4cW+jaeZYfeaZ5Xz22S0MHJiHEGYIpKuvnsKiRTvp1i2PUaPaxsP/fBVmG59e49zCwsLi++ZHLWDFbE5KSuqZPXs3kYjOlVd2JznZQTisYbfLhMMaH320jdLShqjmQyI/P4Hzz++IopzIoeKpiRBmmJLZs3cgyxIpKS46dUrjkksKueaaHrz8ciElJfW8/fZ6tm6t4qKLOjNoUF487Zw5O1m58iAOh8Lo0e3o29f097V9exVz5+4iK8vDuHGdmTq1iP37axk/vpCePbPYvbuGuroGdu+uoaLCjySJE2pPYm0qSYK33rqYrl3Teeih2XGhoLm92EcfbWP9+jISEx2ce25HunZNjwtKO3ZU8/HH26iu9tOzZzZVVX4uuaTwuLEiY98zMz28/vp4XnttLa++ujbu0kMIwSuvrGX79n28/PK1nHtuBwYPfoXf/vYzrr++J1VVfh5/fBG9erVjzpzree65L3nkkZlMnbqF227rzdNPL6e8vIoZM26lU6c0+vV7nt/9bgHjxxciCYnCwjQmT76SwYPz6NHjBaZO2cw7b19CVVWAd975kssv78uUKZfz29/O5/HH57Bu3RAGDszjpZfWEAiEKS//HbIskZ7+N/71r5VMmpSHpun8+tfzWLZsL/Pn38GoUW2+41FlYWFhYXE0loAFrFlziAcemIOuC3w+Py6Xi5Ej25Kd7WXPnhquuWYaiiKRlubh4MFS8vJyWLfuJ6SluU/ZgM5H0zwG3AUXvEXbthm0apXA/PlbGDCgPZdcUhhvj337DnPXXbPw+xv5z382sHLlHaSnu7n11pm8/fZKhLBjGBoOh8QTT5zHvfcOZMGCPdxzz0e43R66dEln06ZywuHDHDhwDkOG5HHTTVORZRePPLKYhx9eQI8euXz++Y2kprqOsl86ktjyVCCgoqp6M+Nm093EVVe9z4wZG5FlF5oW5uGH7bzwwsVcc00PZs3awXXXTaOmpgGPx4vPFwJC5ObexMUXF7YoHMe+OxwKffvm8MknCUQi6hHnLFy4B5crhcsu60JqqosJE7rzr399zr59tezbV0ck4ueGG3qRleXhhht68eijn7F48V5uu603n3++j9zcbMaN6wTAmDGFfPhhMQcO1JOfn8jcuTfhdJouQYLBEK1bp2CzydHIABKNjREqKnyEwyqSJFFUVMHAgXnRNpQ4cKAet9uGJMls3lwOQFlZI1OmFNG2bRZvvrmO555byW9/O5x+/XJPm/FrYWFhcbpxam53+x8RC3dzzjntWbXqTtauvYMrrugVX0YD001Djx7ZfPTR1Zx5ZmsUxckrr4wnPd0d16KcDsQEk82bDxMK1dGjRyZ33z2AJ54YxyOPjASadsBpGnz22fU89dSF7N9fyu7dNSxZsp+33/6CYcM6UFR0N0uX3o7H4+TBBz/j8GEft93Wh5//fDh+fy3Z2V6WLLmFqVPv4t57BzJ4cD4/+9kwNE3l4os78/e/n8NvfjMEl8tcU/yqNmz+/o+5hpAkwbvvbmTGjNVcfHEvtm69m08+uYFAQOU3v5lPY2OY3/9+ATU19bzzzlXs2/dLnnrqPGw2Fx7PcQzFOfI6mqYTDmvNrmseq64OkJDgip9jhgcyXRbU1oYQAlJTXXE3B7pup7o6EE+bmekmHNZQVZ3MTDeGoVNV5QdM9x+BgMrVV0/j4MHD/OEPZyJJgtxcL2PHFvLpp+vo0eMFnnnmS8AW16xdeWU3dF1j8ODXGDLkNXQ9gtNp1rO0tJFwOMSOHVUsX36ADz7YxIUXTqKy0h/3f2ZhYWFh8d3yo9ZgxbDbJTp3TgNM/1Cqqsdn9bm5CSxZcjMPPDCXadPW8fzzl1JYmIaq6qesO4aWiMqS3HzzGSxatJfZs3cwdepakpM9XHNNH0aNaouiSEQiOvn5aQwenE8goCKEIBzW2LWrGlkOct11PenSxbRRGzGiHdOnb2LbtkqGDy8gO9uDEHaee+4CCgqSGDCgKcbeT3/an+ee+4Jx4zpx8829v0a5TTur2NKgw6HE+2bbtioUReW223rToUMqHTqk0qtXPkVF5WzefJjDh/3k5mbE4yDed98gbr75DJKTHfG8j4cQIm5b1nRd81hmpodduyqjRvwSpaUN6LogPd2N3x/GMARlZT5kWRAMqkhSiIwM03dYRoabsrJGbDYJIQQHDzYgSQrp6W7AdGx7440fMHPmZv7+90u47bY+GIZpB/if/1zKU09lUVUVZOfOGhYu3EavXlkAXHZZFyZOvJaPP95KZqaHZ55ZSpcuGc3qGebSS3swadJl/OUvi/nrX+ewbFkJF13UGV1vGh8WFhYWFt8Nkrm/qmkO29LfP7QPzf4HcxdhJKKjaQaRiHZEAxkGPPHEUl58cTFPPDGO/PxERox4k5KS+mja02P2H9O+LFy4l+RkB7NnX8/s2beSkZHE888vpqysAU0zCIVUJAl8vggVFX4URaasrJFOndLQNBevvbaW4uIKFi3ax7x523G5nHTqlE4wqFJSUo+i2Fi/voydO6vx+8PRZT2D6mo/hmEwb94eNm8+zN/+toR//GNZtGzHb8PGxjC7d1dTVuZDURSKiirYs6cWwzDo1SsbVbXx3HOr2L27hg8/3MratXtJS3PTo0cmubleSkvLeeWVtdTUBPj4423cc88siooqv/K6kYjG4cM+qqr8KIrEjh1V1NWFADNmYzBYy1tvrae4uILJkzeSm5tGmzZJ9OiRhcvl5Y031rJ7dw0vvrgaXQ8xenS7aNoOlJUdYuLEzaxaVcrcuVvo1SuL7GwvNTVBrrvuAz74YAM//ekw+vfP5dJL36O83AeYwv9jj43hZz8bwNq1+znrrE507ZoRX+a7+upuTJp0GQ0NZuzE224zBdncXC9Op5eamgA2mxzVyunx3Zw/RL7vZ4z1sT7W53//4Wucx0mmOdnzWvpYGiw4QkMS24auaea+/zVrSnnkkXmAwQMPzEXXG3E6k1BV7QQ5nnrEZInlyw/wxhvz+OgjM6bijh2HGTmykJycRJ5+ejlr124DBPfe+ylr1x4iEvFx112fsG3bz/jlL8/m6acX0q3b/wE6Ho+Tf/1rHFlZHq64YipTpy4HHFx88RuAg4ULb+ass9qg6wbt2qXSo0c+kyYtZ9KkdYDO1Vf3iZftaDMgTTNDsTz33Jf89rcfY7oj1xk37nXAwd69v+S663owa9Yg3ntvFe3bbwFUMjISeeaZ8/B47PzjH2O48cY67rhjMnfc4QQ0WrfO4A9/MJ15mkuNx15XUSRmzdrBJZe8jnmL6IwY8SxjxvRi7tzruOWW3kydWswDD3zIAw/YkCSJSZOuioZ08fDoo2O4774Pad/+n0CI88/vw/jxndF1g1/+chBz5mznuuveBWQSElw8+eRoFEXigw+K+eijFYCLZ59dxrPPLgB0/vGPsaiqiwcemMfs2dvZtq2E/v078PLLF2K3mxq2Tz/dyVNPfcHChftRFI1nn72YM88sQNN0cnIS+NOfRvHb336M0/kIoZCf888/gyFDWp/y8TItLCwsTlcsAQvz5a7roOs6JSV1SJIUD79RWJjB3Lm3EghEUFUDWTZISXHTpk1KNO3p8XKKLYdde20PunVLJxQy63r99T254IJOyLJgwoSudOpkOpQsLMygqipARcVwvF4XaWlu/vnPsVx6aSGbNx/G6ZTp1y+P7t0zMAx46KEzue667kiSjKbp2O0KvXvnxK+fk+Nlxoxr+OKLvYCgY8e0uKPTltowZh93zTU9KCxMi/oYE+i6jsOhkJ3tQZIEkyZdxh139GHLlgoSEx0MGpRPx46pGAaMGNGGJUvu4Isv9lFbG6Jz5zT6989tFvKopeuaAsvQoa2ZPv3mZtfVyMtLBswlwjlzrmPmzO1UV/s588y29OvXVNdf/nIQffrk8OWXJeTnp3DhhZ3weGzoukHHjqksWnQLs2ZtJxhUOfvs9nTrZi7lXXBBJ2bM+KnpCV417QCdToXWrZMAyM9P5LrretKr1zmMHt0Ol0uJBlYWJCY66N+/Fddc04tBg/Kimq2mdnzwwaH06ZPDunUHad3aLJPDIZ92u2AtLCwsThdEoFmwZ7csMyca7Pm3Q39F4Aca7Nljk3n/4xkUrd/AH//4EM8+u4LXXluHpsGmTbu4+OJ+TJ9+lWWbchQt7Tg70Q7AI9P+717kR/vBOhqfL0JJSV2LaVXVIDvbE7eJaomW6tL8Wi21UyzNt2nDY8tx/PszJnj9mIhEIthsNm699VYiVrBnC4sfFbqh45YlNp5EsGd3NNhzbbCWn/a9Hf8Jgj3/dfGjjGx7NmfmDzruecfjR63Bij1zu3fPpH37VIJBjauvvog77+wfP24YTcuFzdPJ8ukpeRmG0cxuzNxBFjPobu6ZPuah3XyJm/UVQhzVFk0x+JqnjWGmiZ4pYoGTm845Gc/3LeULTc5fTTcOTWWK1SVWh+bX1DQdm01mw4ZyLr98SrxcsSIpikQg4OfXvx7J/fcPIhLRjxB8RDTm4JF1afIO3/w8s53M9pWkJs/xpjas5bSxAMvHq2ss8HRsl2tz4SrWRrF8WxKujlcmCwsLC4vvnh+1gAU6kUiE4cPzOOusdphmaQLD0IhEIsdNZb7UTy8brK9C047//UT11fUWfwb4Sju1b9OGR29GaM7RdWnCXHpr3z6RF18875ijQggiEZXCwgxUVQUMDKNJCDHboeWcT9QOJzp2MsdbqquqtnDid3jN05HYPWsK3JbwaGFh8f3yoxWwdF0nKSkZ2xHxXWJaBjm+Pd/ih0dWlo0LL0z8voth8R0Tu5c9Hg91jb7vuTQWFhY/dn60ApbX62Xy5MmUlpaiqiqyLEd3EEaD2R67UmNxiqNHDeakr1DPGDQtqUlIGNF/MYQQnCb+Yy2aoek6siSxaNEihgw/84ilYwsLC4v/NT86AUuWZUI6DBs2nKeffR6/348QUFVVzbatW9ixfTvV1dXWAsNphMAgZLPTf+MGAk4nGzsX4giHTygjGxjYhJ0N0loSjCTa6x0IixDCsHr+tCVqUHdGn77k5uZi6Lpp3N5k7mZhYWHxP+NHJ2CB+by1O+0M7HNG/Dcd2FJYyJ7du/H7fdbe9dMIYRiEnU56fPIJoYQEeo0Ygd3vxzjBFlADA6dwkFyTRKYti0HeIfh1/9faIWJxaqKqKoauk5GZSXJyMrIsjtlJZGFhYfHf5kcpYAEYOviP2H0GmVlZ0dAw4e+xZBZfG11HT0gg+csv0ZNTkLt2Q66vP7GAZRi4bB6WbV1KrqcVXVp3oyFcbwlYPxBkWSY1LY2U1FRLuLKwsPhe+NEKWNDkhDFGYmICHo8HXdetLeynE7oODhtKVhakppFRkA/BMMjH36igGzpuxUZGVSa5Kbm075hPYySMLKzNDT8ETJcakiVcWVhYfG/8qAWso4l5vj5dfVz9aNGjxu2SBJJkDmpZBuVEApaELJlpJElCEiArMoolYP0gMP2Ffd+lsLCw+DFjCVgtYD2YTzOMI62YjWP+aClJC5bPhrV51MLCwsLiu8ESsCx+9OiGHv9YC8MWFhYWpxoCAwOBOK3sZC0By+JHjRACj92DJCQSlNPnxrWwsLD4saEDIf308bpiCVgWP2pCapDlJcvw2Jz41fBpNTuysLCw+DEgEES0MG1S2tIptR0h7fiB7k8lLAHL4odD7IaLWTifwJhOAKphcEnhZfxn09ss3vcFhmF5/v7uiYZFMMByj29hYfFNkIREIBJg0ub/8MjIR2mVkE1I10/5CbElYFn8cIhEzN2DQoD9xENbIIgAHdLa8pez/oQVHtjCwsLi1EQAEeChz35PXaiB1ok5nA5bkpRYEVv6/9QvvoVFE0ZGJvKH02HXTlPYOgkVsmYYaFYslf8Opt8TRGMj2pVXonfrahpRWG5QLCwsvgaSgLCmIoSEJKS4fNJcRjmeDHO0HHP0eRznvJZ+/7pykaXBsjj9kSQwQJswASM/H9QI8aUpi++BZm3vdiGWLUeZPp1Izx4gAxqWPGthYXHSCMxVBwPjtHqqWwKWxQ+D6F2nDx74/ZbD4kgaGqCqBumLJYiyMgy7E1KTQbe0hhYWFj9sLAHL4oeFahmqf+9oGtgklP/7F8ozz4KuQTCIPGkSRts2RKZOw0hMMIWs02AnkIWFhcU3wRKwLH5YnCDAs8X/CMPAkGSMnFzE3j3xn8Xhw+jt2mJ4PaAZVl9ZWFj8oLGecBYWFt8tsozQDbRLLkHv29fUUik2ANRfP3jCINwWFhYWPxQsAcvCwuK7R9MxnA608Reb31UV/Ywz0AcOMO3lrKVBCwuLHzjfaolQ1y17FwsLi+Og60Suvx75sb9BIEBkwgRUjxsRCoOiWFHVLSwsWkT6gZgPfGMBSwjwWLHbLCwsTkSbArj2OpjyHo677sYhBDjt33epLCwsTmGCJw7EcdrwjQQsAaiqxrING2hsbESSBMaJWsMA3TjZ2EEGhmEG4TWapTk2d6NFN0fm6dbyg4XF904kguFQUHQNORgkvLUYQmE4xcNbWFhYfD8IwOP10KNnT2yK7bTyedUSX1vA0nUdjyKxpmgrP7vjVsaNO5/GxhCSJMUbQ0QFHCFMGUiWJRx2GTWinYT/RwObohBWNWySQNUNEGDD3O2NEKYQJYj/H/tNSBCJGOj66d4tFhY/AIQwdxTm5sLvf4/4+GPL9srCwqJFNF1HkWXmffYZ//j3M5w5aCA+VT+tlwu/8RJhfUMjEyZcjCz/hPqGA8jCi6xrCDR0ImjoaKqOTYa6yhpGjO3M1Ve3Oam8N9YZ7G7QuTivabfRX+qgXgVbALRG82P4DPSAhu6PIAI6dbURfjUhmZ5Z37RWFhYWFhYWFt8X3oQEGht933cxvhO+sYBlkyUOV9QQ9B/kmb/ZiCSXslNWqCcDXe1EaLuCZ7/BAKdgzco1vL54HRMmtCIS0VCUI7dpCwxzOVBxsKvo/3hyQ0/6t23LlCobl3TNIhQ2WL47gqYZNBQHiDQEwBdEbQgRrI0ghSPIAZ2SIpUxXTrQJTUdVTNQZGu2bGFhYWFhcaoTiUSw2WzU1dcjKz8MVy7fWMAyMJAlgdvrgbq11HqXskjysJe+KOF8tGI7+V8adPcIbDvr8eQ4sNlsgITNdnTjGRgIOPgY7T3FdKqMIOWmc8mQHtgk0+Ctn9C4o7UTtZWb9FSd2joQikF6KlTUG9g1ie1l9ewsUbHZbAjJErAsLCwsLCxOF2w2G7IkUVdTi6obSCJmU3R6vsu/tSd3QzcQoYOE9I3sJYliclB0jXAphIsg4AB1awXGBV7ANMEIBHSqqyMYGEjoOL1uUhofw9B2c2hJMhNCeynonouCAUjouoHb0CjbBd0HCqZPUSiPhPF4JIoWKHQapmJ3GCxbbmPk2PC3rZKFhYWFhYXF94AsSezYto2de/eRmppKYlLiabuj8NsJWFGhUvHvJizWskUksIr2KBhE9gm0VYKwHYJl5RjjXPFE4y/ZTsc2Mq4Eldp6ha6pf+GXP3XAtky2bi1npvdatt37PmNHd+D+284mHFFRVJ3i/UHyutkYMUJh2FU1tCtw8Ppjydz/RJDNWwP8+g4PQpymPWFhYWFhYfEjRwjB9h3b2bljO23btsPj9aLIp6eh+zcXsGLemCMBakr3czDVR5nXR5VRBnVlcChMWYXOIUmwXy8FCgBobFRpVyBz5T3pTJpbx8/Hv0Gv3gnUz/Pw9L93saX3H8gKaIy/PIPDB3aZl9INRFinTmtkyfJk8tJh7axEyg7IJNoNHvqZjKHZEe4Iq4tOT1WihYWFhYXFjx4hqK6sxOfzEQ6HTYfmssRXuB84JfkWNlgghIwe8VG8o4ZNIQh6JIRRhdSwFr0qmaDQ2KRIFIf3A4PjaR3OEB8vCrN6wXu0PW8HDZ/l8eiTu3mh8XaC721G9cGv/9yKJJfZoIZh4BAGG7b72RrwsmCJjV9m7WdsyT/Znt6ITwqw7YCK57d/x52b8W3bxMLCwsLCwsLiW/EtlggNhCQRCQfYuLOGLbUCn0NgUI0e2IxR5SFgGGw1BFs5ROdYMmGgSRGSbGEuzJ6Jb16Ax6d6ecd/Cy7dj9Mp0IWMJOsYwrSnkmVBXW2E+2/IZsY8BdtiyDg/i/LPMyhp9FMv7JR6BV1c4nQUci0sLCwsLCx+YHwrGyxJCCK6nw17qtldbhC2a9iMCoS6HqPeScRmsNMm2E0p3aSoR3Yd7C5wyGGemVfInO0j2Fqfi0P1EfEZRAICIyBwOJ1IsgaYpl4NdRG6tHOgjYSxw+GMrsk03PpXumgQ0SDRCV8W1VO854fhP8PCwsLCwsLi5DnV9CtKrEDNC2Y0+xxN7DfdAJsis/9gPcVr7DTIGdT5G0D3gVYMKlSgMzNioFLLaF8EAIdDZuOWQ9w4MJGfP/R7DPxcoAdQdS+arqPqEVxOKKneRqrDFJYSnDKRiM5PX9pLotP0m/X6AgN7tPTCMDAMweG6CNeNyQaIbu+0sLCwsLCwONWJhcUTiCNkkKPlkZZ+a+n348kxR+dz9N/HO/dE5x2PbxHsWRAJB7n+5r4UDXwJRXaCoZlOQ9EQQscQBkICQw8x4szORLQIdgdceF42WzbsxeFVMYSGIUUQUgQhqdikCLqukSZqOG/4WUS0CEIY/O3qLA5UhuM1lCTTexaYGi7dALdDJifNbqYBNO2b1s7CwsLCwsLif4Wqmq6bNP2H8+L+RgKWASQnJ/Hh+5/QWFuDLCSEFAsMCEc4BTMAITH57Zm89nwIgLRUJ4oi06hH4xYa8aCCZgxnQyDJMm+u28zzwWA8S7ssjis9CgG6DhHNOGVcksUDYAtxypWppcDbhnnCKVVeixNjYMYHlSTpf9JnJxo//9XrxoK7R/0O/q+v/0PCMMz4rqfCXW66mP7vlcMwdBDf7b3RNLH/5rl+kzzMe8BA/ACCpcfGYAyBQDd0bHaZ9Rs30LN/H7QfgIbkGwlYAqhvrOe8M8fxf4//g9qDGravcG0vySBHT1FVTspxmCybmqqYVHUyqrlT4rlrxIJcR7VrerS+30fZotc19Oiyrs38TdPM4NgxNM0sryyBGo3J/Y3LG72mrptf4334HdXfMKLt2SzPmHxvGOZ1JSk6Fr7tdWPtd7x8jZhgemzSeDDy/xKGYfaX4gHNH9XYftvrGUfdm6JpLMSuB9G+/V85WTaangWaBopsjtF4Gb4qedM85zsrT6w9vtN8/9uYcydsytdrv/9WWSAaDzz2/buVgr7buh4h3Df9FL/vTzbvaD6i+bOjef4nSCdJ5tiPxN6fp8u4a060/RTF7JNYW6qqaUvtyYGHfvcwGw6uQ5ZO/3A538rIXTc0UxKVtOhb9ETngq42++EkBoemm5/TDSHMnY8NjSrhiIbbbUOWxPfmjdYwwGYTuBxQXaMihCDBIxMKR91gAF6PIBCAuoYwyYl2VM3g22hqDcDlEAgJ/IHvTquoGwaKLOF0mu2sqdHoAEGzLpIscLkgEARd++4aXJJaztd8WAgkceQz0jAgohr/1T6XJPD5VNavKqNH5yy8HpspOH+rPAVK9KkgMO+/iGqg6wZ2u0RjQENVNdwue5OG9r+IgRny6uDhMsqqSinIbsvOA9vokFdIakIymvbVbxpZEkiSWY/vkv9Wvv8thABN1ympKCfRnYTH5UbT/rsapOMXBiQEYTWMJMnIkvSd3itCQERVqTx8mJSENJx2R3S8fru6SpIgEolgGAayrHztthPR2UpEDSOEQJZO7hVsRkAJUOerJSM56ztvr/8VkgTBUIjivZtolZ5PTUM1kpAoLOhMOBLGHbGjG6e/5irGt9Q1mlN0TTcfwLH/Y39Dkypf1w00zfzdiKv4zbSx34D491jaU/ETL6d2bFlN43/4x0vL6D/uOc67/jWmfVKE0ylQNT1eV8MATTPb6rsok2E0lUk/qu1lGQ6WNXDNz6Yz5OKXGTz+OT6YvQ2XU6BqBg674OlXVnHW5S8z8MIXuP7eD6KzC7M+mnZs38X6L96vWvN+BYcNlqw6wKwFu3HYzP7nZOvSvH21I8eL2ynR0BhhxtxdvPfRVpavKWX+0v2AKehUVwd47+OtVNcGTDu9ZuU9Xr7Nj8XaLnaeYYAiC6przXyrjsrXMGDP/jo2FFdQvL2Kou1VbN5WydZd1dFZszhiTMfaU2+W/nhlQogj7pvm7a8b4HTB0lUlnH3l4yxasRdX3E1J0z2pH2ecxcafeR7x8oVCGsU7qti8tZKiHVUcKvchy4KEJIl1m8o5+8pXmXDHJPYfrEMIM/03uX9O+v4G7Ipgf9keFq6dQ0XtYWYt/5Cq2sPYFBGrLkY0YHzsX8ziQJbgcO1hdh7Y2eJ1gXia5sufzY/FiOeNOYE6Ub4n0wbNy9zU5xxRh6PLdaLymsePaodm6RQZKmvLeWn6/7Fx51qcDhFfbm1+/tFlil/XiJ1zZN4nvpdjquZm6QUokmB50RJem/kcXxYvA2GgG3qL9YzJMLHvzfNuua4GNgUOHN7H8x88xa6D23E6zLFyTH2apT9e38Sub1cEK4qW8uasl3hnzqvsKd2B0y6Oaavjf0DVVCZ/9hZvffoyH3w+iXp/nTmOjaY6HN0HYL5T1m5fxQvTn6ausRab0nQfHTNeaGEcG8cbL0e2w9cdx193zMuSIBgKsmD1bPaX7+XLLUtZs20FDrvZb7Hn/A+Fb6XBMgwQNkhLdZiimgLElikERBohFDZf4Da3AJt5XA+C3x/93ROV8VRTwyU5owJMAIKhU0/9rusGTqdAcQuzvhGI+CBsbpJEkQQ2L/TtmcPyNZl8Mn8dO/d2RbJBUrIMMhCOtl30ARdoOLkl0+NhGOBxC4RTxPMPByAcMXXQrmzBs0+uZNKHy7npijNJS7aT4LGjapCULLFzZz2/+utMOrbN5OpLeqBICrpuqnETEgRE+wTNzNvvjy4XyeBJkMAJ6EAAGn3my8dmhz//cwElB+vYteLn5sxPbVo2PBEeV7Quipmv4Te1YA6HYNPWSq752WS27arA4XAQCPpoX5DNyhl3kZahsHL+Aa66+x3ef/kmLp3QkVB1kxa0pXwDQbMuXle0nhFQw6B4zJddqB4cibDq84Ncdfc7THvpRi67vBOBKnDYYdnqQ4y55g0MQycUDmHeCIK0FC/TX72W4QNzQTHHuBoAxQHYhNmOPlNzSKzfNND95rgHc9nTkyyBnXj760GImyXaBT27ZHPdJWfRqV0aanQM2mzg8UhmnxiAw7xeoLFpedXrERATyMLRiznhiSe/5PdPfooi2wmF/YCd0cPb8cTvziMjx0ldQ4i1mw8iJHDnSNAA/savN17ttpjgfjJnm8Kg2+nB7fSQ4k3FYXditzvjryNZCOx2EVei6zqEVVA1HadLYtWW5ew8sI07x99LgttBONK0NGNTBDZFxJ8zEdX8ADjtIj5uY+caBgTC4LTD6i3L2XFgK3eO/8Ux+Z4I46jrarr5/DDvOYFdEei6ubQVOyeiNn0/XnkFYLdLxKw1DMNME44elyRBSmI6A7sNpVVma1SV6KQH3HZTI2JgTih0HUKRpueSwy7M3w2znLLUVKbjIQlwOiRzsob5XIjlCwZeVwKHqg6Sm56H22mO13C0PnabQI669lGjCySxneGh6Dh32aS42YmpMTaXmcBMm5GSxeDuZ5KRkhk1e2h6mdhtApts3uOaZr5nYvV12AWKJOLLwOEIqJopfiR7k3DYHWwv2cIZHfs1ORj/iveUYZiaWJtioyCngM27N7Hn0C7CkRBCgNNu1iXWl3bFbOtYmWyKoHV2GwZ3H47b6UaLToAdtiaBNKKZfSei7RFrp1jfgbkUF262kmS3ibiwZkTvyebHv2t0A+w2O26nh2RvKm6HG0W2RY+eYi/774Bv7sndMHA4ZEp36fz57zPJzUph644KCvJTCIdVqmp8PPCT4fTsmsbWnfW8MWU1m7eWk5ORwJXjezFmZD5FRTW8+O5KgiGN/r3yKMhLYvrsIgSCay7pxeA+rQiFm6T47xtdN/C4BeuKKnnp3ZVs21VF986Z3HXDIDq3S0Y3oL4hwptTN3GwvI5rLjmD2Qu34XLaqK1WeeL5JVRW+xjavwCP287shdto3SqFe28ZgtMhR2+ar1cmwzBwOQVzPt/H5BkbqKj00adHLjdd0Ye2+QnU1EWY+c4OPpi1maSENPp0z6FvjxwGnJFLRIXV68t47o0v0XWVof0KGNi7FYN7tzU1bio8+/paPpxdhCRJpCY76N09j3tvHYQkmXX912urmbdkF4leBzdM6M2FozsQDBms3VhJZZWPQEjl8y8OIEuCDm3TSElyxh9oLdVFUQRzFu3l/Vmb2bqzEq/Hzh3XDOCcs9qjyPDki0vYsnMfD98/nhuu6sHdv5nFuk2lpvaqLMyG4lIANmwpI/cLDy67g47t0pBlmLtoL9NmbWbrrko8bjPf80Z2wGaDj+ft5IPZRfTonMO5IzvyzOvLqar1c/eNg+jXO5v1RQfj+bb6wovTbqdz+zR6dEnnojFdmDJzHW/939V4EiWWfFHCv17/HDWicag8wMNPL8DltHPjhD4sXL6LeYu3M250N265phfTZu1kxrwt7NhbTWaqh7tvGsSZA1pjCPA1Rnj8uWUsWLaH5EQnLqfCJed24/ILuiDJgpmf7GHGvCJa5WRQWR0AzAfx/gMN/N9rS0lKdJGblcBHc4oZ1Kc1990xFIdDxi7D1JnbmfjhetwuGwN757O+qJSh/Vpz8bldeOndlfgCGv965DJmzNnKxA8X84cnbXwy42quufgMHn1mAa/8ZxWb/ljG4L4F3H/7UGyKdNLjd/v+nXicHrLTc0wN2AkerEIINB0yU3Lo0a4PCZ4kBnUbRpIn2RQ4ZInaxjpWFi3lcG05XlcCspDo22UwrdKzqaipp85Xi6apHDi8H7fTTaInGbfTgyRgz6G9bN1bRGV9BXabnV7t+9KpdWdUVWd50WrKqkrp2rYniqSwetsKEt2JDOw+jHBYUOurRdM0Sg7vw+P0kOhJxuPyfMVkyXzR7ivbz/odq2kMNJKfWUCfzgNI8rjYV17K+h2rSfamUFjQnc271nG4ppzenQfQKb89uw/uY+v+zVTVVWBT7PTq0JeO+Z1Nu0pDY83m1ew4sA1FVrArDvKzWtO/sD+aLthffojiPRtw2J1ouoZumBqFQCjA4nXLkGQZryuB3aU7SPGmMqj7mbidTnTdYPXWdewo2UpKQirJ3hQO15RRWNCd9q3ao2pHPqNjwkS9r4HlXy4h0ZuMLMnsKd1BekoW/QoHkexJoFvbXnyxcSG+QCMfL/6EBn8D/boMon2rNmzaVUzJ4b1gQNe2PSmvLqWi9jBup5eBXYchBCzbtJx95btwKE4UWaFDXmd6duiBpgl2HNjH9v3FuBxuNFU9wuYLYPPuIrbuK0Y3NHLSWuEP+hjWcyR2m401Wzewr3w3dY21pCdl0K/LEDJT0glHdHp37k6yN419ZXuRxcnZCBmGgU0RHK6ppHjvJlISEmmX25EGXx2SkKJ1WUFFbTmFrbtht9lZvXUlHpeHYT1G4nG5WL1lI4eqDuJxegirYbzCRUTXWF60hqq6Chw2B4UF3dl5YCu+QCNpyZn0KxyArsParevZVlIMQJc23enWtieGYfbZ+h0b2LJ3E4YBToeLzOQsBnUbdlITha+LEML0g2l30qtDX9KTM+jcujuyLKOqnDLv+e+SbyFgmVGva6uCvDJxOeAgJclNTV0t6SkpVNbUEFF1/nDvSM69/jVKSqvp0CaX2Qu38/qUlbz3wnW0b53Ka5NXEAg2EgoNJxzJ56V3FwMORgxqhyTHlmK+uwp/U3TdwOURLFy6n8vueJusjGS6d85m6icb+WRBETPfuJnW+QlcdsckFq/cjN2WSDgSBsIoskSjL8Qn87exaWsRW3f1JS87kckfL+CsQQP46Y0DcQkZU8ErMHRT3ftVvrw03SDBK3juzbX87KH3sdlc5OckMWvhRiZ+uJ65E29BliXu/eNsDlfWY7Mp3PPHjxjavx3vv3Q1WVkOXp24nremrUYIB++8v453P1jFO/++hsuv6szE1zfz8z9MYdTQbnRsm8p/pq/hYLmPX9w+kMbGCBfd8h+KtpcyYnBH9h2o5dLb3+KlxycwfmwXRl7xGvWNDYCdkVc8DwR55cmbuO36njTU6sgtBO8UwlwS+9fry9h/oJph/dsyd8kurvn5uyz78G56989AjqopZn++g/zcJH5242ASvHaS0mR+ev88Xnh3AbKUwF+enstfng7Sr2dnPpt0M4os8X+vLWPfwWqG92/LvCW7uPbn77J0+t306ZdB0fYK3nl/NQ67nb+/uATd0KmoKqNbpyzmf7GLv/57BrKUxCP/N49H/m8GfXt0Ys5/biYt006PLllM/cSgviHIW1OLGD2sI7+562zat02jvMLPB7M2UVHt5z/T1yMMweHqWg6W+bj4nEL++cpSAoEQ/Xvl89HcLSz5chdrP72HgjYe/vDkEv7x0hyuGT8ISRa8+8FqstITuPKiLiDB7n1VTJ+ziYqqamT5AkYNz0MLQnVtgHc/2EBdQzWJCSnYFIl5SzaSm5nAT+7szYsvr+Ou303F6fCQkeph4odrgDCGMZybrziDnMwkyit9XHVtF4QOkz9aQV1DCMMHobCGrvt5/b01OOwKcxdt5Iwu2Vx8bkcafcefDBmGgd0m2LSriInzXic9KZPrzrmVjJR0VPXEkyhVg8yUTLJSMzF0GNV3DJoeXXZGZ87Kmew8sJX+XYZS56th077NtMvrRF56DhPnvs3hmkM4bA4mffYGYTXC6H7ncXbfUYQiOmu3reRwTTltc9qz59AuPlg0idsu+hkp3hT2l+1h46617C7dAYaBpus0BOrpkNeZResWsLdsJy67i8mfvUVYDTO633mM6juKcKTl+sTaYP2O9Xyy/ENyUluR6Eli+ebF7CrdzvXn3ECjv5H1O1ahSDbWbF2BQKKy/jB2m4MOrdqxdvtKyqvLaJfbnr1lu/lg0SRuOv8ntMnNZvG6Vcxc9j492/ch0ZPE2m0rCUaCDOrW35z8+erYur+IQ5UHGRoJ0bl1O8K6QUSNULxvE4dryvC6EnHYHKzbvgpZURgzcBSffjGXRRvmk56UQVl1KbUN1RhAenIWHfLat9hnQkBIDbNp93p8wQZcdjdeVxLF+zaz88A2rht7K7IkI4Rgd+lOGgKNVNWWU9NYRX7WTyivLmPZxkXY7Q5aZRaw6+AONu5aS15mAcN7DmfxxkV8tupT+hcOwqbYWL1tJTabnb6FPdA0qK6vonjvJsqrS7HbbLRtlUcoYqAIwcK1n7Fw7VySvakkeZPZsncTYTVC/y5DCEfCLN+8mERPMhnJWazb/iWVdZVcM/ZGhJAIhw38IR+GoR+xpHc8dAwcNsHu0r1MW/gfgqEgNpuDUCSAx+lFN3QMYF/5bor3bmJHyVYkSULTVRoDjXTO70qCpw1l1YfYsHMNtY015GUWkJGchB7S2Fu6iw07V5OVlkurzAI27d7AwYr99O40gIFdBjBz+XQ2795Au1Yd0TSVD5dMoaL2MOcMHE3R7u18uPg92uV2JDs1hw2711HbUM3ArkMRzWyGT7Tr9Kt2FccEufh3QBYSw3uNQDcgNTEFMLVmloDVDNN4OULXwW7OGtyZ0nIfT/3xPMbf8hp//c0YPpm/nZ17q3h54mpKSsv44y/G86t7B7FwYQkT7nybvzy9kPVzf8KrT17Jtfe8zrlndaJHYRYCB3/65ViuuryQhmoDWT51Gl0I+Ndry6mtb+TaS/sxoFc+um4wffbnTJlZRI/CLBav3MBl5w/msYdH8fobG3j8+U8JhVXy8jx8Nukmfv3obOYu3sGe/VX8+q7L+OMvhyNQ4ipfIcDhMgd3KHz8ssRmRZXVIZ5+ZSkup4OP37iRAf2z+Ns/l/LE85/w6sTVPPb7kSz94CYuv2saFVU+Jj57M61bJZLgdeBrNPjbb8+iXesUfvO3j/jzr8ZxyUWdSXUngA+CoQigUt8QpFVOEvfdcRZD+rbGkSB49/2tLF+zlZFDejB+bCF799eydvMuHnxsLjdM6MUnb93AT373ITU1QV5/6kZUzaBHYRZBn7lUcbw6uZyC+28fxsz5W3E6FApaJbO35CAlpfX01jP4/T1nsX13BcvX7GL5mnW4nOncdf0Q+vXO5cFfDiEl2cHfnp3P738+mpHDW+N1upEkgc0uuP+O4cycv8XMNy+ZPSUHOHConj7hDH7908Fs2VnBO+8v5b47zuSnN/Rl74FGClolgU3FwODRf3/G7342mlFntsbrcGNTJIwwBEMqhqHz8z/MAOo5b2RnHv/X2fj2QOtWbv7xhwu5+b5JdOuUxYuPXUgwZCDLkJvt4ld3DufzZbtwOW3k5ySzZtNuDh1uoKC9hwZfyGx/X5jh/Qt45IHzuPicLmgaBH0GP7ulH90Kszjnmpdw2BV0w8Af0BnQL5OfXDeAv780h+cfvYiunTLpd/4/WVdUihHpzXNvrUSSFOb+5yYKO6Yy/pZJrN5Yym9+OpxQxLzn9pSUk97671TV1oGwc9MVvcHe9EB95pELOaNrNj3H/p25S3Yy/ryOX/m6MQxI8iaTnZZLZkoObofnpCdQ5tKmuRajqk0PfN2AiBpC1VQ0XaUguy1tstvTLrc9qm5wxdmX8+nyTymrPsRFwy7H5XSS5EklrJrar/5dhrJtfzE2xUaSN4WK2sNU1B4mJy2dcweNp6z6EIGQj4uHX0lWahaNQT+pCWmMH34hs5Z/Sln1QS4cNgG300WSJ/UYbU68/BhIkiAQirCyeBmSkOjUugsJ7iQaAvVs2LGG4k6D6detO4eqR/L52rn07NCHM3uNoCEQwOVwI0uC/l2HsH1/MTbZRpI3mcM1ZVTVV9AmLxvD0NE0jVAkRLI3hRFnjKEgpx2qZrqv6VJQSGpSGm/PeglJmIaEkYhGRlIiA7sO48Ml73Fmr7MpLOjKix/9H9V1lTQ2RFi3czVZKdnceP4dhMNhJs57A6fDRe9O/c3l96OqK4QgHDFolZ5Gvy6DmL/qU84eeh69O/fg06WzWbp5EbtLd9KlTQ9UNUJ6cga3jbudhWsX8OXW5ZRXHWbMwFGU15Ry4PA+OuZ1prq+gt2HdnL5yGtxOWVU1fSXGFJD5KS3YnS/8+jQqtBcztMN+nTqQ3pyBu/MfgUhZHTNwCYLKuuqWbV1BTnprbh85LWkJ6eysuhLVm9dgSzJJHo8DO05MiqYOUn0JFPnq8EX8JPoTgCaNK7N7eCOh8CcCKzasgJfoJFLRlxNQXYr3v98KodryhGYG2TOHXARNfVVNPjqGTf0crLTcmj0+0hPyiSiGozuP5b05Aw+XjIVSUhomoFNsXPhsMsorz2E15lAl4KOfFmchCy14dKzLmP/4YNs3LmG7LRWdM7vSkSNcKBiP4vXz2dojxHoho6qqYTVEB53AoO7DSc3PR9ZFkdsLlNk832kt1BVJeo6qSXTDyHM4y0tI6tRzfV3sfHgVOZb22Ahmw8ql9NGXnYSum6Qk5lAgtfGvgM6tXUBZMnJ8AEFeDNtjBzSluSkRA6W11NVHebS87vQ+ok8nnrlC7p1yiQxwcldN/Qn1PiVGxP/ZxiGKRSEgwbVtQFk2c7ufTWUljVgt8tce8kohg9ozbrNh5DlCGcPbU/Hfqmct68Tjz8/D7tNBgMy851MGNeLt6atBXTOHtoOT7qCr8KIC1eBkErxjlocNol2BaknLJMsQ21dmLqGIDmZqQw4oxWJuRKjhrTjqZcEew/WgoAOvVNJTnJR3xjizIGtwA6+WtN4OjXPSffCLECnS8dMCgel4dsJIT9MOL8764rO5osv9/D7J+Yg0Bg5pDNnnnkd5RWNyJKEPxBi9oLtGAZcPb4/bfLT0HUYNiiX9BQvgYDGOee3Me3vghBuAL3F2T3Y7YLi7TXc+sA0IprGeWd1weuxI4SEzSaDBNNmbub+O8+koOB8Zs7ewb/fWMY/X1nMhAu6M3hsNn16tEIIjb49W3H25e2gAjBg8+YabvvVNEIRjfNHFuJxOxBCNt2LGCAngF2RcDkTeeDOYSTnyORme/H5wZMB/XvmRfPNNfOtNG24hIzZv8h8NulWZn++HbfLzl23fsrdNw6ie78UUpJd6IbOT28YSOehKeilINlh6fJS7nxwGl63kzFndiLBa9ZViZbp7hsHUl3rZ+XaEmZ+thmbDcorG/nXn89BCJC8kJPpRdMNbDYZySuw+SSQTFscXbczfGAbEjx2hHABAqFAbX0Ah91Ol06ZpLex0So7iZXrDiBJArtNICSJBI+Tqy/uiSQJhg1ow7izOyGCRN2xODlzYBs8bjvgIhzWEfYT2xEKYT5o8zJbcc2YW4ioYRRFiaY52QesiOdljhkDp01mWM9R2G0Otu0vpiFQj12xoyg2+nTqTU5GFoneZMqqD9EhrzPeRFMo1gyoqKnl4y+mElHDdG3bE1lWkCTJXLYBPA4nmh6hfW5HurXvgKZBkjeBcMQgOyOTJG8yZdUH6ZDXmYREGSMStdcxWqiRYT7PwpEIwVAAm2LjcLW5MzI1IY2zeo8hJSEZBDgUJ7IkM7j7CFJTE/AGE5AkqKytY8YX0whFQnRr0xNZUswdeEIBFQoLulPvq2N36U7mr56Npmv0aN+b7NSLEUimTaU7Md6Gsk2ghM37SpYUFEmhVUY+aUkJpvAL6IZOOBwkLTGd9CQvoTA47U5TM3HCvooeN0BIElkpObgSHaQlZSILmYgawiaDpmvkpbXBm+QkwZMU930gSzCgcAjb9hexbPNiNu1cS892Z5CdlkYwBH06DSAUDrGvfDc7SrZiGDqN/gbGDjgXIcCuQII7AcMwkCQZxWbaVAVCfkLhIO1yO5CTlo5hwNCeg+jXeRAOO6zfuZmZS98nJy2XgpzWKLINVYsgCdnM12baUQEokoKwCaTQcSaMGEhCEIpoNAbqSfAk0Sa7PRmtPGSl5lJWVYoiKwjA5XCjGzp5mQV079wJNQhJngQiqjmWnA7wOD3oho6i2LDbBGHVwOOy06fTAD5fO5dF6xZRUr6PMQMuwOVWqPfVmSsihsG+st1oukZhQfd4/3Vo1YkRvUez99AuPl87F1VTaZfbiazUq3HY7NH3HlTUVeGyu/C63HHBy7TVg+r6WmRJJsmT0OyYgSwEoUiEOl8N6UmZcY8uTXeyiP/1Q+abizAGKIqEv1KjorqBhsYg23ZXoCg2irYdJhBQCUdUWrdKQtP9/O3ZhXw+u4Tf/G0OhysPMax/GzxuBYcL7rllMGs37eKd91dx901DycxyED6FbK+EAFXVcSYIBpyRj6Y10rNLFo/+ejSXntuVg4caCYZUenbJQdOcvDrpS2a9u5snnlsMqOzcV01NfZBpU7dxw72TGT2sIyOHdOKyO9/hrTc3oRvm7kKXF96auo6x1zzL068sw95MY3A0kiQIhQ3a5HnpWZjD7v17eOzZRcz7aB9/fOozVA1GDGxLOKgz7+O9HCqvx++P8MZ7G1i2/JA5u1Aktq2r5bMlO5AkhQVLd/HppD1U1/qxeWHKzM1s3VnOk78/j+Uf30Fhx1YsWLaZ0v1+Rg5pi6YLZFlw353DuPe2wbiddg5XNmK3QTBgYFMk9h2s5PkX1vL4o8s466K3WF9cjqOFeum6js0JX6zax/7Sg4wa0omn/jyWTu3SMAyNom3lqKrB068u4/Zfv4+EzC9vH0S71mmAQTisQsAgHNEwDI1JH21k6ktbufDqSfztqS/YUHyIfQdLGDWkA0/9eSydo/lu3l6OZhis+7KCHXsr0Q1494P1fPLxLsoPh9B1HSNgEIrl+6GZ78XXvcdvHl9AUNPYvqcKIQQlpXWMP6cLpeX1vPjOMkrL6qkuDbJk5R4kSWLxij3M/M8OirZVYwiDz77YRUXVYS4+tztPPjSaVtmJGIZK8fbD6Cq8/t4aVFVjyotX8/HrN2NTHEz6aCMh1SAYVpn76R5mzNuKEDKbtpQxY/oODh6qJ1Cvsn13FULorNt8iLWbSjEMjb0HqmmsDTPh/O4EglWcf/1bXH7VNKZ9so4Ej2lJX3LIx6HyOrweDzdd3pt/PTqWyy/shKYbNNRF2F1SjRA6G7eUs77oEKBTWlZHzeEQinJ8I2/DMF+a9T4f0xdPZsqCt6mpr0GWjj/GT4ypEfKHVNbtWEVyQio3nHsj4wZfSmOgke37i01D7JA5U27017F2x0pWbFjDa5+8zr5D+6ltrGZ36U7a5XZkTP/RpCdlEI6EqW2oJhSOsOPgTlRVpd5fz/rtxew9dJBwxFwaUqPLgA3+etZt/5IVG9by+idvsvPADpw24jvimp4hplbA43KRndaKRn8DrbPbMqL3GPIz29Dgb0BIMrW1PsqqDyIJmW37iyjeuYN6vw8hDA7XlLHn0C7aZndgTP/RZCRnEo6EqW6oRBU620qKKa85xLihl3L9ubeTlpjO9pIt0fQ6uw/uZ+uezQDUNtZQtHMH1Q1VqKpGVf1hEILymlLKq6uJqGHqfbVoukbH/C7sPLiNd+dMZvJn73CgYj82xYb+Ff2mR1+emq6yYM1sFq9YyoqiJdhtdvIyC6iorUbVVXz+BmqrG6iprwYMquurCIcN8rNa0y6nA19sXEAwHKBflyFEVANFgY2719EYaODSEVdz9eibcDu8bCspxh8Koesa2w/sZft+c7mtsqacol07qKqrIy0pjfTkTLbtK+KLjSvYX17Kpyvm8OanLxIIaewu3UGdr5Z+XQYzvOco7IqdQMhPXWMN4UiYrfv2sK9sN4osU1ZdytZdu2gMNrSoDBDRXdYuh0x6UgZVdRWs3racTZu3suPAVoQQVNZVENE09hzaRSgSojHQwOat29hTWkJENRAC/CE/xXt2sb98L7KssO/Qbrbs3Uk4HEDXDboU9MDrTmTh2rmkJqbSvV0vwn6D3LRcXA43oUiIMzr2Y2iPs0hwJ1Lvq8Nht7OtZCullQc584wx3HrhHeRntWHr/s3U++qQhLlzsXhvEW9/+hKT579NIGQa5OuGjkOBPaV7eHfOq7w751VqGmqPuJcNw2DW8g+iu0S/QJa/6X1+evOtbLBcToXi9WHWF+8B7Hw0dwuKYueFd1bSvXMWW3fuIyV5APffcQFPvTyfhcu2AIJhA7rw2IOjsdslwkG4Ylx3nntzBdW1Pm67qi+REJxqzmplRSLYYPDrnw5lT0k1Tzw/jyeenwPYaF+Qjt2uMPbMAn56w9k8//ZiLrj+RTLTM7EpCbzx3louGNWZ+x6ZTU1dGW3yexEMRljoq+am+95ncN8C2uQloqkwe+F2qmsDXH1xTxTF3OV2vFXS6MZWnvrTufzkNwEef24Ojz8HYOcn15/NzVf2pKTUxznXvoVBCLBxywNvMnJIXz5+/Vq8HvjL/33OxA+XAF6eeeNznnljMbPfvZ38Lm3Yf7CWRSs28MWq/bRrncqOPYe54fKhpKc5yc/18MTvxvPHp+YwZPw/AQWP280vbh2OroPdIZhwQXcWrdzB3Q9NAez06Z6P22VrUZ0sSRKRAJw1uC09u3TiP9NX8Z/pK2jXOgeb4uVvz37Ondf2Jy8nkY1bdjLg/Gcx5wcqd994JkP65RGqNRjYO4++PToxdeaXTJ25luQkNyMGt+OsgQX0KOzExA9XMfHDlbTNz8FmS+DRf3/OXdf15+7fz2D5mi2Am5//4T1stkSWfngHfbpnEvIb9O+VS7+enZg2axXTZq0jOdHNiIFt2VJUw38+MDWSN9//brw+NpuXzHQP703fwt9fnAV4ePatJTz71hz+8dBV9OgzkHNGdOKd99vw9CsLefqVBXRqmwvY+eu/F3L1+G7s2FPFJ/OXM3/pbtJS3PgDYX5/zyhcCYLi7bWcc+2rmFsFbUz6aDWTPlrKP/94BSOHtOe9GWuBEK9MXEUgFEHX/cxdvJWFi0t45LejUHWD+V/sYN/BWnp1yaN4RyUOu8IHs4vZsecAYKPfBf+meMEDtMlPwuUQLPmynMkfrQNCvPSfLwkEI+h6gE8/38KCpfu47MJO1NfpKC3Y15l9DNX1lewu3UH/wsHkpGdGXyJffyJlRHtf13XKqkopqdjP9v1bMDBIcifRt3BgdGlCUFjQjW37i5m17ENsip20xHQkyU5majpd2/Rgw861rN2+iuy0HLwuL2u2rSQvs4DpiyYRDAcJhPxsL9lCYUF3rh59E5IAXRcUtu7G1n1FzFrelK/D5jRdcBzHXkWWBaP6jCEQ8vHhkilIQqDINlql5+N1uVi8YTGrty7H40xg9sqP0HSdWy74KakJBWSl5tC1TU827V7H+h2ryErLJcGVwMripfTvMphA0Me67auitlQJ1DTWMKDLYNISE6mur2f64slU1lbgdLjYeWAb67av4rxB43HaB7J2+yo0TWX11pVU1JRT21hDbWMNew/t4oIh43A6XJRWHiDRnUh6chaR2JbVEyBFe8rj8OAP+lmwah4et5cLh15ObloGHy35mLrGGjRNZUXRlxTv3UhEjfDllmV0at0Vr0uhT+eBbN1fTO+O/clOTScU0bErMjX1VazasoxDVQdw2l0EwgEGdBtCkttJSUU5781/G1+wEafNyaZda1lRtISLhk1gRN+hnDNgHLNXfsys5dORhITT7qJr257YFJlO+V3YeWA70xdNRpYUslKzaQw0sn7nas7o2I9357yGpqvYFDurtixn8fr5XD3mZvp06oE/pJtLr0ehGzCkx5lU1B7m87VzkWWFzJQs6hpqWLNtBVmpucxYOo1Gfz2+QCOvz3qJzvlduOG821Fk0z7rvfnvIEsyiiSzcO0cNF3j5gvuwuNqQ1pSEj3b92HulzPp32UIHqeNQEgnNTGZCwZfzOyVM3jtk+eQJRmHzUn3tr1QZGjw17Fl7yYOVuwnNTGNytoK+nYeSFpiMqpmmJFTdJ3GQCMOuxPd0ONayZio5As0oijKERMKc+TrhNUIvkADYfUEti4/cIRPM8VK3dDwyjKzdy9k7aHVPDj0VwRasCfQdR2vIrFk9SqmPT+Zpx5/io1ry1FkG+kpbqpr/bhcpmPN+sYgBa1ScLtltuyoprSsntRkF4Ud0vF4ZALB2NZi2LmnFl8gQs/CDFMtemoor47AdNgJugbFOys4XOkjJzOBvOxEkpNshCPm9uVNWyuoqvVR2CEDnz+CoRvk5SRxuMpHIBgiNdmDpunUNQRw2G1kZyTgcUvs3l9P3/OfZ1j/tsx650p8JzAabl4mpxPqG1S27aygriFEfm4yndolm04iIwYHy+oJhdX4MmSi10lGmhuAmrogVTU+DEPEtVq5mQk4XTIlBxsoLatHNwwOHKqnTV4yZ3TLxmaT0DRTbb17fwO791fjcdtpnZtIbpbH3B4cXcLcubeGiiofWRle8rITcTklQuHj7SIEuw1q6kMUbavApkh0bp9GZU0AWRIU5CWxYs1BEAY+f4S6+iDtClLpXpiJJAk0zXSdUFMbYvvuCux2G62yE8nOcKHrLeUbRBLQulUSFVU+6hqCxF6NdrtMTmYCimJuM7fH863EbldolZ1ITqaLRr/OgUN1qKqOJJpCOUmSoHVuMuGISml5fTP/VkT724aiQEVVgOLtFXi9Djq0TqGs0ofLqZCfm0Dx9kp8/jANvjA1dQE6tUune+cMdAPUiM6BQ/Womh63Y4rl7XAo7D9o7nBLSXKDgJpaP7Ikk5OVQEKCQn19hINlDTjsEj//4ycsXbWP3Uvvx26TKDlUD4AjWk9JiroKiOiUHKpryheoqfMjyzKtsszrHm+SGjPwnrdqLss3L+a2C+8hJ+2bC1jNOVx9CISgMdCIYehkpGSR4k2KL1lIEtQ1NtDgq8Xl9JDoTsRuU9ANCKthKmrKkSSZ1MQ0gqGguTzoTsDnbyCiqcR8KzlsLtxOd/y6LeZrV6I7oo7XDqZmIBzRqKyrIBQOkuhJJsGTiF2RaAwECIT8xF5TkhAkuBORJDnqriFi2u4IibSkNIJh089IsjeZmsZa/EEfuq7TGGggJSGNzJTM+OaRxkADqqbS3K+A2+nBYXNQ76sjokVw2pwoig1foAFJSHhcXlwOOw3+AOFIgIim8v7nE3E7PNx4/u3RjQYtCJO6jtslMXPpp2zYtZbLR15HamIykrCT4Hah6RAIBfAHfUiSjMfpIRAKmGWwO3E7PQjCrNqyhs9Wf8q1Y2+lQ14bAmEduyxRUVtFOBIioobxh/2kJ2WQnpQBmO+oBn9DNKZdU/m8Li82xY4igz8YpLKuEjBI8qaQ6PbG3VQ0+hupbqjE40ogwZVAY6ABl8ON3eagwVcfFSbMfIUArysRm3KCsY+5nBYMhTlcU44iKyR7k/GH/DhsZl3rfXWozcaa3ebE6zSXaTVNpSHQENUAmdeVhMDrToxuFDCdqlbUlpGRnB0viwHYZWgI+Kmqr0IgSPImkeBOQAD1vkbqfLUIIaj31ZHoTiQrLQdFju5oj7ZcdUM1NsVOosd7xORYCKhtrEVCkJSQdMQxSYJAKEiDv4G0xDQkIX2ljWZEjZCUbeN3f/gTm0o3cO21N9Kpc2c6dOqE3aYQ1iI8uuhhrut1E93SO+DXjhRodUPHLUtsrNjG5E3v8tCIPyNL8jH9EpN13i2aSl2wlrv73k6j1rJwbJPg0cWPMrLt2YzIH3Tc847Ht7TBMlDs0L1zFjbF9OGRk+WMh4aRZS/BEITD0KMwlZ5dUuPG24GAETd2DocNOrZNRohT0/dVDPMlY/7fu1sGQmTE/aQEQ+ZbztCgTw/zWESNhhYREApB2/wEJKlpXT0/1zTy9QUMZBuUHm5ACHjw7mHoxsntoBTCbEuXU2FQ3xzANDg0PZub/mA6tk06Ih9VM+sBkJ7qJCfTGT9mAOEQaBFo3SqBDm0SzAMSoJsatdgLxB8waJtvnhPzoRIMNb0wNQ26dEihW6cU0zdRhBO63RDC9N2VnOBg5JA8wBw7aSkOwBwbwwe2alLHCzB083ddM/3uhMMGSYkOhg3Ii/sBCobMtjhRvrlZHvJzPU3tEB2nsT4Ihw2SEx0MG9Aqnm8gaC6DFrZPOaafDMw+t9tsdO+cdsSxcCTqbyZskJHqYvTw1vFxlJZqN30FhaF75/S4V/VYXQNB4svznTskH/NqC4fNGXPXjinxvgbIy3bHfU/V1ka47M6JbNlehpBkKqrK+cWtY8nKcBAIQo/CtKY2CJl1MScX0rH55pgCRyj81T7OhIDDNWX0aNeH3PRMwt+BcAWQm5ETb3+B6VcqZkQLppFxsjeB1MToOG123K7YKcjOB8y2cTsc8fqlJCbFbUeEIOqQtem6Wkv5fkWdzJehYQqlGdkA8bQR1cDtdJHgdh3xUtD0Jv9lNsVGQXZevLwuhwMRK29CMulJyfF20KPjNCbcpyQkIkSTrZwQZh7mbq6keB0NwOtyxM+rqK1h2sJ3iKhhwmqERn89l5x5lSk0aMYxu53NDTgSX2z8kjXbVqIbOh8ufo8ze5/NoK59aQxoyJJ8RF11HVwOe3yStWXfbj5Z9gGBkB9VjbBh5xpaZeShyAqqbpCRnBZ/DjSvq1kvyawPTZoWAah6zF+WgdPujLfj0f2a6PGSnOBtVq4083msQ1pS8jH2RLH+OW6fY44Lh81Om5z8uMG4x+WK932s/WPPm+ZlUhSF9KSUY/I9clwotM7KOyIMnQDCqoHb6SbB7T6irgaQ4DbraZ7bCoOmsEKxHjWAjOTUeDmP7GdIS0xu8Zimg8vuxOt0mmPw+M3zg+ZbCVgAGODzh82wAUIQCjUZbBsGiOjs1+dvamIhxBE7yYQw7YkMvto1wfdNrF5H1qeZ4S1Nx4SI22wiSYJgyIjfQBDdJSiivmj80LtrDps/u4eMNDfBwPF32x2Nqb0xaPAB0W2xsbQG4A8aR4zw5uWNRAzC4WPzIypMhsNH3hqxvo2dFwg15d08XzD98jQ0ayclui2bozY4N19OEUIQUQ3T8WLUU6aISEjC9AYcCBrohhENpyCi+Spx2wAwhbRIRBxb12i+sd/jDhhj4+/IQh0xFpuXq3m+hmEKmi0hSQJVh4i/5TY0x72OPxSti4Bws7oGwwZGqNk4Q8T7xjBMZ71as7ASkpDifnV8fiPefrHUEuaxBK/MXdcNYNHKPTjsNgb2bsW4swvNMEC6gc9/ZB1iNB/38TFsHHteS5jtBxcNu8J8SR7l+PHb0FKomiOFHDNiAfEXcNO1daOpTxFm6KWm8h6VrzhqrLaU70k8v2LjJhw58pkY0zQd7YD1aB9TzctLs/J+VdoTtVPzY0KIaAgi8+9ETwL9uw6loqYch91BQVY72uS0JRwxjjub14G0pHT6dh6ATXEQjoRI8aQSVpvSNC+vEAJNjXkTFyS4EuiY1wW7zY6mqaQnZyJFtRECgao3tfvXrasQAs0w0CLHHgOO6NPYmDAPtzAmOPk+P+KawtxoERtTJxprMaHwRNeNjaejy2La/h05LoQQcaFUixz7bDqa2LW/zjEzfyPadqf2O/2/ybcXsDAfroneWGwkYc7QVY6wozqZB/Dp0g0nepAKTKGy+fdYxZoLJ7F8YsQ0BNmZbsLHWUI7cZkEEmYsvqNnU5L5RjluuuNd62ReGJIQ6IZxTD4GBglK1HN9VLPtU5sEK4mm5TTN0KLblaV4mRDglmQUxdSYhaKzKh1wyBJ2W8xtNzRGdAQSHkXCiAofoRa2BsfKGFvWkMSxx07E8c450dg+URsagCJLeG1SfCUjFN2FZobJMH3GxM7VDBXdkOLqdiFBkk0hNqX2R5otiAgDjyLHPV1rKvElf10XXH1xF66+oovp0T5iavGaL2Mej6Pr+nXGqWGA2+mMz7q/K072Bdfi7xx1bxw1Jr6La3+9tF81Do86Lk5w7KSu1/Kx5t8VWWFAl75mvM2Ypk475uJHpNV16NCqHZ1btzN3o4mo5vwIJ8NHPw8Fgphj2QwuGnZBM19MR3oYP6bfvkZdvyr9MWm/5pg46Wt+jXy/0zH+HeX71em/+pn6Q+c70WDZFJmJH25h2eq92BSJ6yf0oWfXDILNlgG1qK1ITGPTXOOjx45hCifySWpuvi9M1XGT7YskSUcMpFg8xubjWpYlsw1o0ozEBJNYfQ2Db7R7MuayASAc1rFFhY/mD6fjldd8YOpNb2bDDGlhzmKbYoPF6iMfVVchzDA9sWWvGA5JsK6mmGWHlxLWQvTLGMjAtP6mUCEJ/KqGEt367I66sfBHH6C6YeCUBWurN7Ghci1n5Y6ktbc1YU3HJUtUhmqYvWc2jZEGBmQOok9qTwwDPj4wm/kH5tItrQc3tLuBsK4jC/mIWXasvJHIkWE+NEOLunk1BT3d0KKG1FL0u25qhKJtKktyMy2IeczUEIm4VkkWTecc22cGNknQqAb4+MBc9jTsJtudw/m540iyeYk9nIKahiLJyIDbrsQFJUUyX0azDixgR91WChLaMTb7HBRJENF1PIrEtvo9LCr7HIBRuWfT3tvaFLIQ+AMQrtNM1wx26YjI9v9NTiZUksWphblcHp0lAebY/OrBElENcxk4/svJpYPokmlIb1qi/RppLSxOFZTYLdP8/+afozn6fDBfyMtW7+P5t1diGHX06pZLn74Z6HEjbYOEBAkcgA6hBvPmkyRTi+BJlEw/SRIQMJchTtWbyQwvES1zNBahv7H52rkZTke4hKluUQEBAR8kJEoggx7VFshOAaoZ2y/G1xeuYg4MVX76uxns3HOIzu1b8dJjFyEkcyYpSZCQHC2vCv4Gmglbzdo/KnBEfKY9XUKiBAL0CEjR+gQbiDsXFJi+tK68azqXX9iDS8/vSKNPI8Gu8FHJLK5ceDERLQK66dtnytkfclbWKK5YdCVl/kP4dT8BLUDnxELu6HQX5+WeR0Q3kIVBQItw67Lr2LxvI4+e9SS/6/UrNB0qQpVcvOAivjy4HGRw2Vy8Pvxdrup4KV9WrOCZ9U/Tr/VA7ux2My5dRo00ab8MDAwdrv7pdC45vysTxnXG5zPjfrltclxFFtbAHtUMaSoENVNrZlOkuMQcDkPElDlxKRKyLGFo5rkehzlvCR3HJ5LpHwf8WpCLF57HkpJFZt+E4aKOlzJlxDS21e3kJytvRtM1aiO1SEj0S+/Pzzr/kt5pPQH404Y/8Piav8bLfUv3O3h2wAs4FFhVtZaLF1zEoTozxE9+cms+HDWTbkndsbnhzUmbeOk/y5AkhYfuGcm5Z7cj4DNOelna4seF+Vz6emMjppH6psQ12t84B4vTnaPlkZY+LZ3b0vfm5x3vOie6/onOOx7fXoMlTBusZx8/l6H9Crj+F2+bL6doQWTZ9OY6f0kJ23dXkpToZNTQdmSmOQgGIazqLFt8kJ17qwiEIvTvmUf/M3LMwLWn2J1l6OBygi+gM3vmLg6VN5CXm8SoIe2x202bJa9bsHrjYdYVHcLjspGZ7iUc0Rjav4Bliw9QXRukfZsUFFli685KstI99O3ZClkSX6vjmiMJc4fXjHlb6dAmhVuuOgMkU+vkdJh2Sx9+sovSsnpa5SRx9tB22O3mrrtIRGfWxzvZW1JLZrpp5D18QAHZGV7mLdqPqmpkZSSwfnMpCV4Ho4a1J8mrEFbB7RAEQoKpn2yme+cs5AmdsIcVJAH7fHvpktyN/4yYzLrqDdyw4Er+s+ctRuecjSIpfHlgBYNaD6EwqSvT9k7ms4Nz2DB+G+28bbArgr9u+Bfb6raQnJaCpmvmbklZ4p/Fr/NlyXIeHvI3xuaO5Zy5Z/ObtfdxXt44Huz5B6bsm4gQgrn7PmNPYwkjs0fTxpOPJsBlF4TDMPWTzXRun458RSEuFRpDQRaXf0lNuJpcVysKvAWsq16Lqmt0Se5Kh8S27G8sZU3VKkr9B0i0JzE29zwyHGkYQHHtDjbXbqJDQkcKk7ry3u4Z6IbOqOzRJNsTUY1j4+3JkiCsqpQFD/HY4Ke4rv21jF8wjo93f8CeviUkOxOoDdew5XAx57e7ENVQeXfLW6yoXM6W8dvYWF3M4+v+yoCcgbw6/E1+t/q3vF70Mle0voZz8kbw6KZHOVR/kCljP0Y3NK6adwkPb/wzH571PoGgwZmDW7N9TyVPPD+HXft6Idva8UP3qmxhYWHxv+Q7scECIBrqxVwKNEzDbgERVecnv53JB7M2IkkKjf4Qvbpk8cqTl9J7YCb/enIFf3vmM5KSEqitCyDQeOOfV3LpRZ1orDeXQk4FzB2TgpLSBm66bxqrNpQiSzLBcIgLRhXywmPjycxw8rdnlvPoM/PwBwKAE4iQl5POjDeu44ZfTKO0/ADnjuxPfnYir0yaS6e2nVj8/m2kJDniW9ab7/I5WSQhcDhk+vXMY9Q5BdQf0nHYJQ6WN3LzL6excv1BZFkmGAxx3sjOvPj4eLIzXfzkwRm888FaOrXNpKYuwOGqvUx67m5Gn9mem+97n9LyWhIT3NTVNwAawwd2ZvLzV+JyKpSVBwmGNRK8dnz+MAf3NhIKQU6Glxva3cKVba4lJzGJg75DAKTa03A7Fe7qfA8f7fyAe7s+wKWtL6G4djM7arYT0kPYFNhSu5univ7G/d0eZNLed4noEVM7CMw79ClOj5Nb2t9BXlIal7W5gje2vsLuhl10TOiMTbKxsWodF8y/ANUfZmjBmXw6ei6RgERpWYBIxDDLGwhzYE8Dsi6zz9jBlYvHU1tfy/CCEVycfxkPrL4XI2jwq76/47E+f+XyRRexs34HifZEDjYeYEjWcD4c+QnpjgT+UfwEb29+jW7Z3Umxp/LFocUQgH+M/Df3d/85oaCGIjXdaqaRLngVDwvHriDDmYLdBjZhw253IAmJ1onZ3NThNn5X/SueHvAcuq7Ts6wTITWIYRisqlqJUAW3dvwJPTIL+Wnne5i182O+OLyIs3NGsLBsHt0ye3B5mwsJRKBXTm9WVCylKuTDKdx06JzE+LFd+MdLi8wJ0XdoE2VhYWFh8W08uR+FYRjoUQMLwwBDg4QEiSkfb+atqZ8z5sxC5k28md//fCRrN2/nL/9ahB6Cc87qxD23DOeph87joXtG0uhv5LMvdiLZMYMenyLouoHDDX97djGLVmzm3luH8Nnkm7n8gp58OGcJkz/aTPG2av7wj9kkJbj5+PXb+PKTO+hRmEdtXYD2Ban8598T6NqxLftKKlm7+SCD+/Zi4nMT8Hrs5q6qqHAlSVH3Dt+gjIFgBL3RtAFzeODx55awcPkmfn7TYD6bdDNXXtSLj+ct5fXJaxEKzFq4A5tN4rc/O5N//WUcv7z9Ynp1ySEtzcbPbxmMYYTp1SWbRR/eybWXDGTJyg1Mm1nEaxPX0n7Yn+g26u80NIZ58sXPyev3F/qd/zwVNX7cNic5ziR2VZdwz4q7SLAlcEP7W8CAqlAlmqJx9aJLcbwhKD68mZ6ZZ5Dvbo0w4E/rH6Jf+iB+0/0hfGojOlH7MaA8UEaSMxkhBKqq0cqVh2RIHA6WIQsJ1dDQDZ3pZ33MLT3uZOm+xZRzgFff2UiHYX+my8gnqGsI8dTLi8nv/wiFo/9FHoU81vcfAAzNOJNbOtyJW3ZzZsFI7u1yL4Yh+FnhL/lVt9/xwsBXGN3qHJYdWMJBv7n89oeef2RA3iCKDm8m05nFR2P+n73zDpOiSt/2faqqc09kZpiBYcg5ZxARBCSKogKighlzzjn8zHnXHNY1CyrmgICSJOecc44TO3dVne+P6p4Z4q7CIvrVfV0j012hz6lqqZf3fc/z/MBjXZ/h9Ko90XWOuNJKIshyZeBU4YF5jzJ760wubXAFNX3VMOOSQDyAYRo0/KqAxl/UIh6J0S33dBwOwc7wDqQiqerJxYgbpGgpmIrJvugeDKAsWka+twYxXUdiUt1Tg6AepDC2H4cikFEoC0Qr/kFkY2NjY3NcOW4ZLKEJy0MNS6NHOMAIwqIVu9A0Nxs2F3LNfd+hKoLG9eqQkerCCEsmTF3HqG8X8PFXKulpHlTFYS0RPonERq0mcoVwqWTFmj1omp9fpm1g7KS1ODSFpg3r43IpLFy2EymDXHxedwaeVxeC8NtXV7F1ezGKotC9TwGvyHPoOexNwGT+2Nto0ymLst2yXK1dVSEas5o7Ne33R1lCWCJ0qmopzyfHO3HmRsZNXYemKTRraFmfmAIeu6MnT77yK5fe9ikCNx1aV+ecPk0QznRqVktDCJOrLmrPaWfXQEPjs++nM2/xdp59qBdNGmQR1yUX3vA55w9sw4XntEBTVVL9LtwKrC7dyDm/nsXmwEbG9PqezrmtkTq4VQ8YcGPz2zg973RGbxzFd+u/4qMN7zO05gV8sXYUVVOrcvr4zpTFy3h+yVPETJ1nOzxGmiOdbcGtCBQ0VaUwth8Tk3Sn5dsYN2M0yWzGmfX6sCO8k/eUt9myfwcjzm1LsxbXo8fhwhs+Z3D/pgw/ryVCEWSmuxhe5RKeX/o0U3dPokFqQ4KxIHc2uY/qqTmsL9rO5xs/ZUnRIvzOVOJmDMWhEDWjGBLqpReQ7sokL7Ua7586ihS3ylk1B1i6YMbhAyyJREHiUBTuW/AIT81/lKGNLuTNTq8RS6y00oTVB/ZC+1fI81bllRX/5PuN3zKl3ixqeAtQTIWSeDGqphIxIyimQpojHQVwOzzsje7BqVmN8ftie3CrblK1NIzy/ruT5H8wGxsbm78hxyWDJYSgpDBOcUkYh6ZRUhqhaG8MVYO6NTPQ9TDtWlbn63cu5PUnzuK8Ac0547T67Ngd4sHnfyEcgYXjbuCTV4YgUdH15Oq14zG6Y0cIaxWkJ0VQPS8NXQ8xbGBzfnhvBM/c14depzahVZNq1MxPR0oXYyevYfWCYooLDb7/ZRU/TlyNqko2ryrjiVcm0rJJdZo3yufGB79j3bJinA5Ld8blgZ8nr+OcK9/j/16aWCEy+bsHbI3X7Rfk56Wi60GGDGjGD++N4Ln7+9K7WxM6tamBGYdtO0u4dWQ3fh49khsu68zshat4+d8zrGbvuIGUKu9/sYAZP23n7Y/nousmDetkkVvNR/+edenfox6xuEG9WlXo1a8mXTvm43OrrCxez+BJ57CtbAvvdv2YYDzI4wufRSiW3IADB+2zOnBWwZl0yOpIJBph9t6ZpDjd3NX6fkbUvZyOWZ1xKk465pzCmfl9kBJOrdqNYFmQsdt/YHvZHr7d8hUZvkzqpdQnZsYQCFyKC+IQNWNoqkYkHievupf+PesyoEdd4nGDugWZ9OpXkx6dCzAUHb9D44r61zBr33RunX0Dp+Seyul5pyENyWebPmXc2p+4qO4lrBmyksEFQ1EMBdM0UAWEYzrBeBkuh5utwc3sDpRSGtEJH7CC6mAkqiJ4cNEjPLXgUQbWGcS9zR/i5jm3s7p0HUKFqIziUBx0z+3JmQVn0iitMSVlxSwrWUan7C6YwuSzjZ9SHAzw2aZPMDFpl9URhwodsjqxeM9C5uxdyvzC+czfNZdm6S3I9qQRNw271crGxsbmf8wxZbAMQ4IPJkxdx4ibvyIWjwIxrrn3K66//yu+e+8yLr+gFV/8uIR/jZrOdxNWEItLikuKuPXKnvTvVY+WTXKZt3gDrfu+QiRiYprw/hfTOH9gc/qcXovgSbKySSiCeBTuuLoLs+Zv5PbHfuC5N6dSFogRDIdp3qgql13UgkuHdub9z6fRuMc/8HldBIKlnH5KEy4c1JJu573H5u3LOH9gP6IxnW/G/UqznjtYNvFm8nNTUB0w6pvFTJqxmCED2uB0Wcujf49shVWqtXq54lG47aouTJ+3kbue+IEX3/6NsmCMYChE43pZCGryxCuTgBBn921HWVkUUOnYpgZSJPWiNCbN2MgvA9YBMU7t0JzLh7UhUiLRDUvNukPLfKpm+zFKJaUBgwyvxnWzr2bZ5sWQAiNnXUy4KEyT/GaMbHA198y/jXg0zsW/DeOSaRcioyYpKSlcUHs4HtXNM6c8zmuL3+HpxY9RFixlVnwGmwNbOU3CVQ2u5vONo7hyygicbhexSJQXOr9MFb+X22bexcbdG9iobuDOOffy9dYviQfi3LngZtpXmYFP86ObJu1bVic3xxpvICDRNJVIXHJJvUv4x8rn2FO4m1u63IFXc2Ia0CC1EapX5bVV/2TUhvcJGVH0uM71s0cyrd8cOo/twJIdC0GFpl/XpW56Pcb3mkoNXy4R3ThkZaiJiV9T+Wn7RJ6c8ygAP2z7lu+3fAMlcF7NISzbb/LkkkchAm2/b2IdGIU6eXXpXrU7jdPqMKzxcEYv/5gau6oRCJbRq3Yfeuf1xpCSe5rdxzm7ZtDxhxYgrKzhfc0fRAhrHYyZ+J7Y2NjY2PxvOKYAS1EERKFpw6o8entPQOLQNOK6gWFK6teugs/v4Kt3hjPmh+WsWLubzHQv7VpWo1vHOvh8Kh/+4zy+HruSnXtKOKVtLRwOlfWb91GvdmbClubPD67AaiKPRaBdi6pMGDWSMT8uY+vOEmpUS+eUtjXo1DqfeAhef+JM+narx5xFW3FoKm2aV6NP9wYIAfffdBplwba0bFxALK7TtUM1HA43qT4Xmgq7d8aYu3g7TRs04ZKhLSwdsd8xf0URuF0OlFSBGoRoBFo3y2HCp1cy5sdlbNlRQo1qqXRuU0CntjWIR+H5B/pTFoywbWeA7EwfI84bwR7U9dQAANmPSURBVDl9myAk+LxOhIjz5lOD8fkVDF2hX/f6pKc6iEQTvWKqYOxHl6CoglhU4HSoxAy4pfEdnFn9bExhEjNjuHDSKKMpPtXPPc0epLDefgxhoEsdj+qlQ1YnOme1I6SbaCGT2v46XNHgalJcKUTiEQp8dYnqUC+lNj+fMYGP139McayQntX6MDB/ILEYnJk/iDxXdaSQdMrqTOP0phTW3U+2rypuzQtC4NBUfvrwEhTFGq9DS+i0mZJcdxb/PuVjFhbOo3/1gUR0q/d7YP5Avu71I5N2/opH9dIttzsrSlaQ4cxEQeWWxrezt9ZeVEUhasTI9mST7szAROBW1UOyRVIqCKBJWhNe7PoqhtSJm5bEs0f10ii1CSB4sZ21LWZa5o6pjjR65p1B/ZTaxEx4s8O7nFLlVBYXLqRheiMuqXs5Hs1FKG7St1ovfurzC99t+QYknFPrPE7L6UxIB4GC4hGk+l3lmmc2NjY2NseXYwqwhADiULsgg3vu7Gy9mVzpLSBeAuEApKe4uP7qNpbOUkKLKRyAWAga1M7gvttPOVBowtmAeCl/SNH8f4lQLI2uOgWp3HfnKZbGlQZELS0rmRBrPP+8Rpx/XqNy4c5wmXX8yMtalWt9oUC//rUthfNCy9Nx5do9bNy6i/dfuhCvX6WsWJYLiP4nDMMkHjOZNncDH723jHP6NEVRLDuV2jVSufeOw4wXuP2ajuCk3HIDLOX0WTN38eI7U5FSMOrbhVwzvCMXXNCIULHlh5f0AUsq0CfVuQWCuAln1+wLat+DBmmpjV/ecPiBxWkJUoeQLlGFgmkq9M/vSf9aPSu+TzoEdUs/rVFaA55q/3/l35lgXIIu6JF7Cj3yT0lMAk5TOlZ4KMao8NTTlPLfy++tEIQNyYDqvRhQo1e5KjqALiUDa/RhYEGfcs2p3jW6W+KoMbiswUUHzse0NLBC8ShleimWxr484LN00yDHncOtLa4/5F4m/f9ubX79gcGZJKHrZV0Up+LkxqZXH6ACHzMt9fegLumReyo98k4tPzYQt1b3utwKc2fs5q1PZ2MYEaIx3S4Z2tjY2BxnjosOViymE9996Kk01fJO0w1JdJ9l/ZF8zKiKglAsw1w9aJb//S4UYUkiqEpiVZ2sJFvw50vvJz0FzXBiPtIal5UJsPYpLapQIAZrrgDFew1rbonFAGaJaSmHq4JYFOrVqsKoV0fQv0dDwgErO3QwyRVfB/hqmeD1aFx3SUeWr97BrAXbOK9f0wPGa4RM63oiy5vgAcoC0lqtmfgowzDJyNDYtS9IIBThlLb12bazmJkLttG/R31MKcrnk+RgFXABlMWMcm/A8msnFFShUhrVK93XhHdiYps1JwjEDYxYxfFJRXYhBGHdROqWPY6JWd4MHoibGLEKFXVr9aF1fk1UfD9NefjAXSAI6JaCe3IsyffLEudNqr2b0iw/b3I+Fec3SHe7+WHbBO6cezOKqiaOtNCESiQW4f/aPsWFtQcT0C0V+CRJSYfSsH6QZyMolZTpTSSlUQMlcR0qK8crQlAWP9AvSBUqpjRxOAXrNxWxd3+QCwd1om3zauiRkydbbGNjY/N34LisIhRCWCrXR9muaYf/y1tVBT6vZZlimNa/3ivjcoryZu9oLGHGehIEWUfrC9MO1liQoGrg86qYpjUPKS27lSTxOORU8TBscGPCZYd6tSWV151OUb5/5W2qqvL0vaeXv2ep4Vfs4/GoKAoJcdFK2RRAcygkpZBiMYVgAPp1q0uvLjeiG1YPkd+roChWMGXZ4sjy5FJyDJWvjypUSJTClIToaXJfDQ1TSFxOgVCsjJl+kOS5FUgcPn1nBRjWNa4cmCTNjstfoxz2u3JUr70jfKZ60PuVXycDvCSmVNENaJTWhNua3X3IKkLLSDhOy4zWgAOncqgQKYCmOI48UKzALxk4KodZr3LwmMGySYoEYfCARgwe0AgzIU0ci9qrCm1sbGyOJ9oh3jcH68IfzFG2HaqnIyqyVpW2VWRfLCXxmfO3s78oRE6Wn7YtqqGIZBZLsHpDEWs37ENKaNuiOrnZ3nJBzj+LZOalMuXeigk17GR2S0qJ5hAUFkWYt2QbXo+T9i3z0TSBlBVZLyEse5pIkXlogAY4HNYzfOuOAJFInNoFGeVlOUUBpxM2bwsRCEaolptGql8lErXO6/UIdu2NUFgcJDc7jcwMjXDEmoLbJYjGYe2mIlxOBwXV/JaZq56w0XGqOBywrzDOpq1FaA6V+rUy8fms4OjAKMv6IxSyGuRTfNaGaAy8XoGhW8GZFBKvU7B9V4jSQIRqVQ8c718dRSjETGiQWoemGVcdcT/dSNr4nOBJC+ueJL+j8Pe47jY2Nn8jjuR5c6QY5HD7H80r5z/FOkf77P+S46aDZZoSp0OgqgnTX2H1JOlJTR+HQFWsv9CjcUtE1OUSbNpaSr8RHxCLB2jRuDY/f3wJVdLdRGMSp0fw+MuTGf3tHAA+/OdwRgxrSmS/PGJG7H9NeUDjsD4/mQGIJ3S7HJrAlNY10FQwpcCdAr9+v4ERt7xPrRr5TPr8Cmrl+wiELG+8ZOZAiEOzX1KCywXLVu3jxoe+Y9aCbbRuWo0Joy7H6VAs02BN8Ng/p/HkyxOJ62GaNKjOO8+cR7tWeWgC3vxoIfc+PZbSQBk1qmXx2uOD6N+jLrou2bi1jJF3fcWUWWsAjSuGdeSFh87A6XBYpb5gnP97aQovvzcdp0NhQM8mfPDyIKbP3cOPv65ESoVIVC+//7VqZHLFBW3xugRTZ+3g8x8WsX5TMY0b5BAMxbhmeHtat8jm0Rem8eQrE4nFwzSuX423nzmPzm2qHdDf9VdGADFTEjGO7G6sCOXEB1cJKgf2NjY2NjbHn+NUIgS/T7B7b4xgOIbf60Q3TJwOlZQUB9KE/YURguE4mqaSl+NFCkE8DtVyU5nxwxVccuPXBEOx8v4eISwPvWfu70nDOlV49KUfrUfRn/hAsBqkIaZLNm8LJFalKSAE2ZkeDEOyuyiKw2Gt0AqGdQLBGOm6k4ED6tHxg0Zs3FqElJKikhhOpxOPB8Lhoz3orGxdTDdpUCeLjVuKCYTi5ePxuAXjp27i0Rd/4JS2DTinXxPuemIsI+/+mrk/XsOK9UXc8MDX1K+TzaN3nMH/vfQrV975JbN/uI5atfzc+fjPTJm1nAduGsiajXt5d/REmjeqys1XtiMWhdsfG8/7n8/gibsGMKhvY1L9HvwpGvMWb+Pp18YBDjLT08hId7N+0x5SfH5uuLQt34xbx4U3fEQ4Ag3rZfPzlJVAjIG9GhEKGzzy4vd0bF2fwWc2554nx3LVXV8z/eur8Hoc6MbJa/b9exCIw5bpbGxsbGz+/hyXXIGqKDz3xmza9n+Ful2epGXvV+g48DX++e8Z6BhceutXNOv1D+p3fZ5G3Z7n/md+BSGR0tK4ats5j8w0L3HdPOBf1rouKaidSpvm1Y7HMI8ZVZGUlEW54PrPaXz6P2lxxsvUO/VZBl3+EW43fPL1Elr2fo5r7vmWnXsCDL1mNC17v8D4KRtIK3CSm+0jEAhx/nWf0aj7K5x/7SfMX7wbl+vQnqskQgiiUWjZOId3Xz6LOgVVMAzrOplSojhhzI/LEAKevKcPd9zficvP78CKNZvYuLmE8VPXIgny4M09ueXB9tx0eRf27N/DgqU72bsnxtjJa+jSvimP3XUaLz86EI87nc++W4I0YeHy3bz/+SzO6dua1s1zKS2LUz3XQ6gUbrysA+1aNqRj67qsmXorLzzUh5svPw2HQyEWl9zz1HhMCZO/uIpV82/gk1cuAFS8Hidfjl2KEJIn7+7LHfd35IphHVi5bgtLVu3B6TzytbCxsbGxsfmrcEwBlm6YkAKjvl3CXU+OweHQePGRQfQ7vQHbdm5ly/YSNBSqZvu5bEg7Jnx6GW1b5PPC21NZs6EIt0tgmiZGqUlcNw7oCQEryDIjkrJgrPy9P+vhaxgmbq/gu19W88MvsxkysDnf/vtCLhzUmtbNqhGPQfuW1XA4nKxcu5dUv4tWTXMpLi2ipCyC1K2xhyIlBIJRurSvwY+/LuWCGz6nqDiKph2uh62CeBziAWldc5J9bYACG7cWoyg+crJ8GCWS5o2qIgRs31XK1h0lCOGiZn4aRqGkSf0chNDYvquU7TtLiceiNKmfg2lKfF4H1XMz2LStGClhwdIdCCEYP3Ud/Ud8wCmDXuH5t2bjdFsCqJoqWLxiB237v87gkZ/T9/QGTP/mCpau2sfajXs5tV19OrWpTmQvnNmzEWPeuowObaqyat0+hPBTNbvyeAWbtxXZJSsbGxsbm78FfzjAkkgURYE4jJ20BkURvPrYWdx6cwfeeXYgrzw2ggsHtUA3TTLTfUycsY4bH/yJdRsLcTmd7CsMoqpgGlYWq3Lju5kINGTC4beykrlE/ilBlqIo6DHo1LoGeVXz+eSruVx809fs2R/g1Pa10HVo3Sab+rVyMUxJeqqDAT0bIYQTsOQRDFOiaV6+fOtCvvpiKMPO6sj6zduYt2QnTsfRg8cKeYaK18nr5NCshjcBKCrohpHozVISfoaWWbKiWoEimGiagkNTkQhiCbVxRRFEY4Ylr6HCvsIQEKdHlzqMeut8crLSeOLlyezdG0HTwDRNPG6N7Co+FEVQMz+dRq2qEA7HQUpcLs3qRYqZOJ0K551TH39ucmVcYrwK6Lolp+BwHCrKaWNjY2Nj81fkDwdYAmulHxp43BqmabB9VylgrUDr2r42bZrnMvrrFTzy4mc0qpfDlG8u4cwzGmFKnbRUNyjg92kIl0BTFTRVwenQcHut1XUup4ritdS3VdUKCBSPwOlUfnc3/zGTkJFI8bm4+fJTeO6BM+netSZTZ2/i8js+Z+X6vUghMaVJcWkIBKxYuwdF0fF7HShegcupAZJAKApRCIatzJyUR26EtnaAFL/A4bd6vjRVIcWn4vcqYEDTRrkYZoClq3cjnIJJMzYBGgXVM2hYJwsp48xdvB3hFUyevQkpJbXzM6iRn0paqp85CzYTi8LGrUVs37WPJg2qggbV81KR0uD8gc0ZdlVT2rcsoKSsjHBYx5kikBJqF2QxcfQVfPrqEHKz/ET2SerXySQnO5WZCzayaVspqdUUQuE4X3+7lq0rA7RpVg3TDLBk1W6ESzBp5kZApV6tLP7TpbCxsbGxsfkrcEwlQiEBE4ad3RKX088ND3zL2ed/Qd8RH9Kq7xP8e/SihNikwtYdZTz7xnR++W098XiAl/41nXgcHn95Kj0H/ptZC7exfvM++o54l+vv+RlFEcxdspO+53zKvU+NxzBMHnz+F/oO/IC5i7fj8nJCvdRMw8TlhS9/Ws49T33DouW76NezPtXzMtBUiZlozG5UN4t9hXvoOewDHnz+FwzD4M2P5/Djx+uZ8NsqdD3C0GtH02fQJ3w/YQEN6tSgbYvqxOKHb3SXUuJywb9HL6HfkI+YOX8rK9buoc9F7zH62xUAXDSoBW53Clfd9TX9B43ix1/n0+/0ltTM99O/R0Oyq+Ry79NjGTjgM97++DdaNa1Pu5bVSE1TuXxoa1au20Dviz7grMs/wjTjXDmsLQg4rUNNsjKqcOfjY7nqop/44ZeldGhVm7waHr4Ys4b5S7eyYOlGHnnpV87t2xC3WyMel1TNcXPbyFMoKi6k1wX/ZsRl33DKoLc4d+TbfP3zKkZe2A63K4Vr7vmaAWeP4rvx8+jTrRnNGlYhHDk5vCdtbGxsbGyOhWPzIlQFBKB313p8+falvPTONJas3E5OlRQev2sQl5/fBtOEVVedyU8TV/HjuCAXDmrBwmVZODQFISEaMygsCdK5XQEKUBoIEonqVrAhJfuKgqSnuzm9czOC4Ri79oZRRHJxe2URpv8tQghMHWrVSKddyzosWr6TWQu2kZqi8erjg2nRJId4Gdxy5Sls3VnC1u1FDD+nJSvXVic91UWwTKd5wxzq12nB3v1BVq3fxbn92vLIbb2oku4iHJXl+l+VSaqkB8Ixdu4tpWObGihCsK+wjHBUR49By8bZfPrKhTzxyiSWr97JiHM788Q9fdANyM/zMubNC3jg+V9YtGI7Z53Rgqfv60NaqpNQKTx8aw+EgG/GLcPjdvHa4+dzdt8GBApN6tRM5eNXLuDBZyfw468rGXhGMx6/8wzcHpVwNM4pbWshhEkoFKcsZOl3KYogGJDccmUn/F4X74yaw8QZG6hfuwrXjhjK8HNbkZGuMfr14Tz+z4ksW72Di87pxJP39EFVFeJxafdh2djY2Nj85RFluvVEN6VBqqby0/pJLNw5j7tPvZPwYQQ9TdMk1aEwZe5cvnx9FC+/+CLFO2KkpToRDoiGwOUDTIiErGPcPoiHweHGypklfGRCpeD1Y3nhmdZ7qIBubXM6QEtJvG8mjlVAL60QSvwzUFVwOaGwRCfNr6FqCW8/ab2vqpY+luqiPP6TURDuxDwS18bthXjE2tehHTifyqFjNAZuF+DF8nNMXqcwBBPX2Oe1grFA0CQ1XSEatkq1AB631etUUmaQlqYSj1X4PAoBHj8EE9fb4YJgoEKE0uuxfi8NmKSmKtaxUevzcCcGaFr3qzIS8CW+B4GgxJ8hQIdIGHRD4vcKa7whk9Q0hVi4QkvMxsbGxub/L+J6nLRcB/c9+DBLdizmogsvoX6jhtSr3wCnQyNmxHly6qNc1OJSmmbXI6SbB7hkmNLEqyks3bOa0Us/5v5uj6Aq6iG9zclY56NlX1ASKeaGdiMpPehcSRwKPDn1CbrX7kn3gk6UHWG/I3F8dLAUQTBkyS6oqkJZsWUqq6oCCZQVmyiKQjRmNahbfm6gqgqB0opm7fLzJbZFYhJjt5XCqfzgVSs1xf8Z6LokroPXrVm+hJHkmCifoxBghirsZBRFYASteScbykuLDTxehbG/rOe9z+fidDgPKXtKKbn5is506VCdwC7zgPKZIiosewJBa0GAw6FQVmJd7+QlCoWtc7ocKmVlEkVUKM+b0ro/mqYQi0MkJssXFQhhWe6AZZBcfqwiCIQlZrDCF1E9qKwngLKy5H0WlBVa91FVBIoQFePVDh2vjY2NjY3NX53jpuRuPehFwmOv4kmZDJYsBXRR6d2K45QjlPlUReDyqhiGlZ05aRACBcuPTwhBZU/mpCG15FCzZq3Sa8s/UEERB16rSh9RHqiBFUwlS3CHI/m+acpyI+eDtxmmPGwgpKpK+fU9ePsB5z04uDuMGXVl1PJjOeKYDjdeGxsbGxubvzrHLcBKcqQsxO/NTigCYnGTbTuDZKS58XsdnMCe9qNSHiYeZVL/aboiIUsfjUL/HvU464x6R7xGsThEIv+dGe9Rx3TUbX/8vP+Jox36d1Bst7GxsbGxOZjjEmCZpqXxlGitAirKYkm9JkVYZb3kfkKxGtWt7ZVOJiu8C+95ejw/TJjHxYO78tAtpxGLWaUk5U9+KJumPEAlIjlXsDS8DhBL5cBsTXlvVTJDBcTjgnj8yNGjHYTY2NjY2Nj8tTj2AEtAit+J5sCKrrTEnzqEwuD1CIQqMOJW07XXL8CEaMQygnY4BE4XVtO2sI6LJQx/O7bK540PJ7FtVynODIEzrGLEIRL985qhpZT4vALhwGq6N7DGFLHG5PNU2mZa28NhKyPn9Vu1Q2kkTKM1a87hoGUKbYdRNjY2NjY2fw+OIcBKrDA04MHnfmXNhv20bFKNCb+tI64bXD60PZdd2IK3P1nEFz8u4sKz29C3ewNuuOFb/F43993Ynfr10tiwsZSnX5vC1NmbSEtx43QILhnalpGXt6Z/jwakpWaxZv1e+g76hMKSIPfd0INBfesRCJ54vSRpSrxewYTftvDyv6ezct0+WjSqyu1XdaVTmzykhG/GreX9L+azYu0+VEVwxbD23HBpe3bvDfPwS7+yZ18ZPbvUIzXFxZc/LaVWfiZP3N0br0fDMOxVdDY2NjY2Nn8H/rhVTqVa4JYdxXw1dgEPv/AzoVCctRv2c/U9n/DB6MUEQzF+nbaQyTM3IlSDWQs28dFXC9i1tww1DR54dgL//mwqA89oRM9T67Js9Q42bClCcUBRSQSXUzBzwXpKyqIsXrGD+54dT0kgjqpaqxFPFIZp4kkRfDNuLQMueYfCohCD+jRh6eqdDLryPeYt2YXmkXw3YRU7d5dy8bmtyMnyc9cTY5gxbxtOL2zYXMhPE2czZuwyxk1Zy8+T57J3fwgpZSVdLxsbGxsbG5u/On/cKkcIDNMEL9x8eWcUxcvAM5oz4/sr+Obd4SiKkw/GLOTiwa1JT61OKBInr7mPy87vZPVYqQqYkF3FB0imzd1MLG5w68juXHJea/QgOB0K4bBO62a1mPLDpQw7qy2r1+1h7YZiPG5xQlcWCiGQBrz98Vx03aBB3RxyqvioXyuH/UW7+OCLhQin4JLBrWndtDqrN+xDmlaWb8OWQnLzvPz4wQhuv2ogq9ftZuL0dTz/4HA+f2swHrcDw7R7rWxsbGxsbP4uHHsPlmmZ9ZqmQZV0L64MhdwcP0KoxGI68biJokAsZoCAskAEAL/XCVG4dGhbDBPmLd7G6x/OJhYLsG1nCW89PxCf10U0btCicS7OXIW8qn5MCS7XiTcFVhAYcUkoEkdVNcKROFu2F1O3ZgY3XNqPAT0asX5VMedfOxohTK4Z0YkUv4vp81bhdmlggj9ToV3LGvzz3WnohiQ/LxXFB0RO7FxsbGxsbGxs/rccFwGiuG7i9bh5/4t5XH7V9wy/8QsMo4yBvRqTmeXE53Uwd/FWnn94Nl/8sAwpJZNnb8RU4YW3f2Ppqm28+EhfRr96Pl6vj2lzNhMJGsxasIVYLMrq9XtZMW0vi1fsBHSmz9l8wvuVdNPE6RecfkodDCNAWoqLoQOb0bheNlNmbiQQirNuYyl79u+hSf08zjuzMW6nhpQG0+duZl9RmJffmMdFN37KGac1oPdpDRh23Uc8+cx0YvE4QtjlQRsbGxsbm78LxxxgScDj1tB1gxZN8pg4cwPrNu7n1pH9uO6S9jidgpEXtmf3vhLufGIsVbP8OB0qn3+/DMIQDutMn7uSARd/zHUPfItTU7n7+tPwZ6h88s0SnA6DVev38dHny5m5YCtOh8Jn3y8lHueEyjWoqkK4RHLryE5cM6I373w6h+5DXuWGB7/H73dSUD2Njq3zOLtPOybNXE+Lni/x6/T1VM+txhc/LGPtqhJeeW8mihKjXq0sCqqn49BMnnh5Cnv2h3Foh/oQ2tjY2NjY2Pw1OaYSoUAgTNi1J0Bcj9K7awNuvqYDHsVFepoD3YBwGdx97akMGdAcl1MlK9NLIBjD5dLQ4/DcA315/sG+lAVilAYi1C2oQtVsD6FSeOups3jp4X6oioLX6+C2kaeg6yYejwN5gpXdBZaUgtvp4NXH+nL/Dd3YVxQiJ8tHZpobTQPDhNGvDWXT1hKEkBRUTycYiiOlxO9zMvu7a4jGDTxuB6Yp+b87euJ0qHjcDmJxuwfLxsbGxsbm78IfDrBMKfF4HOxaI7nk1tFICS+8NYX5S7Yz5u1hRGMS07RENuMG1KuVhgQMHapkupEmxONQKz8VhKUTpSiW4a8VbFi9Vh6PZdZompCa4rQ8/sw/xzpHCEu7SzckVbM95FX1YJhgGJYHIVg2OfVqpQHWXFL8DkveywCf14FfVCjS+30aUlrH29jY2NjY2Px9+MMBlgB03SC9iuDu63ugKQ6iMZ2C6uk4HZaCpqJU7GsFIICwREcTv1rmyInfkyruyUyOYVrGysnEjhVUVRgR/xkkLW5icYCKoKpy9ik5VyEEug4JyXp0o/wIhKgIrP7buRimRJqW/tfBGmBSyoQ3YkLvtZK/nxXEmYfdBta25GwqG0hXVuhPblcP+mzDkEjkAcclP5MK3fpD5ni08drY2NjY2PzV+eMBlhDE4ybudLjn+lMtJXYFS8E9ePj9K15Yf0gJTofA4YBYDIRiBR3JViQBeL1WkCIlmBJMo+L4P5NkoHX4beLA/SQ4nQIJ5RmrykbO/y0pfgFOAVFLHT7ZsWUmrqMvw1LJR0Kw1JKIsEylwZeulB8QKq04p2lKUlIV65sgwAhDOGwd6/cJ8CRvVmK6IQiGk4EwpKQK0AQyCuHEakjL2NsK1iTJjKMsD0RNCU7t8OO1sbGxsbH5O3BsPVgCMKGwKIqmOixdLAmqZj3Mk5kW05QH+PApqkARAk2D3ftC3P/sBAKBMI0b5HHH1V3wuDR0Q+J2CV79YD4Tp63D5VS44bIudG5fjfCfoOJemWRmh8R8hLCa4CtnZVRVwTAkumHiT1WYOWcHr33wG9Vzs7jzmq6k+K1Soar858yNVZqUTJm5namzN5Pqc3Llhe2sYMWUeNyCHXtCjHpnCXv2l9KpTS3O6t2AuA5OB5QEYrz9yRI2bdtPi8bVGXpmMxQFDF3i9Qh+mbKF8b+twet2MXhAUxrXy8QwYOb8XcxasBWElbmKxgxOaVdA+1Z56HGIRg2mzdnGtLmbyc9L4+LBLdF1iaYJYjFJIBjD7VLxeDS8XkEsZmX3vG7Bzj0hPn13CXv2ldKhVU0G9WmIYVrBoh1m2djY2Nj81TkuZs9CETgcCqkpCjiBRAmQGASDlh+h4hHgAAyIl0E0CpoGumGyav0e5i7ayMIVe7jh0o74PBpStzIau/eWMXnmRopLd9OnW0NOPbUaZtmfF2BJieVF6E98vgHoECwFl0ugeQXEIRyClDQBQgUFQuEYn32/lPT0VO689lR82Qp6KUQiR5+LaUp8PsGvv21l2PWfsr+oiNoF1blkaBtcThVNg/3FUc658hPmL1mHqngxzIn83x0Due/GLoTDJsNv/JJxUxbiUFOIGwHmLDydFx/ug8crGP3tCi6+ZRSGoQAx3vtsDl//awRtuuRw79PjmDJrEQ6tCrphIGUh9914Dl0656Eq8M24NVx73xhKy0rp2KYxFw9uidMpWLuhiKHXfkYoHCUU1tE06Ni6Bo/e3otmjTLZszfKuVd9ytxFa9EUH7o5kUduO5MHbz6VcOQPpPZsbGxsbGxOMo698UWCx+UgFIrz7kdLuPv+ibz9/mLeeHcRk2Zsw+mDuYt38+Irc7jptnE89tQ01m0qxu2CWEySk+VnztSRnNahYYXCO1b2KxQ2efzh7rz/0mBU1Y3TeVziwT8+VSlxu+C3OTu45/6J3HHPLzzzwkze+3QpLhesWlfIP16by1c/riUaNfjqh7W88NocViwros+g2pzduyUORWX63C28995iZi/cic979GDCEmmFxvVz+PLti2jXoj4etyORGQS3W/Dp10uYv2QVD908gPVzb6Nh3Ro89dov7C+MMuG3DYybMp/LhnZl46Lb6N65KW98NJXFK/ZgAA+/OBG/18WicTfxySsj2LJjF298NBczBoP6NOGdZy9l3eybee6BvjgcWZzavhYY1r3r0q6AL94YQZ2aBbhdGoqwDL2zq3ioU5DOxq076Ng6n9ZNqvPV2PkMvWY0haUxxvy4nLmLVnLfjf1YP/c2mtQv4JnXJ7JhSxkup5WVs7GxsbGx+V/zv3zaaMmTyyP8HGkwEmslIQ7YtrOE4Td9yeyFVkZCColhlHDVRT1p0yKXq+/+ht37SimonsH8pVv54sdl/Dr6MlJ8LmK6iVkmiOvGYR+sMiwJhWMYhvmn6kRJKXG5BPOW7OLsy9/H5/XQsE4mk2auIy8ng0uHNue32Zu59dHRtGrSkBaNc3nylcnMX7qUjPQradw5A8MwKCwuZui1ozFNHadT4YGbzuDeG7oQjR6pB8nqQauS4aZ6zRq4n9MoDUStMSFBE0ydswlF8TLkzGbUrJ/CsLNa8OhL37FhSxHzFm9DURQuGNSC6vV8XDioJZNnLmXlur1kZ/pYt3Ef5/VvTstmVahfuwpZmVWZMW8zkf1wy8j2SBOEG1as2UuKz0XntvlEwlYfWfVcHzWq+VAVpbyJPh6XZFd1M/jM5vw4cTE3XXEKPXvX4Irr/Px79GSmz9rGvCXbURQ3Q89sTkEDP8PObsFDz3/P8jV7qFcrBaIn9Nba2NjY2JxkHC0mOVyM8t/s83v2+09j+G84pgyWaUrwwhsfzmb2wqVccUFX1s+5hR8/uITM9Co4HRppGRp3XdeNqy7qyI2XdqJj61osXbWLtRsLcbsT56gUV5hScqQ4Skr5pwVZpinRHLBq/T6KS/fTsG4WVw/vwJN39+e5B/oRj8ElQ1rQqmlDQpE41XNTuO2qLqiqBxAICYqiYphR7r72NL7/aATZmSk8+tJ4Vq8rwuUSVsB6GEQiMxQtMzEMax8pZXnjeWFRGEW4UDUFIySpkuFBCEFRcZiikgimqeFxOTBKJRlpHoRQKS4JU1QaRgiD7CpeTMPEMEyqZHgoLI5gSJNAUBKNSbZtDDPmx6Wc3rkO6ZmatbJTEcTjkpIyvfyeSJlYFahDSWkE05Ts3hvAECb9T2+IouisWr+HsmAM03SiaQpGQFIl3YsQgv1FQbsBy8bGxsbmb8Ex1NwkiqJABNZtKkTTPFw6uDUF9VMoyE9h5eQ78bgVli7fzwtvT2bHrjIa1M1m7/4gbpejvElcUxUUt9X0LgR4XBpOh6UbJYRAuAROhwqA06EiXOJPadFRVYVIyCqbDTu7Kz9PXsn5163A7/UyoGczep9Wl6wcJ16Pg5LSCB43VMnwYRjWsWhgShOHI4VbrjyFnFZOBo5vwlsfT2HV+r00bZhRWdXgMJ8PLreCogiEELicqqWnJbECJBklHjdQfYI9+4JIKcnM8FIlw4OixAmEYqhpgr2FQcAgM91LlXQvUmrs2hNA0RSEgD37Q1TL8aMqChJrocHUOZsoDRQxqG8Tq+csgaYKvG6tfHWgwymIJlaDJsu5Xo8D1auwaVsxpqlQNctPRpoHRYkSixmofsHu/QGklORU8f9v87U2NjY2NjYniGPIYAlM0wQvNKybha6H+NeoeWxeHWDOnN3c99TPTJyxgZ8nrmPB0sVceUFHpky6lK4dahLXowRDMaSA/UUhVi8rIhLTMU1Ysmo3W3YEUIRVNty4tpTN20vQNI0tO0rYuLqEaEwv1086UZhS4nDBnIXb0FTBxy8P4+fPr6Rh3Tw++/43lq3ZA05wOzV27ilm3pK9fPb9EjTVIBCMYpSZGLpJPB5i1LeLWTZpP5Omr0dKhfy8NEzzyL3dQkA4orNxUxnxuIFpmKzfXEQ4HAcTuneui2mG+OjLRaxeXMQnXy/C70ujbkEGHdsUYJrw4ZgFrF9ayodfLkRKF00b5JBfw0fj+jlMmLqCWXN3M+q7xRQV7+b0znXweKyVi6gw6psluF0+OrTMt2QysIRhy0I66zYXYZqSWFxnw+ZSYnEd05AUl4TRNJUt24sZ9c5ynnptIpqaRqe2BXRuUwPTjPDRV4tYs6SYT75ehM+bQtMGOei63eNuY2NjY/PX55i6xlVFgTK4dkQH5izawQdjpvHBmHkAOB2S3t0b0LpZHin+XB5/+Veeem0yGWleDCPCHY+Ppeep13L9Az/w469zABdg0vXcl2jRpB5zvr+aybM2ce6V72OlTUzueuI77nria756+0rOGVifsmLTyg6dAKQpUR2CxSt28vFXE/hq7HK6dKjJohU7aNmkAXULMpAx6N+jARNnLKX9gJfweVPQDcH/vTSRWMxg7OT5CJHCLY98D+iAwQ2X9qBl46qEwiYSgTioTGiaktQUhfufmcRL/5qAJTgGzXo+wcO3nM0jd3Vl2FlN+Oy7Fjz/1jief2sSYPDCg+eSmeGkZ5danNuvI6O+ncmobxcBUe64ug/NGmUjJDx5Vy8uuOETOp/9MqBTr1YB11/WAV2XeD0KS5bu54dfl9ChVV3yq/uJxKxxOTS48oHv+fTbGYDG+s1Qt8vj/Pv5EZzWsSYPPvcLuh7l5oe/BgzSUlJ46+lzqVs7layMhnQb04qX3hnPS+9MAXSeu38QNfP9hMJ/rgSHjY2NjY3N8eDYdbB0yM1O4cu3L2Ti9A1s3l5EXk4qbZpVo37tdHQdxn96DbPmb8bnddG+ZXXWby4kNcWFlHDfDadx4aCmqIo1FMM0qJqdgpTQvkV1Rr02HCktpfCkllb7VvlEQ5zQB7GiKMTC0Kd7ffz+KzANyebtJZzdqyF9T29IXlUfkQCMvLAduTmpFJUEadcyn63bS/F6NBrUySI353Kyq/gJBOOs27yXhnWq0qtLHTQNHE7lsNVBKa0m94sHt6Zdy2ooiopIXKcWjasRCUGK38WYt4bx7fhV7NpbSsfWNelxSgHhqFXGe++FcxjUpzEbt+6nReNq9Du9HqYJkRCc1bs+k764lskz1uHzuujfoyG1aqQQCkncbvB5nfzjkbNo1bQ6TqdCJJxQqDfgpis6M6BXfVTVsvwxDZOObWqQlenl8zeGEYnFEQicTpU6BVVo3iiTcEiS4nfyxZvn8+34luzcU0qHlgX0OLUmkeiJvac2NjY2Njb/K45d90BANK7j8zoZck5DS5lbATMK4Yi1Mq5T66p0al8VBMgYtGqVBSYEy+CUdnmc0iWvot4ngLilBp9TxcOwwY0SVjOU9yfFApaP4YlU/rZWyEGjupk0b5aZcH+2xqRHLF0vIcDhULlocGNruwGdOuaCae1Tv2HTSj1M9QAryNmzP8LufYGE6OiBGSwpIS8nhVZNs2jVJuuA62SEIRK1VvSlpboYeXFLa0xAMCDLrXqcDpUR5zctH28okDiFAqGwtO5PO+v+6FFLyd0SC4Ua1VO4+eqOmDFLqT2pi2qY0LF1Lh075R4wJj1oeTAOGlivop9MWt+HUMQKlGMxSE1xceWIQ8drY2NjY2Pzd+D4CI0KgWFIyorkAe8lsxFlQQlSJlbJCSsjpQg0VSEQlJgBa+VgcjWapfKuENchUnioq7OqKH9Kn44QEItLItEKr0Fr5Vxl/z4oKzHLD5DS8vJTFEEoIg/IUpmmJCVF5bvxK3n4xXG4HG5LDR/Kg0opJa8+fhaD+tejZI9xQElUUazFAQjLszFWbPkCSsChquVjNkwoK040eUmJolZkyxRFWPcHoNJcklY+8ThEo+YBc0wOL3nvKqMmmvDLiswDQsXKXoWi0niTYzpRpV4bGxsbG5sTwXFT7hRCoKqHj3pURQACv9vKmoCV8TH0RJAgLT9Ch9PaZuhYq9HEyWcCfOg8xUHbOShYqNiuHXR9FEUSj0P3zrV59fFzcKhqIjyqQEpo3TQPPWatpjxSlkcIgaKCV1WQQMSovK3ymA49Xi0PnA7dduh8Ko9fcPjC5pGPqTzeiutoZ65sbGxsbP5eHLcASyb0q5KVPCEq5BQsw2HJuMmb2LC5EM2h0atrHfKrpRCLSTQVNm0rY8qsjYTDcRrVz6FbpwLi8ZO3bFRZFPXgvqHKvotgWQkJKgyPk6bPSX2rurXSadQg/YifFYv+NyVRq/w2fe9c0hzp1E2phx242NjY2NjY/DkclwBLSqtnx+mwrPcwIRSu2G4YJr5UhWfemMrkmSsBjc9eH0Gdug0JBAz8mRoLlu1g5F1fAUEG9GhH904FWOXEk2vZvlXFtEySFRVMg0TpTySrXZZXYeI6ICASqXg/KUOgOUGPQSQqicWsXqrDNrlDuUbYkTClid+hMGnnDHr81IXqafnM7r+YLFcmurTGZmNjY2NjY3PiOPYAS1qN3WWBONt3lVJcGiHV76Jh3azyoCDFr7BpY4B/Pt6Pcb824p6nx1plKQNS/BrFxQaN62Uz98frOXfkp+imWd5MfTIhpSVPoKqCVeuKKCmLkp7qpkGddOK61X/l0GDpqkIKi0OkpbjRdUntgnRcTpUl64vIzPCgG5Kdu0vJzUmhdg0/4Qgcobr6n8eERBEQ0uP835IHcShOVKERN+JWWHUU8VIbGxsbGxub/w3HFGBJaZ1h154yLrhuDMvX7CYUiePQJDdd3pWn7u1FNGry0PPTeGfUbExdkJPtwzQFumGJlE6evIWHXxjP/KW7aNIgh6KSMhxqLieb36/VmA/BcJy7nhjP6O+WEAhG8PtcXDO8Ew/e3B2fX+WRF6bw0ju/IYSKNCXB8D7GfXIzUsKAS96hQZ3q7CsMsXf/HvKqZvLYHf25ZHBzorE/Vg41pEmqS+XZJS+zMbCB4Q0v5qvNX6AKxQ6sbGxsbGxs/iSOLU+UkCrwehyc3qUuD97Sg4mjr6ROzWze/HgupWU6X/+8ksdf/pYq6T4uGNyMLTtKgDhul0bJboOr7vmGmQs2MvKCtqT6XQSCJTgd6hH9CP8sDFPiSRE89+YM/jVqIlde0J7pX1/LGV3r8/xbP/L5D8tQFHj53ZkIIfjo5SG8/uRZnNe/E9mZXtq3zKNlkxqsXLueXqfW4fWnz6e0VOeae79i/eZiXE5R7rWY7Gf7T0gkHkVla9k+nlv+JK92fJsOVToRNaP4HSl2fGVjY2NjY/MncWwlQgkoEAjF2bmnlM++X8w7n86lsDiI1+Ngz/4Av0xbj6q4+cejZ3LGBQXkpKfywHNf4/M6WbtuP5u2bub8gafy6jv92LY4RKPu2xNWOCdPbUtKazVjpEzy2+xNqKqf2Qu3MXvhNsKROOmp6axatw+ccP0lnXjh7Umcc8UH5Odlcmr7mjgdGpm1nBRUz2T56hSef7Af1Vq5WbRkF++Mmsqy1XtoWDedcARcLoGqgCmtxvajYXkbqry++mX2Fe9lzObPWFa8mLgRp/cv3fi061fU9lcnapy8iwVsbGxsbGz+jhxTgGWYJvitrM1HX07gsTsu4IHbuzBw+Ggmz9xIeqobr8eJYcbYuKUIigvYuK0ITVNwuzScThVQ2barhOhuk/WbC9H1OE6nA0dC6PJkQAhrBaDHL0hLdWMYMc46oxFndK3Hjt2lLFy+k9M710aPQEF+Os/ePxDFYfLThHWM/m46Ho+Dd9sNRJqSWDzM5Bkb6CLymb90B1IqVKuaimFYwdWcRTv4aMw86hRkc8vIzhjGUcaFwJBQw1dA71r9COoBwnoYVdHI99XAr3mtUqsdW9nY2NjY2JxQjq1EmChjud0OwMU341Zw1ohRTJm9iUBoH8+8NpVz+zXG6fBy7X1f07zjW7w7ai66bnDroz9RLTeVXqe2ZPrcZbTs/gbnXTWKaCzIN+MW8+WPa/F4KsRH/2xk4ueaER1wudy8+M40Hnx+Ag8+/wsPv/AzS1ftRgGuvfcbHnh2LHv2BcmrmgIoZGf6kGZF6e/iW7+k+WlvMH/pWoae2Y7WTXMIhk2cPvj36Pm8/el4IlEDl8sqTR4JRShE4pLrGl7JZ6d/Tb6vBqWxUmKRKD7Vh0t1cahMq42NjY2Njc3/mmMze1YVCMANl3bE73UxacY6hFB56p7ezJq/hWq5qfQ8rSafvT6Cdz+bSyAY58m7e7NucyE+jwOvy8EHL53Ls29ks3D5Vvp2r4/P62T95j1kZniQ5skj0aAqgnBAMqBHHX58/wre+Gg2W3eUULdmFa4b0YEhA5sTj8KVF7Rnz74SJk7ZhKJJ7r6uHzdf0QXFbU2kanY2d13TlXWb9tG8US7Dz2sNCBwqlOw3mLt4O/l5dbnhsvbEY/DfWPOFdZNgPMj+SCHtq3TktKqnAxCXBgqV3HlsbGxsbGxsTghaMj+SzNBwhNcHvy+pMHuuku7h4bu68rDeFVzWe9df2wbiECiGQf3qMejMetZBauJHQqgIqmR6+MdTvSEGOLHKWRqYZZb33cnUOyQUQTAk6dGlBj171YAI4AHiEA5YfVNvPDUAzWP5BAKobogGYMK3m1i8YifBUBzDNHj09l5kV3cSLJTE4iapaQrzZ+9m2erNPHPf2VTJcVFaaKJp/1kR3URQxZ3Jh93frfBtxNLW0iW2DpaNjY2NzV8KeZifw71/tP0PF8f8N+eqvO9/s9+ROCCD9YeKcQJ0Q1JaZKIIgSyzzmJKS1lcVRXKArLc585MlMkEoGkKug7RQtPyv0t6EiItixwhEurnRxfaPJEoiSDLDEpURWCUyQPsZKJRSSgsy42bjZDE6VQY/c0yyoJh0lLcPPnKRLIz/Yw4vymGAYoq0OOQnenj/hv7cOnQNkQD/MfgKonACu5KQ3q51Y5AoCnHTajfxsbGxsbG5ndwnMyeK3sGWpGQWml70osQOMS7LnmsxAo0OOA4cLgEcZ2jNnufaJIefBLQtIPnI9BUkZBZEGia9fvT9/bmrmu7oigCVVHIruIlFlbQEncgGoU6BWk8/lB3wsWgG7+/PGoHVDY2NjY2NicHJ80TuXIsIaVEVQXFpVG2bC8hL8dPVhUvxkkmN3C0kVQeppSQmuIkM8MJCb/GeJwDtK6EgFhcEt4rUVXlpMnY2djY2NjY2Px+joshjbQqgJiVIgbTlOXvH7jvgSKaSWHNyucCSwvq7qfG0euCf/DiOzPQ1Ir9/2ySc4PEvCut9DMPmk/S+FnXJaGQJByxfpLHVN5XCIGm2cGVjY2NjY3NX51jD7AElqaVA7xugctp+fH5fQJVBZcTNNUq96kquF0ChyOxOk6CyylwOQ/cV2BldM7t15TSgKCoNIzmtjwALcXzYx71MeH3Cdxua7xul2XinMTnEXjcAmdiLj6vSMxd4PMKnE6BxyVwOASaBl7PydNfZmNjY2NjY3N8OIYSYaJcZ8BND//AitV7adG4GhN+W0tMN7ni/HbceV0nXnpnHh98OZuRw07hnL5NGHbDp6T6vTx3f1+aNs1k0eK9PPj8BGYt2EaKzwUYXH/ZKdxxSyc6tMwnPTWdhUu30/L0NykqDfLobb25bFhzAgGJ8t9oGBxHpJS4XYKPv1rBP/41jdUbCmnWMJu7r+1G/571UAT8a9Ri/jVqDms2FiIQXH5+Ox6+rRt794W54cHv2bW3lP49GpGZ5uHDLy1B0XeeGYTf5/hDfVc2NjY2NjY2Jx/HkMES1oo11WpSnz5vHW98NJ2GdbNxaSoPv/A1b7w/n4w0N8tXb2bukm14UgT7i4KMm7Ka/cUhlBR45MVf+WniQm4d2YWbrzwFoUjCER0ElAWjOJ2CxSu3UbdmFYKhGI/9cxL7C2OJ5vETl8oyDBNviuCjr5Yy4uYPyc1J4Yk7exGL6Vxww0dMnbUF1SNZtno3GWkenruvL6d1qs0Lb//ItNlbSMvU8HmcLFy2hl+mreO3OZtYvGIjudl+FFVUyF7Y2NjY2NjY/OU5phKhaUpwwxXnt0VRXAw7qzU/fDKMz9+6AFX18fkPSzm3f1PSU3OJRHSyG3s4/6w2CJGQYTCgWaNcQPD2p3OZOW8LQwa04tw+TTDDlkxBKBSnc9u6fDVqCOf0acHGrftZv7kYt8uSJjhRKIpAj8HHXy5CCBW3y8H6LYWk+D1EomWM+XEZQhP06Vaf9FQPo75dwqatRSiKg607S6mS6Wb06+fx1D2DWb56J+OnruGDly7j9ef64XRomLbkuo2NjY2Nzd+GY19FaEIkqmOasjxIkInudlVViEUNFEUSjuqgw559ZQiEVQ6Mw1m9G2MYsHbjHqbP38IXP85m/eZCRr05mFS/m7hu0rBuFqRBdpYXRSj4vI4/x19PWtY1ihBkpnvJzfZTpUsdOrfNp9/pDVm2eD+Dr/qE7Cwfj991Bms27Gfpqg3WeBVQXZCe5sE0rYxYIBQFBRQFzJNItd7GxsbGxsbm2Dguqwh1w8TndfH5DwvoM/QThlw1CsMMM/TMZlSp6iIt1c20ORu4+ZrxjPpmCabUGTN2GaaAx/85iW/GLeLSoW144cF+uF1+1qzfRzwq+eGXVURjQeYu3s6077cyZdZGTBnhm59XYpzgfiXDlDg8cGavRhhmhL37A9SolkY0qvPhmAVs3VHC7j0hwtEAudmppKc52bC5ENPU+ebnFWzbHuDexydx7b2j6HVqfXp2qc/193/Ktbf9RDAURVX//NWRNjY2NjY2NseH47KK0O9zEovpnNaxHiXBCKomeOa+wVx5QRtUBW6/6lRUFT4Ys4AOrfPJzUln7qLtEIaMNA879xRy6a1fccsjP1Ctair/d2cvfGkKU+dsIjfHRygcZ+JvW9i5J0BuThpzFm1N+PSduAhLUxVCJZLrLmnHI7cNYuKMDYy4eTSvvDeLzm1q0KppHp3aVGPkhaexct0ezrr0E3btDdCySX0WLNvBzm0hJvy2jrycFJo0qEqDOlnk5aTz/S+rKS6LJcRJ7SDLxsbGxsbm78AxlQiFEBCD5Wv2ENdjNG+Uxx03dCYvIxWnE6IxiATgmuFtGDygGU6HQqpfIxa3ZBvicXjm/j7845EBhMIxyoJRauSl4/EIQiXwxpNnYhhnoghQVLjnui4YpiV/ENeP1yX4XRMGKXj41lO5/aouFJVGyMrw4HZayuuGAW893Z/H7uyFqkBWppNorMIecOY3IytWCkp48p4zcGjWXGLxk8t30cbGxsbGxuaP84cDLNOUeN0OdqyVXHvvGEDltQ+mMW/xdr5/fzg+r8PyHBSCSFSSluIELANiIayABKBKmhtTgt+nkZvjtbwJo5YEhJ4IonQTqKTi/qcEVwlMEwJBS2m+ahUPhgmhSCLzJATBsCQ9Mddg6EDleV0CAkSlRFUsfgIHb2NjY2NjY3NC+MMBlhCCWNwgp5rgjScHoygqcd2kWtUUfF5nYp+KfZNeggcnaXQjEXVAeUBVOSiRMql39ecLjII1fiGsscT1itcV20V58HjgPKxm9mOZg2FIJNb1OLg8akqZMMa2PqPCG9K6hoYhEYpVhlSVA9XiDcNanSCxyq5JfTHDlJimScWKAuvYyvpjhmFaxx00JmueyckeKqZqSolpSIRy6HhtbGxsbGz+6hxDgGU1t2s+GDG4BULDeg7rEAodfv+DkRIcmvXwDYVNNE05JAhxu4RlLSPBkTCDPgniLODITfaHvC8pL5mS8Fn8vYGWEJCSLkARmBHrXMlzmBLcToHms4RfERAqTXx04hr7MhLbFEG4tGLVopSSlDTF6sZTQEYhGEx8nk+AL+lRlBhICIIha7uigDfVCoyMxJiSaJoVdEkJ0rSykFJaKzCPNl4bGxsbG5u/A8fWgwVgQlFxFE11YCR0GlRVAZnIaigiIeFgefIJQFEFCuBwCLbvCjDyzm8IRcK0bJzP43f1wud1oOsmHrfC4y9P46eJK/F5NO67qSc9uhYQLDOtz/iTME2JkRDhStr6qKpSkSlKvDYMia6bpGao/DJpE0++Op5a+bk8ec8ZZKS5MAz+4zyktCyGQmGd7yas5dfpG8nJ9HLPDd1QFYFhSLwewcp1Rbzx4Rx27yvhtI51uGJYO8Cy89m+O8hrz81iw5Z9tG5Wg+su7oDXo6HrEqdT8MmXK/l+wnK8bheXDm1Dl3bVMU34adJGJkxZh8TSLYvFDfr1aMgZp9UiHoOS0iiff7+GyTM30bBuFreO7Ew8bgWQ+4silJZFcbs0fF4HaSlOFEUQjkp8HsGq9dZ4d+0t4dT2dbjygraoqjjhq0NtbGxsbGz+Fxy7DhZWKcztUnD6FXACcayMR8zKZvl9AtzC+jQDjACEIxWlIX+KxuSZ29i5J8RDt55OinAkjKIlqSkO9hWFmbNoEyMGt0NxHluZ7ViRMjEfn7CiK8OaZ7DMyrapXgFxiITAmy5AWBkgr1dj1sKdLFlVxHMP9MGbrWCWQTh89IBCSonLJfht9nZueug79uwroXZBLndc0xXVqeJ0CLbvCnL25R+yfvNucqpkMubHeazfXMQLD51BaZnO4KtGM2/JWnKzsvnyp/ksXr6L914chNen8Pp787nhwS9IS02npDTM1z8v4bt/X0LXPvk88c/JzJi/nJwqeYQiMQLB3aSnuel3Ri0U4Jdp67n10e8oLC6lY+uG3HJlZ5xOwaq1hfQd8QHBcJRgMI6iQLsW1Xj2/n506ViNLVuDnH35x6zbtJOq5eMt5MWHe2NUKhnb2NjY2Nj8VTn2NJAJXo+DHbuDPPbcNIaO+JKHn5zKg09O5dvx63D4JD9N3Mit94xn4JDRjLzxR+Yu3oXbDfG4JDPDyzffDKNrh7oIBI5ERkdRBKGw5NZbO/LKY2eiqi6cDvWYh3ssWF6E8OXYtVx46VcMuWgM1982lmdemYnbDXMX7+LOB3/hnY8XEwjFefO9hdz2wATmz99L1/75DOjRBFVR+OrnFTz2xG98P2EdDsfRAyxFEUSj0KpZNSZ9PpJOberhcTnKM4NON3z05WLWb97Ciw8NYs3sm2jbogGvf/gbu/eE+XnyWuYtWcEtV/ZizYKbOeuMdnzx4xwWLNtFNC55+vWpVM3OYPG4G/npo8soLi3jzY/nYQTh2os78O2717J29o08eXdvnI4sTu9UF6lDJCo5o2tdJnx6FfVr18Dt1lCEdU8L8v30Pq0uJaXFXD6sLVcOa8+M+RsYeu1odu0N88UPy1i3aRPP3X82q2ffTIdWDXnzo+ms2VCM22XNy8bGxsbG5q/MMWWwTGlZ5ayav5fBV49m3aYd5GblMHbiGgKh3VwxrBfdT6nFA89OIBSJ0rxRLp99v5AJU9cy49urqZLuIRI3MfZBJBrHlPKA/iohwCyTFJdErGbqPzF1ZZoSj0cwZeZWLrj+YxrUzqVN81w+/mo+mekp3HVtZ5av2cvzb/1M0wb16HlqXT4cs5CZCxbStGFV2pyeRTyuU1hcxLX3fouVpYly42XdeeGhM4jH4UiZG9MEv9dBdk4mqqqgV2pKR4XZC7eiKH76dKtPWpaTc/o2Yf6S1WzcWsSi5TtRhMpZZzQkJVPjnL6N+X7CXNZs2Edulp9tO4sZdnZrahb4yMnyUTU7h3mLtxEphuHnNUWaIDSYNnczGWlu2rfJIxK2+r4y0lxkpGUDVrO7ENZChbQMJ9061+GDMTM4r39Tep9dE6dL5R//+pnps7eyZNUuhPDQt3sD0rIdnNuvCXMWrWHV2r00qZ/+v76VNjY2NjY2v4s/En0oMnHgH/oxATe89fFc1m3ayF3X9mHV9BuY/MWV1KtdiyoZPtIyNe698XQG9mpCx1Y1aFAnl83bS1i/qRCXC6RhIoQoX3FnmvKQQCqZ4ZGJlXJ/BhKrF2pPYZB4PIzLpdG+ZT73XN+Dfzw6gHgcLh3SnPYtmxDXDapX9XPntV1RVZ81NylQFAUw+MfDA5g77ioa1a3GK+9NZemq/bhcwgpYj4BhSKJBs3z+pimt6y+gNBBFEQ6EIjAiJql+J0IISgMxAsEYptTQNBUjKPH7XCBUyoJRyoJRhDBJS3FiGCa6bpKW6qI0GMOUJoGAJBaXbNwY5PsJKzjjtHr4U9REn5kgHpcEQnq5J2T5KkYdygJRpIR9hSH0mEnXjrVQFJ31mwsJhXWkdCAUMEImfp8LIQQlZRG7OmhjY2Pz/znyoN9/788fPe54n+8YMljWsn+isH1XKZrqYkCPBqTlOWmbls3icbfgdMCs2bu46/FvMUzBqR1qYxgGLqda3tztcmooPqsUJoTA53Xicgv0YEKOwCtwubSKfb0CtfiPj/qPoiqCSBjO7NGQa0f0ZMJvq7jpoW9RhEL3zg3o0CqfvGpuHA5BJKrj8oDToWIYJg5NRTgTF1z1MuzsFlRt5aJb57qs3rCNjVsKadMsi/JVAIfB4RC4fAJVta6T16Na3o8m5Ob4MWWYUCSOmqKwZXspUkpyqvjIruJDETGKS8KomYJtu0qQUicn00dOFT8IB1u2l6JqClKa7NoToE6NDFRVwUz0f02cvo5wpISzezeBShpkLpfA4dDKpR2cXku7TCjgTtwzv8+J5lVYvnoPpqlRUC2dTVuLUZQwoVAcNU1h644SpJTk5aScPEtEbWxsbGxsjoFj6MESlkaSB1o3z0M3wjz/1jTmTdvDj2M3cPblH/Lpt8uYOnsTm7ZtYMR57fj07XNpVDebWDzK9l1lmALWbtrP1F+3UBqIEo8bTJi6joVL96IogrJgjFnTdrJo2S5UVWPJqt3MnrqDkrIIinpin8XJfqdfpq1n49b9PPfAAKb/dA0d29Rm4owFrF6/D5zg9zrZubuIn37ZyLuj56MoJjt2l1K2I0YgGCWuh3j1/VlMHLOFH35ZgZQadWpmHnX1nCJgz94Qs2bvJBCMEY3pTJ+3lb37QyChT7cGmGaU196fxW/jt/HBmPlUyciiTs0MunashSlVXv9oFjPH7+Rfo+aiaT6aN8qlWr6Hts2rMX7qMr4bu4FXP5hFadke+nSrj9dDouEcPvlmKT5PGm2aViNRnUQRsHVnkGnzthKN6ZQFosyaY92beMxk8/ZiVFVl0fKdPP/4LJ585Vf8vip0aleD0zrVwjTjvPrBLKaN384HX8wnMz2TZo2qEo/bqwhtbGxsbP76HFMPlqooUAJXX9SB5av2M+aneXz/y0JAIzfHR06V06hXswrVqtbkyVcm8OQrEyiono2UJg+/+AuD+jbg7qfG8/OkWUAKIDn3qjdo2qA+88dey8z5Wzh35L9JFOh44uVxPPHy93z51lWce1YDyopPnFyDlBJFE2zaWsTPk2fz8+S1tGqax6Ll2+neuSWN62chI3DegKaMn7qcAZe8QVZmDqbp5IW3p6EqgkkzFuPzVuHxlyfx+Ms/Ak4evb0fTetnEQpb9T4hDgwbDVOSlqLw3Fu/8cp74wAPAD2GvsgDNw3isbu7cV6/Rnw3vhPvfTaN9z6bjtPh4u1nhpKaotG1Qw2uHt6dtz6ews+TlgEKz9x3Fo3qZ2LG4bn7+3D+dZ9y9hVvAZIOrRpz7aXtiMYkPq/C/MV7mTRjJad3bkS1aj4iUWtcDg3ufuJnPv9hOuBhy3ZJ57Of51/PXkq3zrV45rWpGIbOwy/8BEhq5Wfzz0fPpkY1H1np9Tiv/yl8OGY6H46ZgUNz8dYzg6lW1UMoLA8QMrWxsbGxsfkrcoxehIAJqX4XH/zjPG6+8hS27yqmalYKDetkkZ3lxjBg8hfXsXjlDvxeF03qZ7N9VxlejwPThJce7s/9N3SlIpkmSUv1YJrQtUMtpn99E4ZpIhDlGavG9bKJBEn0NJ0YFEUhGoIzezWidsGNKEKwaVsxNaqdziltC8hIdxEOwohzW1GvZhZlgTBNG1Zl994gbpdGtdwUOrapTlqKh1AkzuZthdSukUXrpjkIBVL8yuHLg9Iqu916ZReGntkMyq+DpGb1DMIhcDo1PvzHuUyd3ZY9+8po1bQ6LRpXIRyx+sb++Ug/hgxoxubthTSun0v7llamyDThtI41mPbVtcxeuAWfx8WpHay5RCISBORk+fj8jeE0qJODqlhjURJ/Pn7XGdxwWacD7k29Wpmk+FxM+/oqYnEdRQg0TSEvJ5X8PC+hkMTh0Hj/pXO4/Pw27NlXRssm1WjRJItIFDu4srGxsbH5W3DsOlgC4rqB06Fyaoc8IA+AeMzyFARBnYIU6tdtCIAeg4J8H9KEUBjq106jUf20A04pDUsnK8Xn4JQOeYd8ZDRMhWnyCUIIy8y5oHoK9eqkJN4EJEQjEIslldGhx6n5IMCIQ706qWBa2/M65SMT4+7UJhdMiMRg+44y1m8qRNOUQxr8JdCwTha1avipXct/wLZ4zDLM1nVLsLR/r9qQUE4Phi3V9GTpsWfXGkANkBUeiZaCvqROQSr16zQDYc0lErHEQvU4VM3yMuSsxuhxiEat0iBYqwjrFKRSv27qAWOKRcAwoWObqpUddojHKc9O6bqV/TzceG1sbGxsbP4OHDehUSkhEKgUHAjKH5jhiIRIxfsymlB0VywbnIMXzyW36QbEyg7ttFLEod52J4p4HGKxClV6iRV0VPYdrHwdZCSp9i6IlskDklSmKUlJURg/ZR0PvfAzLqe73BcweXKJ5PXHzyK/en2KDyqJJj9XCCsbVVaaPFagJiKhZNBXeUyVs0TJe5DEssARCaNuy28xViYPuJ9JIlGJGeGA5vzkvQkEJIY0SXbKCSHQFLX8MwxTUlaWVMMXh81cSWliIlGEgjgkvWedXyBQhHVNTGlWujZ/DW9DiTxk3AfPVSaurx1+2tjY2Px1OC4BFhxqelyZQx6elV4q4shPDiFAPcmyGkebZ5IjlbkOnktSRLR/zwY0bZiDpiqHNu5LSe2CTGIRgcOhHvEhmwyMrGD3UJmLo435aGW5ox0rhEBNBEsHB5lCgN+hkowHpQmhhEq7lCaKUJCJ3Q1pgFQOCIok4FQVHCrEDYiZByTEUBCkOK2VDqHEykavpqAIK7sWMY44pcOO98/AuhqCFIdaPrmoDropy8eWDHRl8hcbGxsbm78Exx5gSUtkUlFkxdMAQEoURSl/aST0rZLZqWTWy9J1kpUyMVZwUPnYkw1r3Gb5A9KaT+VtkqRkalLCACo0vkQiqJSmxDAFedk+alb3caRnaDSWKIkeZTyqCppqld80hyCuV1gKVR7T4cdrVk5ClV/7yn6LZvm9O/C+CAEpfmGVKytJOLg1wfrAFubvm0dUj9Iqqw1N0xpiSnBpChHDCjgFoGka0oBQYo4mEpciWFWyjlVFK+hQtSNV3VUxEmNQBUQNnW83/kANbwGtMtvgUAS/7vqNqTsm0TCjMecVnEtMmmioiEqB25HGa0gjMVfru5nMKiUzSslMk3UNQRFqeaap4v3DH3vYe4ZETRhfT9w1g3Wla6jiyqJr1dPIdKYSNaxyqsMBhg6a07q3pnnY09nY2NjYnGQce4ClQlqqy8pUaMLy5gNQBeFA8oEgSfELa7sJkSDohkTTBD6/ACEwYlbvjtMtyvuajhZU/Fkkg6CUVMW6ejoEAxXvqyr4fIm5CoiHrP4rRUl4GKoCPQZI0FwCqVu9aNG4POJck8Hn4cdjPYgjMZ27Hh/P2o07qVszl38+0h+hCEzT+uyU1MSYdAgGK8ZbPhcH5fcuFraCj5SE36Khg+q27l04YGWISBxrGpKRd/zEWX0a0b9nXYJBA59TZfyOSVww+VxKwsUgIc2dxuc9v6Vz9ilcOXMku4K7iMgwESNKw7RGXFbvCk7L6UrMkChCokuTK2YMZ+7G2TzV/XnuaXE7pVEDgYLXofDxhlGMnHAJDas35rc+c8n2+piw42eem/0kHWp1YniDIXhMlZgO8UrZL1PC1Xf9RP8eDTizdz1CIYmmVGSRpGlly1ya9TqZPXMIYVk1JTNNcdCtyiluVUFTre9v1MDKrAERHQx5pO+w9blPLX2ah+bca13/OLSv1okvun1NnrsqcWly95MTWbhsM7nZGbzy2ED8PodtiG1jY2PzF+CYAixFEcSCMOm3jWSm+9izL0B6qgeJpLQsSpf2BXjdKiCYOW8Xu/aWkeJz0aZ5NdLTNfbvjzFn4T4isTg18tLw+5ysXr8PRRE0rpdNRrr7pHqYSAlOp9VUPmnaVvbsD5KbnULH1tUTwQaEIzqzF+5m555SkNCxdQ1qVPMTCpssW72XopIoBdVSURSFjVuLyM700rBuVnnP1B9BERCLmnzyzSIK8lK5+coGoFhZK5fTanSfPH0bu/cFqJqdQqfkeE1rTr9M3cL2naVkZXoxTWjdLJesTC+zFu5G1w2yM32sXLsHr9dJ57YFuJ2CmA4uB4RN+NfoueTnpTJwQF3UiFU2XF68hExXJmN7j2dR0VKum3IF769/l1Oyu7AnvIdfNo6jcV4Tst1V+WTtB3y3+WvmD1xGga8GLk3w4vLXmL9/LinpqcTNuKWMKyUuVbA1sI/nlz9Nij8Ft+JGSklch7ub3s+XWz5HCIXZO+eyJbSTjlmdqerOxgCcDivYffvTueRk+Tj7rHo4ooKoEWfx3uWUxIvJdlWlmrcaK0tWYEqD2il1qe7NY1+kiOW7l7I7shuf5qdLTlfSHH5MCZsC21lbtpoCXy3qptRh3PYpmNKkY1YnvJqHg80HJBKnorAzvJ+HFtxLp7xTmHHmdJ5Z+iL3/nY7P237iWsbXk5ch96n1WHm/M2M/m4Bz9zXl1S/g6NUP21sbGxsThL+cIBlmhK3y8HSBUH6Dn+btJR0SsrKcLs8CAHhSBkP3dKfO6/pwvX3/8jHX8/HNHVA0KF1LT55dQhbt5XRa9ibmFJwdu/mtG+VzwPP/gQI3njyPK65uBWBQEU/yp+JlBJVE+zdH+Lqe77l12nricYkmio5/6wWvPhwfzIznFxz30+M+XExbpeLwuIgDetk8+OHF2MYkoGXfszufbsZeEZb8nNTeeOjCdSvXYffvhxJRpqLuG7N9SiC7kdEUQRul0aX9rUZNLg+ZTtMHA6FfUVhrrnnWyb8ti4xXpMhZ7bgpYf7U6WKixvv/5m3P5lF1aw0gqEYxWXb+Oz16+nRtQ5Drh7F3sIyMlJ97Nq7DxD079Gc9188B4/HQWGxTiRmkJritprWC+OEwxLV72REncsZXOsCaqXnEDF0EOBVvfg9Gnc2u5dfN0/gidbPcU7N/jT/tiXL9y2lTC/DqcGG0u08ufRhrm90M99v+4aYEUMIaZUOHYIHZ91DhiuTtrXb89vuyTiUiq+xW3WxZP8iuv58KvFQjN51+/Flt2+QpkZRME4sLklPdWOaktL9cdAFq0IrGPBrTwoDhZxWoztn5Z/LvQtuJx6Nc0fr+3i6zeOcO3kAS4uW4FA0SiIl9M7vx6enfUGG08djSx/mw+Xv0rZ6e3JcVRm75QeIwEunv84tTa+lNKKjKQf+r2ZK8ChuGmc2ZVd0J2O3j2dl8TI8Hi91U+siE6X3vgPqMGPeNuYu2mZLWNjY2Nj8hfjDS62EsAyaW7T10KJJDdxujcfu7EckGuSqi9rTrkU9fpm2nn+NXsiHX06ke+d6TPhiJDdedhpzFq7mzkfH07F1da4efgoQYVCfxvQ/vQFCqAzo0ZRzz2xEKCRPmuyVaUrcPnjqtd/44Ze53HT5Kcz67mrO7deMj76cxIdfLEJxw8BeDbnp8lP55OWhXHtxZ1Zv2MCs+duoVz+VVx8/k5rVq7Jxyz4WLt9Os4b1ePuZs/D7nAnZicTqPf5Y1s40JeFIDLNMYpgStx+efX0a302Yww2XdmbWd1czeEALPvl6Mh98sQhFhdHfLcHhUHnhob688fTZXDW8H43qZZOZ6eDKC9oSjYbIz0vl+48uZ1Cflvw0cTZf/rSCtz+eR06rByjo8CSlZVEe++evpDZ6iOZnvMzewhDp7hRqeXPYXrKX22ffiFtxc1GdS0DC/uh+DE3nvMkDEe8Jlu1eQpuq7antq4MAHl3yCE3TW/B/rZ4moAcsvTMp8GtOZu9ezOhNn/Bhl1FU81TDxEQRarn3k2lKYkaU97p8xIVNLmb8+rHsVXbw1geLyGn1APntn6C4NMKTr04irfGD1On2IrmyPve2eBBM6JTVhRF1L8OpOGmf15Fr6l+NlIIRdS/nnmYP8Hm3rzkjvy/jN41lW2g7Ari9yZ20zmvL/J1ziZtxPuz2Mbe1v5sOVTqiG4euaBQIYqZBlsfHA80fZVPJRgb82IcPl73HoLrncUZuN0IJv0czIAmFY+X9cDY2NjY2fw3+cAZLCNB1iSNToWqVFJAq/Xs05KHnf6Jb59rsKwqzePlOZi/cgqam8ODNp9O9bz5dWtbi8++XMWXORmJxg4du6cm7o+cybd4WSgMxpDR59Pae5GS5KSuVx1Q6O15YTeQKkVLJoqU70dQUJs7YyPip6wCoXaOGZRETMvlt9hZ++HU5H3+1GLdLQ1HchCM6iikYPKQhaakeel/4NiCZ/9OttOmcRdluiZqYpqZVlO7+CEIIFCGs8ZZJFizbgaamMHnWJn6Zth4Q1K5Rg6LSMFKF+2/szpOv/sKw6z/C4/ZxSrsCIlEDxSVoVDcbIUxuvuIUzhxejwy/jx9+ncvMBVt59I5u5GRdTFyXXH/f95zVuxHn9muM06nh9zlxAJtDOxk86RwW7pvPqJ5fcnr1zpg6uFQXGHBpgyvonHMK327+isnbJvL55lGcnX8uH676FwVpNRk0qS+BeIB/LH0OU8JjbR/g+RVPEw1EuGXudSwuWsju0G46jW3JlD5zcCtuomaUJpnNuKjRUMr0AKNWfcTG/Vs5t29LcqtdjKELrrv/Owb0aMjgAU1QNZXsNC9XZV7PKyv+wdx9s5iyeyLBWJC7mz1I3cwCtpbsZcquX5m5ZzrvrnsbQ+ooDoWwHsKQ0CKrITmeqlT1V+Wzbt+Q6XUzQlq6aZHDBFgSiUNR2R8J8vTSx6mRUpN7WzzAz1t/4ufNPzKx/nROz+lCwDATiwr+/P8HbGxsbGx+H8ckFiQEYFir0BRhmRyrioIeN9F1A6/bSa38DHQjyISp6zBK4ecpayksLqF61VRME3JzXVw8uB3vjZ7Nk69O5MxezWjbMptAyckRXEFSZFTi9guys/zoRpjzBzZjzFsX8tz9fRl6ZlsG9mrElBnbePm9CdTKr8LWebfw6O09EMJAKIALdm4K8dr7s2hSP5eGdXO575lx7FgfxOkQGIbldThxxiaGXf8JT/xzMqr6RwdslZfcPkHVbD+6EWLIgKbWeB/owwWD2tOzS12MGMTiBg/e3Jsx/7qY8we24Ndpi3npnWlgQjSmI6XKFz8uZenUvYz6ejG6blKrejq16qYxfGgzLh7cHMM0adUkj6HDGzOoT338Ho0twR2cP3kwK/cv44Puo0h1pPHPZW+gqKCg4JAO+lTrx8jGl9K3+pkEw0Em7foVr8PBlU2upU/1/uR7C3AIjcbpTemS04GYIemZdwaXNbmSeqn1SXNm4HP4GZg/CJ/mKQ8ufZoPzKS5toYRhzr1Uhk+tDkXD26GaUpaNs5l6PDGnNe/AYaqk+p0cFn9q5i6ZzLXzxhJu5wOnFGtJ9KQfLrxY75YPprzap3PpvM3cEHtESiGiiY0VAGmDiE9hM/ppyRWTEk4SlnEIKwfYeGCBIeAHaFdLN21iI7Znbi2zZVcVv9KigKFTNk1CUWhfCWqjY2Njc1fj2PowQKf18GSGWF+nb4E0Hj7kznohuTB53+hapafOYtX0bt7XVo3rc+Tr/7E+58vZMeeQpxOlbuv60pqioauwxXD2vLvz+aye+8+7rzmQqRJuUbSyYKVsYNbR3bmtznruOfJcbw7eh6FRRF279tPkwY5tGmeR4ovjWlzN9HyjDfYszeMYUjufWoczZvkcNmtX7NizSKGntmHaEzn2/ETadpjG/PHXkdejh/NCR9/uYjvxs+iW8eLcbmhrOz3BZpSSkzTKq3qcbj5is5MnrWWe58ez3ufz6eoOMKuvYXUyBtM9y41uPfpn4EYl57ficKSCKDQpEEOUiTNnjW+G7+SH8avwSREq6YNuHxYGyIlEl2X6KakUb1s0lLd6MUmpWUGmR4HV828ktnrZ0AK3D7/Jvbt30ujak24oPaF3LfwTuKxOBf9NoSrZvopDZXg9Do5r2AIfs3LO91e51/LP+TFpc9SFi5jpVxBIB5CMeGaRpczsMY5XDvrMtaVrCEWibG+bD0+h8p9Cx5h/e51rFfX8eDcRxizZQzxQJy7F95K68zJeDUvcUPSsG5W+XiDAdA0lWhcclm9y3h55fPsLdrDCx1eJtXhxjAh31sD3PDxhvf5dedYdoR2ocfi3Djnaib2nkqPCd2ZtXUaKNDkm9rUT2/It6f/TL43l4hhHJrBEpKYKcn35tExvzNj1n5Gq09Xsqp0NSkpqZxTcC66aWUjk9IeNjY2NjZ/LY6pRBjXTarmubj96t5oioMOrWtQu0YmqX4n2Vl+OrXJY8iAZlwxrB3/+nQu6zYXklOlCef0bUK3zjUIhy3toLbNc3n50bMoKo3QoWV1y0PvJMleJVEUQTQkObV9dSZ8OpKPvlzI1p0l5OelcXqnWpzepS4et+DzNy/k659XEg7H6H11PXbtDREIRqmamcplQ9tQXFKPjq3rEI3pNGuYgaa58bqdODTBvt1x5i7eRv3ajRh5YWuikd9nH2M1ujtQUgRqUCESlpzSthoTPrHGu2VHCfl5qXTrVIuep9YjHoUHb+5JUUmAHbtCOB0K/3hkCCPOa40AUvwuhNB5+bHBCMVAmgrn9m1KbrabUMTSOXOp8Muoy3E6VfSogtMhiJswos6ltM/sgCEMokYUdx0XLbPa4FZ9XFZ3JPuq7UUXOnEzhk/z07VqN3rlnk5QN3FIkzRHGqfn9WRQ7fMIx8L4tQwkglDMIKZHqZfSkPqNGuEQGm7NQ9yAU7JP5e52DyAFdM4+jQxXFfZW20uuPw+n5kYIBacDJnx6OU6HNV5Ns3re4qakwJfH6x3fZe7+WQwqOI+wbmXBzi0YzEfdP2PCjnG4VDe9q/VmSfFSqjizAJUhNYdyWnY3VEUloofJ9eaRoqViAk7lcGlIayFDqsPLqNO+5M3Vr7K0ZCmtMjswvO4IWmQ0IaJLFBQUv8DjdlraZcfji2xjY2Njc0I4hgBLEIsZVK2p8Pz/9bF0fMJw7rn1wcTSVHI1QS+xVkw9/nB3iGHtF4FAUJaviorpcP3lbUBCOHQcZvU/QiiCYEjSvFEVXniqlzUfFxCxxh2OQt8etel7Rm2r+Gpi/alArATuuLmj9ToMCBg8xPJnDO6TaE5YvmY3azdu582nziclXaOs2ERV/7vHqmGYxGIGcxdt5tsxa+l5aj2UxHibNazC809WGm8UQgFLt+n/7jjNei+eOJFi+UUunLeXtz6eiZTw629ruHp4R/r2q02k2NLtSt47KSHF77AES6WlsB4zYUS9oZCMLZJT0CEch9tb3FjxnsCKYnQI6hJVKBiGwpDaZzOk/tkVNjxxCOogUKnmzeXFTs9UTF5CMApn5vfizFq9yj+rv9qj/D6EownTnoPGWy6uKgQhXTKs9jkMq3MO4TjlBToJDK87lOH1hiaVUBmsWmMLReG25gfNx7TEYaOGQdSMIGRykqJ8H1OauBQ3+d48nmn/BKZh6ZUhIRCXCcshyc8/bGTyrHWYpp7IKNrY2NjY/BXQKqt9J1dikfjzcJWJ5H4kLTxisH93BIfmQFEUzBKrPJVU/9YSXimRPbJcHVwIgUOrpK6N5aMnpRXEnAw2Jkci6d1nhqwAMVmOU1XLpqWstPJVrLiGqqoQ2Wspflur4qR1rRAoqqUsXrN6Bq8/OYShA5sTCXCA7+CREEJgmOBxa1wypA3LVm/j23Gr6HVqvf84XrACXbOsItiN6wYZmRrrtxSxfvM+WjSuyZxFW8nLSee0jjUx5aG+gQdrlQmgLGYc4LEHVrO3KlRKI/ohZa/kNmtOieOjFcerQi0vtelSEkn642CtytMUjUDcwIiZ5fubcbNcOV8TFf+WOJK2mkAQiJsJlfUDM0+lMb1c0V1gqbUnz3vwfExpkO52M3bzeO5bcAeqklzlaO2jCZVILMpDrf+PC2oPpjgSx6E4MPWKsVvuBjB+6npUBS4e3B6vz4Fpnjy6cDY2Njb/K5IxSOUfZKVYRVZ+0h76/gHHHWE/jnCuyvse7tz/Lces5C4EODQVh2Y9kCqX9io/ojTNsv1I7EY0dqDth8NhlW+EsBTc43FOWhSlIsg4ONiwMk6HfwJqWuWASRxwfWIxqJbr49or2xBOZP1+D06nynP390FIayVi3Kj4chxtvJW3AbicGuEA9D+9Ad063YQ0TRAKPo9mNZEf5rMP98BXhXpIkJJEE9p/FPo62vECgUNxHPK+IlSUSscoKIf9nKMFKEcyia4coCXHd8C2Suc0pYphQk1/bS6sczGqUA9oWFeEQlSPUT+1AYasmMuB87VO+PS9vYjrlC94sK1ybGxsbP4aHDezZzgwUqz8EEt65a3bVMz2naUoiqBJgxwy0lzoupU9KQvEWb1+L4FgjOp5qTSok4munxwio4cjmcVDHPoMPzhiruz7d7jfk/vE4xDZZ6Jqyu/utzEMUBXYG9uHz/Dh0Ty/8wyVxp/4M9VvPfgFVjnR7rX+71CEQtSAZumNaF2l0eF3SiyaiJoc2a9QWv/YUBQ7sLKxsbH5q3FcAqyKMpj1MJCm5TWYDI50w8TnVbji9q+YuWAtmurlszeGce7A+gT3GWSkq3zxw2ouufUzwGDImW355OXzAHFEA+Q/CyvlaPkoKsLKNCWDRLCELjVNlF8HKlnSJP3qhLCyTIZhrdRLHmu9//uVM6Q0cauCZcVr6TXuVKr78/m51yTSnWkJg+Q/dgH18iqcdRNOottw0iOAmCmJGOZhr5vk6GbQlbHLgjY2NjZ/PY5JBwuwNH00BYcGkahBUUmMYFjH5ax4IqSlKITDkn8+3pfbr+qFbsQxTauY6fVoSFPQtWMtvv33pWRXyaC0LHrSPlAUBfx+QSxmUhaME4uZ+H0VZsxejyAcNigsjhKKGJSUxtF1E0WBYNhykTMlFJfGMAxr/2PODCV61h5f8hD7yvayN7qXiB6xbu4xnDtpBi3s4OoPIRCJ3rFDf1Sh/teB78n6/4KNjY2NzZE59gyWCkXFYW599Gemzt7Inv0B8nJ83HdjT64Z3hbDgI++XMFrH8xAEQqZGV6EUDFNE9ywbnkhz731GzPmbaFjmwIM01o5d1JWo6REUeD5N+fy6vsz2LytmLo1M7nr2m5cPLglDid88MVSHnv5V3bsCpDicxEIhRj3yZUYhmT4TZ/QsklN9uwLMH/pVjq1zeeJO/tyWscaRGK/T5IhiS4NUp0qH6//gul7p3JW/XOYvnuq9fAWJ+VVtLGxsbGx+dtz7BksAXHDQFUVLhnShm/+NQKXy8FDz/9KMGzwy7QNXHzLR6xevxe3R+PHX1cipY5DUwmXSq6482s+HDON6lVTmTprA4VFe3G7tJOu38cwTLypgjc/mc+dj39O1w61+PyNC6hRLZWr7xnNuCnrUBW44/Gx7N0f5IN/DOau67rSoG42iiKonZ+Oy+Vg7KR5aJrg+ks7M2v+ZoZcO4qdeyw1dylluVCo+V9cAInEpSgUR8M8tOge7mv+CH2q9SdoBMl0Zf6hgM3GxsbGxsbm2DmmAEsCmODzOmlYN5tJMzfw6EsTKS6NoiiCXXsCfDt+JSB5+5nzmPjrxdx5TTcgis/nZM2qQuYsWsWAnm2Z/OMl/PThJbjdaURjBsdU2/ofoCgKsbDkm7ErUBQPe/eHGPPTcsIRS/Rr3OR1CBf07d6AQLCMGx74gbGT1nJG10bUyEujVnM/rZoU4HT6+PCfQ3j1tb4MP6c9hUX7WbBsJ06H1Wvj0AR+v8Dn+S96c6SJSxO8s/ZtNhZuIGZGGbfjR3RT56a517IjuBeHktRgsrGxsbGxsTlR/OESocTStCIFXnlvNo//82tGXtibW6/pwM33j2P2wu2kplSsEhTC+jQhrAbwVL8LQ5pAIlvjSPb6CJwOFadbEIudPP0nUkoUVaBqVvd680ZVadkkl7JAjP49GtCtYy3iETi3f1Ma1s1i845CpszYzKQZiwHJc8/0wDAMDENn565SCgp97CkMAgopPpcVXDkE6zYXMXbSGnKq+BlyZtP/uHpMSgjEy6idVocP1r/L7vBupITZ+2ZiYqCIxIrFE3GRbGxsbGxsbIBjLRFKCQrs2RcABMFQnB/GrWXJqt2UBgoZ9c1i+nSrh2ka3ProDwwf8i3/+Nd0TFPywtvTqVY1lSb16jJ24mKGXPAlF934OeFICdPmbmDSb9twuzlpfNiklGgOGHZWC0ypM33uZjZuKWLWgi089+Zklq3egyrgstu+5MufltCrWx0uPKclICguDSMT3nKGEee8q0fRue+7jJ+yiE6t69OuRR7BsIk7Bd76eC53PPYJ8xZvx+WyViUeCVWohOOS+5s/wG8D5nJl/WvI99bAMHTOKxhKpjOD+DGsIrSxsbGxsbH5Y/zhAEsAqqJACK67uCPnn9WVX6ev4bUP5jG4f1NaNanNus2FnHNmQ569fzBOh8L4qWsZOrAZHVs3pqgkTIrPxSevDuGMrk2ZMnsNWZleBvXpQHamh8LiMP+FkPkJQ1UVgmWSS4e24M2nLmRfUYhn3/yN6fO2cvnQtgzo1ZB4FNo2r0ZZIMLdj/zCh2Pmc1bvNtx5TVcUl9W4n5mexaA+TXA7NW66vAefvTEMt0tDIAiXSWbO30paSi63XNkZ0/jP40rqxksp+XTDx5TGSmhZpRVjt/9AQA+jCnGAyKWNjY2NjY3N/55jWkUoBBCFerUzGf36eZQFTFL8ihW2JZ78oRDceV0HbrysA6YEr49ygc5QAJo1zGL8JyMoDZikpiSOFWDEDvS8Oxmw/Bfh6hEtuXp4S2vMqVYUGItYopBf/+si/F6V4tIYIKiS6SAeg5XzC9m0pRChCAb0aMA/H+2HL0UhGoZI1DrP3IV7mLt4I7eNPJ3adVMoKzL/o12OEAJDQhVXFWYOmFbh7Yfl+6cfRcjSxsbGxsbG5n/Dscs0CIjHDQIBBU1VCAZluc2LwAqQApW87iyvvopt0ZgkIi2rnECwItdyMvsRBgJWU5NDUwiUyYRopNVn5nKqRGMSv89p7Rs0cWgKT7z0G0tX78DldHH+9R/zxhPnctlFLYhEJaoiME1LZPTs3s254bKOxEJWY/1/iwQCMbM8WyUQR7R9OdEk/ftOyGclGs7soNKi8vfBxsbGxubEcVyU3K3GdZFQnBaoB/1dngyupDzQqzB5rEionZ9M2aqjUaHafuiYzfJeK+u1mgiS7rvxNC46pyWaKhBC0KxhDvGwSLyGcBiaNsjimw/OJxK0bHN+b3xpPUQT/z2BwWnSUPlgDGkgEIksm46a8POTyAN665KLGw45L9IyVT4oWDSlWR60HWzM7FAEJkf3cjyZ3AEkEkOaKInrVPk6HHydgMS9VQ7ZfrhrmLz+ACbmAdfJMi21jrXlPGxsbGyOP8fVi/A//T19tO1/xb/jDzfm5HuVt5kmNKyTQZNGGeXlu2iipFh5/7gO0WITRVH+0PVwOoVlCiwhEv39x/9RnA6BYR7olycEpDhVkJY9kKpqhGPW9F2KQBEVYrKGhLhp1Y2T05ZInIrAoapIE0JGovopJX5HopRsAgqEYtYxqoD9sWJcihuP6j5i55nTwSHj/TOQYM3RoYIBUcO6FmDN1Zm4TgccIyFmHnod46Z1bOW9k9c/ecJwvMJD0+mwDNhN0/re/dnXwsbGxubvxjEHWFJaIpyKMJOtVdb7WNkqIUS5eGZyezLjJSWWojuVM1mJf1Unjj0ZMaVEVppP5bFKmdiezCwkjglHBHrQtBZeClBUpTyVolbyIvxPPVeHQ0rLwmfNhiL2FQbxepw0a5BT/mw9+ngPvDdAeYBnGImnbuIekji28kNfCNi6I4Df7yTV78QwrJJnxIjx2qrX+XLzF2BCz+q9ub3J3Xg1N+vLNrMvuh+HogGCXE8u1bzZ6KaVeTKlid+h8Prqd/luw1fc3OJ2elfvQTCu49c0xm7/lX+ufJHSaAkDCs7ihoa3kuJy8Piipxi15iNOze/OKx1eIWaaqKgHZL/Kx+tzkprixJqiLM+KWZkkBTMhISJQUBKvJWZFCTvxvnV9TUysLBSI8v2OZocjpcShCjaUbWbUxg+ZsWcG3f9fe/cdH0W1NnD8d2Zmd9N7QkJJIKE3qdKrFFEEUQQbVuzYRX3Vey3XXq+9d7CiIhYEKYJI7733ThLSt83Mef+YbBpFgXgFPV8/+bjZmZ09MxsyT055nrTe3Nt8NF7Lac+G/E0UBoswNANKe6sMzaBhTGMMobGuYCt5gTx0oVEvKpM4TwxB28YQGkHb4j/LnuG77eORSAbWGcztTe/GJQyEATv3FLFt10HCwlw0qJtIRLjrpEvuqyiKcio7oQBLShAuSIj3OD0KBmBRdqcOesHvl4R5BEaYcLbbIP1QUiJxuwWuiNKbnwW2CZrHebHlc3phTrYYy5aScI9ADy89nyCYXvCHelF0nCShoVqMJiDB74WouNIhmmDptXMLkOAt4rhvblJKdF1QWBxgyMix7N2fS/+ezXj/ufNKh20l4WEV2muCWeK0VwAet8AIbZOABYESpxB1dFzpZ2PjnI9d+rn4nOsgsAkEJd3Oe4s7ruvKLde0pTjfIjHSzevr3mL0jNtpk96OHH82j819iFh3LCPr30j/Kb3YUbjNCa4tCI8IZ2TD63m81ZNowoVH11iXv427F95KcV4xnWp2YUCd3oTpOgtzljF02mCkZlM3KpMHZt9Drj+HZzs8Rf2YhqwvXEfMwVjCwnTCbB1pgtdyAncpJZYl6TH0bW6+qhO3X98ebwFEeHQ87tLPRpYO/ep62bkXmzi9ZrpWtojANsFXOgzs9KhpzvWRlOZKc4pl++3D5yCzsXHrOpP3TOKttW+yp2gXYa4whHB6ruZnL6XX5E5YtoUdtMvW+0Z6opjW7zeS3Mk0H5+FpmvIoOTMjLP5ptc3yNLaoC+seYF/z/s/emf0RQAPzbsfn+XjsVaPID0wZdZmnnhlKtt25fPmk0MYeelpFOb//qIKRVEU5Y857gDLlhKPR2fHBov/e/QbaqYmsGb9fuqlJ+D3B8k+WMx9N/eibctklq8+yDufzmP5mn2kpURz8ZDWnHNmPZavyOXFd2fhC9h0aF2HenXi+PL7FQjgimFt6d6hDl6fPGnmZklbEhkhmLt4L69+OJe1m7Jp0TiFW67sQovGiVg2FBebvPTeAn6Yup7oKA+NMpMQmuDWqzvxwhO/sS+7iO4d6hEd6ea7KWvIqB3PPTd2J9xjYNnHF1AKACk4kFvMGV2b8P4LgxCAbUkiIwXzl+zjlQ/nsGZjNs0bpXDLlZ1p2SQJW8LKddk8//YsVqzZT1qNKDQN/nVLb5o1TOH2f0/DDFpk1I7nx6lrSUmO4obLOtKtfU0kAj1GBx/kFfqcot8pOokuHbxQL7o+d3e4nyfbPsq8A8vo9kM7Zu+fxe1Nb2VU49sYPftWHuv4ND1q9GL4zCG8vOQFLsu8mlbxzTAE3L/kHpLCkolLSXB6j6TEEIK3179Jia+Y78+aQp+07rT7vh2vrnuRO5v+H8Pqns+jiY0pCBZw7czrWJ+/nhub3Ma5tQdhRAi0aAF+yCvwgZS4UnTiw2DL3j28sOgZsn0HaBrXgg5JHfl86yf4TT9npw/igrpD+GjTZ3y3YzwbCteTElaDW5veyRmpZ6AheHfDGCbu/I4eab1pl3g6z6x6AqTknhb/om1iS3ymfciCA13o+EzJ5VmX0TutD70ndcatuRGA37JoGd+Ei+qO4KMN7/Fln28JMzR+3TuXp5c+xkF/LqclNuGVjm9xz+I7CODnl73TWJi9nM4pbfBbMGnXRDSXxvheE7GkSfzYMGbsm4amP0J+ockVF7YgIS6codd9RCBgqUy0iqIo1ez4M7lLZyipON/Pp98uwbZdpCZH8/3UZaQlJ7HnwEE0TeeBW3rS/5K32ZddSIvG6cxZtIPPJixkzEuX0qxhDb78fimFxQV4XD1wGzoffzUHTYQxsE9TTpJFcABYtk1ElMak6VsZet2HZGWk0LpZLX6euYGfZ67l+w+uonHDBC4a9QWTZy4hvVZtEmLD+WHqQiLCE7hqeFvmLNrO3CXL2LYrj9qpMXz+3S/0794Jy5KlgZVESlG2Eu5YJh+Hdo2JchMV6yI/2yIqRufnmds4/9oPqVs7ibYtazN11gZ+nrmGCe9dSdvTUhhx6zhWb9jLHdd0Y9O2XL75aRFXDmtHw0YJTP9tE8tWbwbCaZSVwvQ5m/hh6mqmf3EtSMmkGesxbYFl2UyeuRHzkQDhYeGMOO80zq51JmfXOhOhw9wDszB9Jm0S22O4BU3imoIGe7y7WV+wGtuyqRVXm0RPIoYB47f9xOQ9E/m46+eMmnctujAQhsAOwOKDC4iOiqFtQjs8hou+af1ZeWA5m4s2EO1qAwjW5qwiYAXZU7yTVXnXcsYFvdm0xMvkWWuxbQ3Tsvl51ibshy1iI8Jpf0YUE3d/x8bdGzm78SDqRtXj3fVvggmtEttg25LX1r2EkILeqWfwxdbPuOSXoSwbvJ6MqBTWF67jq81fMHn3RNy6mzA9gl35O+haowcdUlpiBw8NsABMCZFGGDXCUrGkVTos6fzxEuOJoFFsE5CwqXAT3+74irNrD+Y/7R8jI6ouHrcLgHA9nOfbv8x1v13Jj7sm0DmlDYYGtza5i9XZKznz515IJMmeFG5tcpczJCrB5RYkxoUDJ+9QvKIoyqnsuEMYTQOvN0jjjhH06NiQRlkpvP/8+Wiaxn/u7sPg/qexZXsu73y2kH3Z2Tx299nM+3kk370/gjBPGI+99AstmiTy3nMXAhq9u2TRqW0dwMOjo8/kgvMbUlxsnzS9VwKBkPDKB3MpLvHRqW0Gndqm07ZFbXbt3cYX369k9vxdTJ65nD5dT2Ped9cye8LV3D6yPy0bp5KVEceksZdx7SX92bBlP7/M3cyDtw3j2/cvJCLcVdp75ZQRiogQhIcd33mblkSaoVQF8OqH8ygq9tKpbV06tUmnbcs67N63k3c/WwQucLt0bNvPrn0FtGqaxpP3DaFjm3TiE9zcdX03NE3j9pFdWDTtGv770DkUFR/kqx9XsWDZLh59aQpPvToTf8Bi+uzNPPTcdF55fw7FJQEC0sKlwSebxnH77FGcXrsj1za8HmlCkVkMOry+7mWunn0le4p3E+eJx5IW/qDF/y2+iz5p/akTmU6RWcSGgnWsz9mGJqAkWEK4Ho4lLUzbIsKIREOjxCzBEBp+y09SRBLzzl7APS0fIDtvP9v9G1mweA+PvTSFJ1+bic9vMmPOVh5+fjpPvz2LTE8jxnb7CiPMoHFME85NPx+35ubGFrdwZ7ObEQhGN7+fVgltCMogSWHJ5Pvy2efbi23Do60eoW9Gf4r9xTzW+hmWnLOUxeet5vKsq/AFKZ1DdbifKQjaFl7LC5SvmgytDvRZXpBw35K7mLP1N1zC4IHT76NuZF2KvSZjt34IQIqnBm7DzZdbPyPP70MgSQuvia3bzD3wG/Oz56DpGvWjGzhD0UIgbQiafyCTraIoinJcjNDUH3mEr6oqbZeABoYmCPMYpCZHY9uSlMQoIsMNTNOmqDiApnlo17IW4Qk6HdrUISYqkn05xWTnBhjUryGZGXV4+vWZNG2QQkJcBNdc0hZ/wcmTtsHprRME/ZKCQh+67mLPvkIKi7YQFxvOVcP70rtLJrv3FgIWTRvWILVeOHjh+Uf64isG05TEpLoY0Ksxb30yH6RNu9Nq4YnXKM4GSieqF3uDLFmZQ5hHp0mD5GOemyVEeQ6sYCDUXoO9+wuZOW8LsdFhjLyoHz061cM04dHRfXj/i4X8Mnszn45fgqELYqLcXH9ta6QtsW2bhplJRNZ00TgrGU3T2L23gCce7MVlQ9vgD5hkdn6Wu67rxn23dMHvd+aFRRiCjzZ9zjUzL6dn7TN4u8uHeDQXQkKsKwaC8HbXDxlR/xKeX/UC98y6gxfXPMc9zR5gbe4qthVtZsqen/BaPsas/4B4TwIvdX6OWpG12Zy/Eb/lw3AlsK5wLbawqRVRB5cmkMImK7YhSbGx1InMQBiC/AI/N13VkSsubUnQb1Ov87PcdnVn/nV7t9LVlhattJZ0q92DL7d9Ro4/B0MzuKb+jaDDjD2/cdXMS6gRUYNB6eeRHJaC0ARuzcl15nI7c93SYzO4tuGVCAOSPQn47KOniwAIM3Ri7VgEApdwobk1DNPpVXLrztzGGf3nMmXPZGLcsYz4+Uoeb/M0JUEvSw8sRtcNzp8xkAg9gg3561iUu4A+tbpx/5LRFAYKWHfeNkrMEjp+14o7Ft7MjDOnIQNOj6nquVIU5WR0pHjkaDFK1eeOFMccaZ/fjXeOst+RnNAgnMulUbTfYs+BfPIKvKxctw9Dd7F4xW5KvEFKfEHqpMVg2z4e/u8UfvxmM7c//CP7c/bSs2M9oiNduDxwy1WdWLF2K59/t4ibr+xCUrKbQPDwuZX+CkKAadl4ogWd2mZgWUVkZSRw13Xd6NMlkzUbc8nN89KhXU3CPHG8/ck8Xnt1Md9P2sy5V35On4vex7Itxny0kktv+ZR+3RpwRteGDL3uY15/fTGWZTqT56Pg/c8X0f/SV3nlg3m43MdXi1GWrgD0RAo6t03Hsoqolx7PXdd1o2+3LNZuzMbvN9GAx175hfi4CL4fewn/fWgQpuXj55kbEFZoRaeLfz83lfvumM5tD32PbWv079EQ6XMCQl3XyC/0ETRtNJfTKxKmCz7c8AlXz7yUSHckgzPO48Gl93PZrEvx20GW5CwGASvylvHDzh9YlL0ApHOuaRFxzB64gI+7fsFdTe/Do7kZmDGYUY1vQFowJP0CAt4A/1n+IB+t+5Rxmz7jtORWZMXUZenBlRT6C8nxHmDD/k2szluJlJIluQsJBEx0IdB1QV6Bj6BpobmceWqmDW4Nbmh0K9uLtvHBmnc4v+5wWiY2Agt+3T+DgsJ8zqoziDub3UG8Ox5pShblLMBGMnXnLHYWb6fILOTVtW8xfsuP5Pi9v/PZSQSwIHsFX275DL/tZ3vxNr7bPIncQA5FwRJW560EYPnBZXRN7s7mgk2M2fQBC3MW8MaGl/H6vfxfi3+zashaRja4AWEKXln9X3K8+ZjSJGAF2Fy4md3eXfgsr7OisUIqB7VqUFEU5c9z/JPcbQjzGKxbEWDluh2Am59mrCc8PJwPxi2meaMabNiyk+TEjjxwy2Aefelnzr70LUCjT7eWPHFvHwxDEPDC0LOa8dqH88jNK+aq4W0J+jmp5l+BE0j4CiSjb+jMzj35vPDOL7zwzhTATbNGNUiKj6BB/TjefOpc7n1iIjc98Dmgkxgfw53X9SC/MMjoxyZTXHKQeult8fmC+ANFjHrge87oWp+6tWOwTJg8YyNFxSaXX9AaXXN6QKombv1dUqLpTm3DO67rzPbd+bz03gxeem8q4KJpgxrUrhmLHYD1m3L4bcEqxk9aC9jUSI7n2ktOBx0M3Uk7kFYjmuffnE10lIuH7jiH889ujNfnJHYwDMFDt/ehe8e6mE51IDQBH2/5CNM0Oajncvvcm8AP/eoPIM/v5Z0Nr4OAF1Y8wwtLnwEdutfrxc2NbyNgQ6ea7Xhg3kM8tuRhhEvw/bZv6ZHWiztib+XSehcxY+9UPljzDh+sfoe6cfV4sf0bhHk03t/4NtnFB8j2HuDFNS8zafdEkPDm+te4NPNKol0Gmi546I7edDu9tL2AIXSKA5Jzag+ge2pPZu+dxW1N7sK2nXlSg+sM4cu0T3hxxbO8uPxZmie3QPPoPL/6aS6qewnXzL6cLQc3gwE3/3odqfGp/HbmYmLcqXhN87B/KAicOXb/t/gupm6eDOEwb/8cBk08k+/OmkSdiLp8tmUMCLhp1jVlfzalxqSyOm8Vb6x/BYDvd47n5sa388mWD5GG5NvNX3NZg6t5us0LXHDwHPr/2AOAWjG1eart807pJBFKDnus/woURVGUP+q4AyxdE5R4A7Q+PZzV0+7FMAxiY8J46LbehIW5EAJK/j2A1ORowsM1Rpzfij37C0mIDSczIx6PR+D3AwJSEsOZ+NFlFHuDpCZHEAicfNmlBWDZgphID+8/dy4P3NKT/TnFpKVEUyMpiqhIjZJ8GHFeM/p2zWLrzoO43QZ10mJISvTg98P876/H5w8SEx2GbUnuv6UHHrdBfGw4ugEbN+Uze9F2BvVrQ4/OtSgqlIdkvv8jLRUuUVZ+JzrCzbvPDOb+m3uwL7uYtJQoaiRHERmhEwzCDx9ehsets3t/IVJKmjaoQVpKBHYxFBYHEcLk7hu6071DbXTNIDU5nEAozUTpRPwH7+xKMAgBPxiajteEMV0/p7BDYahFAEQYkcS4Yvil/1y8ptfJt1W6LcmTTKThwm9Lir02NzW+jcvrjyw7q1h3LP4ghOmRfNT1U+5sei+FwQKax7ck2ROL1wsPn/Y4tzUZDUCiJ4m7m9+Pz/QRYUQQaURiS6ctD97ZDTPgtLdsGFoINAw+6foVe327aRbXlEBpGrAWcU345cw5rC9YT7QRTUZUBgf82YRpYQih8euZCygxSwAnP5ZH9xDvSQAEMZ4j/xMzLfi46xeUdCjGxnkzTWgkeZIxNIONQ3ZhSrMsA7uUEk1oJHgSuDhzBEErSIQrAl1ozDtrOQE7gCY0kj3JRLvczB60hFV5KxBoNIlrSlpYEgEbBBrCJRCaUEGWoijKn+SE82BpBtRLj8dlCEwLEuPc2DJUFse5Gfv9kqyMGBrUi0FKJweTr0L6hUAQ6tSMRojS/Ewn6S/9ULZ1IaBhZhyN68eVZcL2+Z0hzeISSWJCGDVS0pxcSJaT80vTBGkpEaXDjU7AlpIUhpTg9Ut0A/blFBEZ4eLeG7tiH8P8Y4mTsDUy3M2P01Zy7e0unvvXmeiaRiDo9AY2qBdHo6zy9vpL29umRQpCQMumiYCTe8wIg6+/W8/dj32LlAbX3zOOq4Z34IWH+lHsdVbEhT4jKaGwSFaqHSmBBE8syWGxldppSyfjeGp4ElXjxqANPiu02k6Q6IkjJTyubLtZmmPKlE6JnPZJpzmfhwXe0tdFuyKJ90SW7R9Tmlcq9L4hhYWV2wulE84lJIUlkBaRgNcqr5/otyQxrmg6J7dF4mRSrxdZC7u03SlhCWgioexYoXQbW4p2OBPMhVZpOE4IQdAK0j7pdBrHZmKHxVbKkhC0neuaEZl2SPoEKZ1etToRqZXOrXZEjbLPJGhDiWmTEpZIrZo9nZ9D6ZyHLSEiWuOTz9bw1OvTkdKuVCBcURRFqR4nXipHgs8fxLJcgMA0Q7+pBUFkaYZ2gc8vS1cwlU7CrnCHFQICwdLM5ydrdFUq1LzQ+Tjfly911zRBMCjx+8vPJ/Qaf6D82gAES6+Vrgm8JdC6WU1WTLmF2GgPPu8fm+QfqnsYHeXmracGs2X7QRLiI3DpGnbpxPmjtddb2s7QDVZKcLkE9TLiuf6yLoR73BQW++nYOp1gUJYVta7ocM8FbYnPtkprBjqHNzQDgcAfyhVAxZ+ByvUGg1LiN21s6QRPemngJRDY0qYwaJadh1Fa4zBoW2W9TprQMGX521TMqH649lLaGlNKgqaskv1dlD1fds1l6DWCgC0rBSimNIn1uFiWu4R7F96JruvOysDSnQxh4PP7eLz9MzSOq0dhIFCWGV4T5b163sNcp4rvL2VprUYh8FrOOSMlovQ4PsvEG2ozAkMz0JDYQWiQmcjIizoQE+2hR4e6+L3HVlxcURRFObpqK/ZcHhhVvBmIKvsc/RinkqOdjxCCqMjSUkClmcFN83DnWP69lM6cp/gYT1kv2R9vC0gpOLNnJpobsKGk+I+1t2wotsI2nw9Oa5xM29Z9nPu7BgSgxHv4dkkkyEOPH+M2ypdR2FBslpbkEQKtwvoKU1rO5OsqBwjXdQxDx7KcrOkaYEmJR9dwGe6y4xaV5pmKNHRsyuv1VT2v32uvs/vh80Id6fnQtorvYwgDnwm9Uvswpf+sQ8vlCKcQc5InmaAliHc7qwVtqzw7vESWBluHa38oYBWEGU52eau0lmHopCSSGFfl6x+6ToEAtGmeQvt2KWA6n7dlHdvPnKIoinJ01VKL0AzVIpTlv6SldCaGOzd/ZwgrNEyi66EahU4CT2SoPh5YdnmvzskadIXaHTpfvUJxZluCS5d8/t06fpq+FsPQGHp2S/p0q0tJiVNHKNQzZdtOD59eOotdSo45uAq9Tteh2CvxHTRxuzXcLr3seh+tvZW2lR5P1wX+ABQVl9aXLO2C0nRxyOciBIS5BaYJ0i7vyPFogrnZi5mxdwZBK0CHlM50T+lW+hpBsenHEE6PVrTLmWNUYoauoSTcEMw5sIiF++fRv86ZZEVn4rcsIgyd3SX7mbDjWwoDhXRO7UrnpNORAsZtn8Ck7T/SMqkV1zQYid+2MYRxSC3CMJcznF2xvZa0Sid+Oz1plnQinVDPUqjeYOii6kJHVKxFWNqTFHqtaUOkK4J4T8YRh98sCSVWkAXZi5mfvYCs6PqcVftMApZ0Uk4AJaa/rOcvNE/LpRnoQLHp5bf9C1mSs5jWiW3pXqMrAdsZ2nRrghn75vLr3hkAdKnRne4pnZzSPcLp0fTmm+i6IDysWmu+K4qiKFRHLUIDEuM9zt3ZhVN7TwA6+Aqc+UaagOhYDdw4te6KnCFBl0sQGen8BS79zl/RRnjp8FmJMzfrZIuxbOlMPI+M1ZzzDYK30OmlEgKkbeOJ08jOLeb7qevIObiPGskxnHlGXWIMHVzOuUoJWpgAs3Jv07EHV878Lq/P5Kq7vmHjlj00a1SHd54+t6wWoa4fub2ahrPNjfPZAcEiJ9CLSyidXG2CiAAs8BU6n5PTVolpSoZd/yUXD2nJsEGNKSqyiPYYfLXtW4ZNP9f5WbDBwOCzPt/QN7U/Q2cMYl/JXortIkrMEhrFNuH6hjcxpM4QgrZEF5KioI+Rsy9l3Y61/KfHUzzQ6m5MW7DHu49BU89i6b7FzkpHzcU73T7i8kYXsvLgCt5d+Sbt0jtwS8vrCZdgBpx6gE6QI7FtuPDGLxg2sAXDhzShpFjiNjQiXHpZW4M2uAznn4Zlgc+EMF3DMDSnR0hCIODM2RJAhKE5xbst8NkQ6TagdD5hiWkfthfKkhYxboOxGz/knnm3Uewt5pwG5zI4/UxsKdhctI0Rs4YRsAIUBPPx2wHcuptkTwrPtXuJ7jVP5z/Ln+aZZY8T8Ae4/rSbOKNmV4rNINFuNxO2/8hFv5yHLUqLqdsa73T9iIvqDkMLh/fGruDVj2Yhpc7Dd57BOf3qU1J88pSlUhRFOdUdf6kcwDA0inLhq2+Wk5wYzY7d+aQkRmLZkrwCL4P6NiEx3o3XJxn/4ya27TxIfGw4PTtnkV47nF27vMyatA2fz6RBvUTi48JZuGwXmibo2KYOtdOiS4fWqvGMT4C0ITxMkF9o8fXEdezcU0BG7TgG9GpIRJiGaUJEuMbcuXvJqB3DuDcvoc9F7+JxGwR8kp+mb+ZgvpdGWUm4DJ0Va/eRmhJF1/YZ6KU9FsdDExA0bX7+dSNNspK45erTERUKPRcUWXzz03p27M532tuzIeHhmhM8+E3G/biOTVtzSU2OAqBv9/rUrBHNhJ82YZo2aSnRLFi2k9joMM7s1ZDEeDfBIISHC3w+wQ/T1tKhdW30KEFY0EATsM+3jw4pnRjT/RMW5Szjwqnn8tmWsZxVcwBJniR+3vQTvTP7UDcqiw82vs3MPb+w4twN1I+qh9sQPLHkObYVbSUhMRFbWkjpBDnvrH+XpbsX81TX5+lXqy9n/NSD+5bcxeA6Q7i7+X18uvUjQDJ+0wQ2F22jf62zaRCVia1DmEcQ8MMPU9fRullNjChBpCXI85UwafdMcv251I6oQ2Z0Fguy52LaJs0TTqNZXCM2FGxl3oHZ7CjZTpwrnoF1BlMrPBUbWJy7imW5i2kc25Smsc35ZMs4pLQZUGsgiZ74son5FQkEpi3oldqTN7q+z20LbsSjewAwpU2cOwqP7mHh7vmc32A4WTHprDq4jh+2TGBnyXbgdIakn0ediHRuW3gjbj0MAF04n+vLa1/Ab/vZPfwgUkpqfZbA6+tfZkT9YRSVWPTtUY+de/N5+IUf2LYzD80Vyrl2kvxjUxRFOcWdQB4sicdtsH5VMVfcMRa3K5pA0A/oeNwG/kABq0f25b6be3DpLV8yacZqQl0omRkpjHvrIgoLglx4o3NDHNyvNae3rs39T30HCN58YhjXjmhF8CRJOCqlxPAINm/PZ8StX7Bq/QHCPW7yCos5o0t93n32PFKSw7j9oSm8OeY3AkGbmKgILMuP26Wza08R194znn3ZO+nXoz21U2N47/PJNMpsxIyvRpbOvZKlQ6fOje5YTlsTAo9Lp2WTNDp3r0XBHhtPmMbWnQVcessXrFy3n/AwN/kFxfTslMm7z55PrZoRXHnHt3z+3TJaNa3FgdwSdu3dxKev3kSf7lnceP8Edu3JJSIigpISLxCkfassvnrrIsI9Bpu2FeMPWkRGuMnNK2HjqoMETUFGzVguzbyC4XUvITk6knX5G8GGlLAahIfpXNXgWr5Y/ylX1B/J4DqDmbN/FlvyN2HaQdwGrMhdz4trnuGeFg/wwaZ3MW0ToTm9blP3TiIsKpxLMi+nVkwC59W9gHdWv8mmwk00immMIQyW5Sxh2IxhBEv8fFbnE6b0m46/QLAxp4hgUBIZ4eZggZf1Kw/iQmefewtX/HYRefl5dKvbgyF1LuCOBaPAD3e3fYDH2jzCRTPPY1vRVpLCktlYsJ6PNr3HD31+JtkTwytr/8uHK9+hYY1GxLhiWbh/PpTAMz1f5K4Wt+Dzmbg0V6XPSwiB35Y0ja1P7Yh63L7gprJhyaBtkRqRyGWZVzN392xua3oXU/dOpE9af4J2gDoRGZhBaJvUgkRPCuYC06ljKEI9rNC7Rh8W7JnLm+texZIWEUYEvdP6OkP6QUlGVjT9utfn0Rc9uF2GWkWoKIpSzY6/FqEAry9Im46RtG+VRUpyFK8+dh4Q4N6butOtQzPmLN7Bm2MXMmnGAi4Y2IZl02/i0dFnsXnbHkY/MpmObWvxr1v6AybDBjZnUJ/GaMLNpUM6cPHQ5hSfREMWti3xhMETr8xk3pJ13HxlJ75971IuOLslP/0yh88nrGTm3J28/P5UGmal8ulbw+l2egYQJGha1MuIZtybF9K6WUO27cxm8Yqd9O7cjnFvDSc60uOkbiiNqHRdoOvH0UYp8fmD2MUSW0o84fDkq78yd/Fabrq8I9++dynDzmnF5JnzeefTRQgdfpmzFZdL44bLO/D0/Wdyz43n07pZTZKS3NxxTRfApEvbdOb9dANXXdiFBUtX8eX3q3j/86W06PMo7Qa8QFFxgBfemUmDbo/TafCbZB/04jHcJHsiWZO9mVFzriU+LJ4rskaChBx/DpZhcdnMC4n9MJw1B1bRLKkFtSJqIyX8a+l9dE7uxq1N7qQoWEhQBp2eTOCAbz+xHif9g2lapIbVREPjgH8futAwpYUmNH7sM5nrTruJBdvnsk/u4L1PVtCiz6O0GfA8BUV+XnpvFo26P07Ls16hjmjK86e/Ahp0Te7B1Q2uI0KPpE+9ftzR9A6EFNzZ7F5ub3o3T7Z5hjPS+rJwz3x2lewC4OFWj9CpThfWH1hHw5jGTO4/led7vUy/mgMImpTlsapK4KROKAjmla0wLFt1KSUFwXwsadFtYnsemvVv9vn2MunMibROaIvPsrEsm8JgQenRQqsUneNcnHUZcRHxPDzvAR6d/yDJkTUYWf86Z8heE8gAFBUHsGx5XNUCFEVRlKM7/jlYAixLQiTERYUR8Es6tamDEIJWzWqycVsuy1btZdW6fRhGNKOu6EjL9sk0Sk/m5Q/ms2jlLoqKg9x+TRdeeHcW30xaw8ZtuQgN7ru5B5FhBkXF8tizmP8JQhP2vYWS9ZuzMYxIpv62mUm/bMTt0mnToglxsWEsWbEHXS/h5is6ceE1zaidFM8P01Y4x7Cha69aPPfvc+g9/A3AZtGPd9C8bRKF+8oTigoNiktMZzL2UZJUHokz0Vo4meeLyts7ffYWfp65CZdLp22Lpng8OraAx+/py+OvTOW6e74AXJzWNJV+3evTqHksaSnRCGFz2QWtOb1/GqavLR+Nm8GSlXv47yP9aN+qJkHTZsjVn3Dpee25fFgrNKERG+MhXIMVeesYMvUccnzZfNXne9rXaI40IdwIBxNGt/4/+tbsy5hNH/P5+k94f+PbXFzvMr7d9BWJUYl0ntiGQrOQZ5c/QcAO8lyHJ4hzJ7CjeIeTdkDXOeA/gI1NojvJyYtlB2ga35w+dbuzuWgzwhDsyNnL1cPb07HDHQSDkiEjx3LhoJZcdWEbAOJjXQxLuJAnkx9l6t7J1IlMxxss4c6m/0eN6HjW5Wzn3fVvsC5/LYnhyfgtL5pLI2gHsSVkxKQR7Y6hZmwt3u70IREe6Fu7N6bpzP+qOMm+KkMTeLSwss8uFGQLhBOYCXiizXOM3/EVtSJqYdsSiY1AQ9c0PJozrKgJvfS1ziSxJ1c8yp7iPbzd+wP8doA7597MYyse4u1Or1MclKXz706Cf1yKoih/UyeU+EbTgCAEgha2hPxCH4auU1jkJxi0CPMYZKbHY5pFfPbtcg7uDPDRV8vYdyCb+nWT0DSN+ASDkRd3YNwPi3nurRkMP6c1TRrFUVR0PFnM/xxCOLX9wmME6bXjMc1ihg1szvcfjODxe/vSoVUmzRokUyMpCssymDxzPbtXlDD+pzXouo0/YCF0WLvsIA888zNtW9ShVbN0rr3na1YtzsFlCCxLEhYO309ZxzlXvsMjz0/DMCjr2Ti2BjvtDYsWZNSOwzSLGHpWM77/YARP/l8/OrfLonXTmsggrN6wn+tHdGH619dx13XdWbZ6M69+ONeZ7B20kFLn7bELmPb1Nl5+dw6madOsYQ0Sk8Pp2akOPTpm4PUHqVMzlk7da9K2ZSqRHp1luWsYOm0I2SX7eaPre+wq2cW/Fj6C0MBn+nAJF41jm9K5RheaxDXD7/ezJHcxsZ4IHmr/GDc2vo2+aWcSpnnontqLoRnnIiX0SO1FSWEx43d8zeb8HYzfNo6kqGTqx9Sn2PQCTukb2w9e04uhGRQHvSQlh9GjYx16dkzH5zOpnRpDp+5pnH5aGpZmEunSuabBDSzInsfd82+nW80edE/tApbky22fMWPzdC5rcBUrz1/GoDpD0CwNv+VDCCjweSkMFuDS3azLX8POgmzyfUH8ljzijKZQT5Xfstnv24cudIJWkIP+8hUPfsuPS7joXKMbE3pP5KJ6l+E3BZrQ0YTAa9oc8O/HEAZe00uBz4chdLymZF72HAzDYHi9S7mw7iXoms7s/bNCPx6KoijKn+yEahFGRLhZPKuEGfOWAS7eHLuAoCl54JmfqVs7noXL13B2n0b06dqa1z+eyjufLiJoFpGYEMuDt/UkKlInGIArhrbmjY/nUlBYwu3XdME+CXPyCE0Q9MHdN3RlwdJt3PWfCTzy32mUlJjYdpBO7TIYenZj3hjTkq9+nM/XP65C0zQsW/L4yzNo36oWdzw0kc3bV3Dh4LPw+4N889NUTuu7l7UzbqN2WgyaAZ9PWMGcRWu4anhn3B5nJZp+DGGwlBLbdhKCBrxw13VdmLtkG3c//h2Pvjwdr8/ENAO0ae5kmn/urVlAIX17tKa4OADo9OhYDylCxZ4N5i3ZyRnnvwuY9OnWmquGt8Jb4KzIs2xJz471qJ0Wi1UoKSyxiA83uGX+TazftQai4LJZF2LlWzRPb8moxrfyf4vvJOgPcvWvI7h61ggIQnxcAiMyr8AjPDx4+n38d8lrvLH6ZQpKCvjFP421eSPomNKBaxtcy7gtn3PTzJHgFmBKXunyFvGR4dw6+0627tvCVn0Ldy0Yzfgd3xAsCjJ60a10TJpPlCsK07Lp0bEu6bXisAolxV6Jruv4gpIRWSN4YfXT7M7Zxe1N7iZcc2FZ0Dy+Je4oD8+vepq317+KQMMMmtw07xrmnrWYjj+2Z83eVaBDm/FNSY/LYHq/OdSJTMVnmmXpHCr9POEU5R4+8zx+2PwtAN8VjidhexTf9ZlMs9jm/GvpPZh+kx4TT2fuWUvokNKKAr+JWzcoChZz9rR+zN8zG2x4e/VrfLDpXab0nUn3tNO5Iutq7pgzitTPnSzxJYESRje/j9IsKNilPyeKoijKn+O4AyxNEwQCJpkNwnnxkYswNBfNGtXgjC5ZxES5iYkOY9g5TTmzZ2NGXd6Rr35syebtuaQkRtK3e31aNEmkpMSZzN20YSIfvTCM/EIfLRol4/OdfMMXmhAEfNCySRKTP7maCZPXsnNvPnXS4ji9VS1aN0tF12Hcmxcy7sdV7N6XT+e2GeTk+QgETFo1SeOxe/qSX9CRZg1rEQha9O9RD7fLQ1x0OIYOe3b7WbBsF6c1bc6l5zXHVyKPqSajpgnCPC60GIFW7NTaa94oicljrmbCz2vYsSefOmmxtD+tFm1apBH0wyv/GYTX52fH7kLQJLde1YUBvRoibIgIdyNEkNefHEZivAvT1OjdOZOoCL2spJHLEEx4f4STjd8PbkMnYMJ9LR7korojsIVF0DZxCzf1YxsQaUTzWOunOeg7iC1sLGni0cNpk9iONvHNKbFs9BKb5vEtuafl/US6o/CbfhrHNSdgQt2odH7qO4XPt35Gnv8gvWr2oV9aHwJ+GJZxMY2im4CANgntOD2pEwcbHyQpIpkwIxKJwDB0vn1/BILS2omlY9CWLUnyxPNhl09ZnreUfjXPxOfkP+WsWmfyfd/JzNz7CxFGJF1TurK2YC1xrng0dB487VFyGmajaRpBK0hiWCLx7gQkgnDj8P/EBE4erOsbjqJf6pm4dTeWtLCkSdPY5sR5Enmj4/sELCcPVu2IdPymRNf00hWV4Yxudi+76+4qe60mNDKjsgiYcEPDm6gXncmMvdNACrql9mBgrbPxW04tQi1cEB3lKctJpyiKolSv4w6wBBAM2sTVENxyTQfnSH7o0aMW2IAFeOoSLHBqs113dSvnOR1sL5UmsAcCkgvOaQhAScmJntKfR2hOXcHaqVHcemO7svPB72Q5Ny2Ijwtj1LVtnWsgS7drECiEC89v7HzvAwT0PqMOSCg6KDHcsHbTAbbv2s+T915KWIRGYb78w5PdLcsmGLSZMWcDb72+lIsHn4amQYlXUis1kltuqNzeYq/zGd50ZZuy/GQA2E4dv1mzdvPUa9OQUvDO2Llcd2lHLrukOSV5Tr3CUFWVqsllBYKghP61e4DWo8LFc96jJAgXZp1XPk5VmsRUmlBs2uhCQ9oafdK60qdO17JKMTIIJZZTXigzKoMHWt1TtvKtOOjs1CWlLV3S2jptMaFjjVbOILgNJYGKbSx/XNY8IfBZkjPSutGnVjdKguUL64K2pG/N7vSt1b3sGnWr2QGkc9zhmedWPh8b/EEoDHo5GMg9NJM7Th6sBHciA+v0Ab1P+ZsJCAacz+DqxpeW7e8POPUESy8XmtAYWu+csrxcIYGAk8dLAOemD+Dc9AFl24qDEmmDJ1xj9ow9vPLBbCzLhz9oHtI+RVEU5cScUKJRUXrjyz3gxzBc6KW5l0KVQ2xZ3kNQkO1MrHVuDlVrEQoKC53XnSzzro5E0wT+oMQbOh/pDB/qpZnoTVPiz5WH3MR1XcN30EZKia5pToHmAtuZzKxr+H3QKDOJ8e9eSe/OmXiLKMvwfjRCCCwbIiJc3HltF1at38PajdllAdDR2gtOoeZQBnNwArW4WJ2DhT40XdC7cxOyDxayZuMBvHk2thSH9C5WDLLA+ewLA5aT3Ty0D5TWFNQp8JvOe1Jeac+ZV6SVnpNT1sUKWGX76KXbnbp7NtKyCUU1oVV6odeEnrNN53prQqCL8h/1qu0tb7eg2LSRyEor/wSCwtLjOnOnBDLgXE9dGBT6TewK52NjE+/xMGHHz9y54GY0XQdZpRZhwMdj7Z/m0szhFPpNdLSya6GXZm4v8Jpl76dr+iGBWqG//BqXJvaotF9hhesXuiYSicuA3fsKCQRtrr6wGx1a1cb0n3rlqhRFUU5mxxVghX5h27aNaQaRWICGZZfvENrHtCq8rvRJS1K+b5UD24d7/iRVVorGPrTdVWe3mFb5hbAq7CwBy7IwTYiNdjG4X30KCoMEKl64P0ATgntu6AI4pXe8/iBVV98ftb2h4sUCCvJtenfKoGeHa7BtG6EJDF0jaDkJP4+lZRWbYJf+V3WbBKzS/470+sNvl2XHrarivjYSm+AxtPrwxyx/11BKBSodt6wTSgpK/EGaRDfl/uYPoQmdildCCEHQCnJaTGv8ARshRaVrYdqVe5Qk8pDnKm//Y/vZOMFYYQEM7FOfQX0bls7FsikuDjqLI06hf3+Kovx9BM0gwaATV/xdGBV/sVd9fLgpsKHnbSmJiY7FleIiSXM5oZqaM3tinDs2MRGuY1/qVeXau4Tr8Psdy/EEOGOKoe9PaNHpP4uE5jXq07xx/cNuCw2ZYvHXLOsr+3kprWt1hFxd1fpeqoNMUZQjCbogBWKiY5B7yv+IrRqPHO45/uA+h9v2e/HO7x3vaI67ByvME85P034g+gEP3gILQzfQdA1d19VQw99E5TlKf107TlVSyqP2hGlof/t/K1KCptlomsSy/sQgTlGUU5plWYTHGkye8RMJdZP/Fj1ZxxxgaZpGiQWNGjXmwVeeoaiwCE2HgoJCtmzcwKaNG8nNPoD6c1VR/tkk4HIF2bM7nez9qTRvuVAFWYqiHJYQzvSV6NpxZGY1IBgMHjbFzank+HqwJLjcLgb27oWGE0r5gHWbtrFp/XoKCwt+5wiKovzdSVsQHhFgxbJ0Nq2vwTnntSYYPLV/YSqK8ueybZtgMEBSUhKxsbEYLqN0NOXU67Q57lWEUkKu35lILACEIDY+njp1M/D5fIddmq4oyj+HZUNUtM2BA1FkZ4eT1agRfp/gJF8orCjKX0zTNeLi40lKSQFO3SkqJ5SmQa+SpCk2NoaoqCgsy1LhlaL8w9k2REXAru2CfXs1GjVKxu8/dX9ZKoryPyIEhmGUphY6Ql6dU8AJBVhVORNaNfRjqe2iKMrfkm071YwMl5OY1q1r2O5T9neloij/Q1Jyyg4NhlRrgBVSNf+Soij/PLI0H15Z/jXU7wZFUf45/pQA65/sb7CyVFGqhW2XfymKovzTqACrGkkJ4W4nNaf6Q135p7OBcCAisrx2paIoyj+FCrCqiZTgccHadVCQr24oimLbEBUGyxZBcdGpPJNCURTl2KkAqxpIG8JdsGgxvPws1G94LPNNpFMoWN19lL8bCZoOhflw3nCnBmloXpaiKMqxsOWpN9dABVjVQEpwCdi1C1q0hntGQ7H1x1ZL6ZrAg1A3HeVvSyv9CgCG+y9ujKIopxwNcOtuBAL7FFopowKsamJLMAxnaNCUYFlHHyaUSARQ7C/h0+Uf4TN96GpcUfmbkraqFa4oyvHRhIYv6GVXwXai3RFYp0iMpQKsEyRxeqpcwgmoNM15rOvOHJTD9WJJACmJc2n8tGEaa/av4Lym51NsBjiFc6opiqIoSrUTCAJWgH71B1InrhZ+U6KdAn+xqQDrBOkCgjbkFEBJCfi8kFsAtg6RERA0KwdMEokuBAHbIidQhDdYQtMaLeiV1RtLCiIEmKgJwYqiKIoSInCmGfhMEKdIL4QKsE6AbUOYG155Hr74BPw+8Hph/FfQsCG8+g64wsp7siTOLF+XLnj61yf5YdV4vLIYn+nngwVv0aJWK/571utowkBKoXqyFEVRFIXS0SLEKdFzFaICrBMgbfAAugErlpY/v2Mb1KgB0R4oMp3hQnB+OExp4REaAli+bbGTKEjAjhJokNKYOMNNviXRNf3QN1QURVEU5ZRw6oSCJyFNhyILLrkc6mU586903emtuvUeEMahQ326puG14Yo215OWWgsNDU3TMKJd3NzpbixNQ6gBQkVRFEU5pRmhyfiywhdVHitHICBgQloC9DkT3n7Vefq0NtCmPfiks3Kq8nXU8Fk26THJ9KrXj0+WvA8mnF63Cy1ST8NbOr6srr2iKIqi/DGhmMWu8n3Ve+mRYp3D3XP/6H5HckI9WFJK9YXEZ0suuUoihHP5h14sSYqQ+HzO9kNfZ2NJm0taXeN0cZlwYYvLidEFAStYWkX8JDi3v/BLURRFUU5lJzQHK9wl+KfPFJI4UWrHNtDvLFgwFy4c4dQjjAk/fAQrMdCAnvU60aVhD7Ye3MR5rYeiC0GMx/WPHrcN/YXgV0WCFUVRlFPYcQdYUkrWbdxKYcFRioxV6YgQ2h+bWxTqwai4FLPsXisPeVDpoRD/29V3AjCDkBIO0bHOcyW5MGMnGIcMD5a/Jmib1HC7iNwfg3bAoGD9bjb6tmBoxj92eFAACIHH46FOejoet/sfey0URVGUU9sxB1jStol0ayxduY4bR1xE3749CARMNE2U5iYHqkzT1nQNpMTnM510BUe9a9p4DBe2tLElWLZz1HAdsIVzFxalwVfFx5ozudwXsAmazmv+1zfnGvFw8UXw1sv84URWDUinocjg9dde+eMv+puSUmIYBqtWreK8Sy/nhitGsN9nYhhqsauiKIpyajmuO5cO5OXlcf75g4iOvonNm7ejiSiEbaJhYRPEFja2tNE1KMkvoO+AJgwZUucPHX9dMazLNRlUp7x5z+ZDngkuP9jFYJeALJFIn43tMxF+i4ICkxsHxNA0+XjOSjlZfPPVV6zbtfcfHm4qiqIop7Lj7hrQdZ2c3AK2bt3BMw+5sWIOsE0zKCYBy8rCv8UgbKekTZhg0dwlfPLTQgYOTCUYtHC5Dp25JaWF0MPYsu4Dnlxal7Z16/F5rs55TWvgD0gmbQ7iMyVFa70E873IIi9mgR9vbhDNH0Qrsdi12qR97YY06JaEaUkMXd2iTyWm6fRWHczLQ9f/6bP7FEVRlFPZCYy9SDQBsXFRxNrLyI6Yy0Ijkm20xvCnY20Lo/ZCOD0S4rf4iE704HK5AO0wAZaFxAV7X6OOPoPkfV0oiovlynYtcLl0/BLaC4sr64ThTw4nKcEiP1+CDikpkn05Eo+lsWFvIXtybFwuF0JTAdapRgiBYRgYhkFx8UGC8tQpiaAoiqIoFZ3w5BbbktgluygJLmOTHsMaUjCCQYI7wihZLinyCIJr9yP7RwDldfkKiyykLdGEhSvMgzv7VWRgHgUr0rnBWkVG18vR3E7zLCmJlhbendC4rc7ECTp5WpCISJ1lr2g07WHjccMvv4bRrmPRiZ6S8hczDIOd27ezdttOwiMiSEhM+J15e4qiKIpycjmxAMtZ9oVRshm/WMhaEcMC6mEgCW4TmAsEfjf4du1DnpnuvEQIBp+7nhqJEBUb5GCBh6ZJz3PXjYVoO+qzbNYavo2+nC3Xf87ZAxpz04juBAMWumWzbLOPtKYuGjcz6H1pLnXruHj5/ngeeKmItZt83HJ5JLqaD33K0w2DHdu2sm7NKlJr1iI6JkZNdFcURVFOKScYYAkIeinYu419yQXsiipgn9wL+Qdgj82uPTb7dcEuazcSZ4J7UZFJYgJcdmcy42eWMKrpWNo281GyKIM3X1jK2vb/ISlCMODcNPbu2gKAbdsIv02BVczM32JpmA5zfowh56CHphmCR/8dgd/rIjrWZO6SE74myl9M1zQO5uSSf/Ag8QmJWKaJy2WoXixFURTllHH8AZYEIXTsYDGrNxxkRQC8kRpC5qAVLsHOicMnLFbqGqut7Qg6OC+TEBMT5Ntf/fw04Qvu7bYE/9Isnn9sOc/mXkfRitXYRTb3/qc2MVGUvcYjJEvWFRO9JpJHZ7u4J30nHTa8yZK4EkqMErYdMHHd8m8iaiRVx3VR/mKytHa6oiiKopyKjj/RKBKhaQSDXlZsPMiafEFxGEiZi+1dgcyJokRK1krBGnZTP/RCITEJEOuyuTTrR8IW5fP4GA9vFFxDmGYRHgm24UZoNjZBwCmgXJgfZOR5yUyc4iJ/v6SkVzz7cgLs9O+iwAywLs+kmbD/8ZnlFUVRFEX5653QEKEmBKZVwrLNuWzaJwl6wCVzEMEVyIIwTJdkg0uwmX00Ks3iLm1wR4AMFvH81/H8uOhcluRlogcDWMU+gl4Lu0SiGwaaYQFOP0ZxoUnHlhHERcLAXtC+dRKF/pdoFAC/BRdH2SzbWMTyTcUnfFEURVEURVFOxAmUygFD09i6M5cNS03yjUgOlhSDvQ+s+eAX7EfyfVDiJ5fuhT5s20bXYeX6PVzdvSk3Pvg0QvjpZ5dgmhambWOaQcI8ghzvDnzeXGzbJtwFB/P93PzWFqLcYOiST+dI3G5nGphTY1mwfb+PC3okY9s2UoJtq0k7pxJV7FlRFEX5uzihHiwhbC4a0YmlLd7F0MOwLROBDdggbKSQCE0ibR9nDWiNpmnExHjo07M2S+dtJzzawhYmQS0IehBdD6K7guguE0/BAc458ww0TSMizM1LV9dj0z4TTTrBnaZRqeaOLSWRYQa1E51Sydo/uWLyKUor/dCcfGmKoiiKcuo6rgDLAuLi4hg3bjx9zjiA4dKQUkNoQNV6hJaTmmHcuJ/54AM/AIkJYQihUXwgtL8oLRwYeizQDZ2PXnmJN7w+QKBr4DKOPunZlhAI2kfdRzl5SSnRdZ1tW7cSHRWNZVl/dZMURVEU5bgcdy3CwsJCzjyzP4899iSBQOB3ex00TaDrTg+FaTpDeE4EdrjhIOc5XdPKejXg94pEO1Ti71NXqFTO1199xQuvvqbK5SiKoiinrBOYgyUxDIPIyHDCwtzHdDP0eI73XZW/M5fLhaZpuN1uNQ9LURRFOaUZoduYrPJlc+S+pbKv0pugM3ld9TYoJ8a2bTRNK/u5qvozqUIuRVEU5XAq3iOOdt/4o/txDPsdiZoKriiKoiiKUs1UgKUoiqIoilLNVIClKIqiKIpSzVSApSiKoiiKUs1UgKUoiqIoilLNVIClKIqiKIpSzVSApSiKoiiKUs2MSokeQv//o4khFOXPphJhKYqiKL/ncIkTj5QIiyrPH+neUvX1x3gPUj1YiqIoiqIo1ey4S+VUZdvloZ0Q4n9WE9C2JVI6NQg1rfKbSimx7VCbDt1uWeVt1vXK20LHPdxrK277vddqWuVrUXmbc60qt7n8Wh6uzYqiKIqinPyqLcD6KwIBKY/8vlJKhBBUrOBj27JsfyllpcAotH/V/apul/Jw28qLTB/+tc72o22r+LhqwKYoiqIoyqmlWgIsw9D4+efNzJ+/E10XXHBBM7KyEioFFJYlS4OUUK9O1R6hUE+UACS6/vujl0LAwYM+li3bS3FxkP79szAMrSwYys/389tv27Esm3btapGWFlVa5855/0WL9rBlSw4ZGQm0b18TKA/a9u8vYd68Hei6RocOtUlMDC87bl6ej3nzdpGTU0LDhkm0a5dW1iZNE6xbl8PKlfuIjQ2nW7d0PB697Lhbt+axZMluwsLcdO2aTnS0u1JPGcCSJXtZs2Y/uq4xaFBjwsONsuCrvP3V8ckpiqIoivJnqJYASwiNceNW89Zbc4ESMjLiKwVY5b1Fh/YYlQdhFSOGo0cPodds2JDLwIFjWb9+D8nJCaxZc1NpIAS7dhVw/vmfM3/+BgDq1k1j3LjhtGmThhDw2GOzeOCBiYAF6Pz73/14+OEegGT16hyGDPmE9et3AtCyZT3GjRtGVlYCmzblMmjQp6xZs720nTqvvjqEG29sB8C4cau57LJxeL0+wGLYsHa8/fYgoqM9/PLLNoYN+5QDB/IBm549m/LZZ0NJSYkEIDu7hBtu+J5x45YQExPNOec0YcCABmUB1uF6zxRFURRFOflUyyR3vz/Aq6+exccfD0fXPbjdzrhcec+MYPnyfUyatIk5c3YQCFiVgquDB31Mm7aFSZM2sWZNNrNn78Dvtyodo6JQ71dsrIfRo7vQpUsWbrde1qujaYLnnpvD/PlreeGF8/j666vYuvUA998/HSEEq1bt59//nkzbtun89tsoevRowCOPTGLevF0IIXjggamsX7+TMWNG8NZbF7J8+Waefvo3NE2wY0cBublFjBt3BdOmXU9ERDivvbaAkpIgti0ZPXoy0dHhbN9+L888M4gvvpjHTz9tRAi4//6pFBT4WL36DsaOvZRfflnJmDHLy9p9++2T+Prr5Ywffzn5+fcxZswQYmI8pefknFdRUQDTtKvjY1MURVEU5U9SLT1YUjrDhFFRbizLLh3GcoICr9fkttt+4r33FmKaQUDQvXsWb7wxkCZNkpk2bSujRn3HmjW7AIOwsAgCgQCrVo2iceOkSnOjQkLfpqREMnJkG6ZO3cL69bll2wMBi6lTN1O7dm1GjmxDVJSbbt0aMmXKJvx+i3nzdmHbxdx8cwc6d67NqFEdmDlzFXPn7qR161RmztxGu3YNueSSFgA8+eRv/PTTJnw+k65d6zB//vWkp8eSn+8jLMxFRISB261j25Cf76dOnVjq1ImhRYtUNM1g4cLdDBvWjLw8H7GxkTRokIhtg6aFs2DBLgDWr89mzJil9OrVgPXrc3nllXlcdVUbIiJcWJaNrmvMmrWD22//gcTEKL744gJiYjyV5nApiqIoinJyqLY0DVJKgsHyXicpQdc13ntvCW+9NYUePTKZMmUkt97alZkzV/HQQzMoKgpw660TWbNmL089dQ7z599I794Z2HZRpRV+R2KaEsuyK70vQH6+j5wcL7VqRRMWZmCaNunpMViWD6/XJDvbixAaNWpEYVmSmjWjkNLNgQPFZGeXUFAQID09BtuWWJakTp1o9u8vpqQkgMulk54eSzBoc9NNP5Kbu5+RI9tgGBqGIejdO5PlyzfSrdt7jBw5ASkhGHR6nPr2zWT//j106vQuQ4Z8hpSBsnNZunQfQsAvv2zlX/+axs03f8lll43H7zfLVkJu3JjDwoXrmDRpPQUF/tCVr54PUFEURVGUalNtPVhCCAzDidd0XZSumoNZs7ZjGNE8+mhvOnaszRln1GPs2FXMm7eTpUv3smbNPnr0aMjdd3cB4IcfLuG337rToEEC8HurE53J8KF9Qv8PD3cREeEiPz+AZUk8Hp28vACg43ZrREQYgI3PZ6LrgpKSIJpmERnpJjrajcejk58fKDteXp6fyEg3huEMfVqW5MYbv2Ps2Nk88MA5XHtt27IWvfzyADwewaJFe6lfP4GdO/eVncuDD/bE5zOZMmULdevGsWHDHmrXjgGgqCiAEAEuvvh07ruvKzfdNJGvv17Gli29aNw4CduWXHFFK2rWjCExMZzatWMqLApQFEVRFOVkUi09WC6XhpTg85m4XDo+n1k6vwrS02MwzWImT94EwE8/bSQvL5+kpAhq1owmLi6Cdev2sWzZPgCWLdvH2rXZlJQEgcPPwQoJBXTgBHehuUlRUW5atKjB2rU7Wbx4DwcOlDBv3mYaNUolPNygadNkpDT45pu1WJZk/Pi12HaQpk2TiY720LBhIvPnb2bz5oOsXZvNmjW7aNeuJuHhLkpKglx99QTeeWcODz88kOHDm/Lcc3PK2puWFsXYsUNZuvR63G6dqKgI+vevD0B8fBhvvDGQjRtvpm7dWIQQDBnSBIAmTZwgql69eJo0SaZ+/XikDGKa5TmxNm06yHffreHbb9fh85nV8dEpiqIoivInMA5XIYcqjyuquJ9VevOfPHkTV175HdnZXmw7yOWXj+fWWyfwzTcjuOmm0/nyyxU8+OBE3ntvCdu25eJ2C+64oxOZmfHcdlsn/vWvibRp8wYZGfFs2ZJDZGQYfftmls4xOnTlnGWBYQjeemsR//73FPbtKwJMGjZ8jlGjuvKf//TilltO58cfV9Ojx/uEhxsUFBTyzDNnIYSgW7cM+vdvyUcfzWb69C3s2LGHnj1b0rdvJlLC//1fVy64YCytWr2O329hmnDLLafjcmk8+uhMPvzwZyCaV19dyIMPTgZcXHhhMyIiXHz11Rp++GEdEyZsICeniLfeGkxWVjwAU6du4auvVvHjjxvYti2Hhx/uT5cudbBtyemn16JXryb85z8/8/33a1myZCt9+rSgQYOEsjlYP/+8iVdemQhEcvnlp5GVFX/Y3Fp/F79X8UBRFEVR4MgxzOEq5fyR/apuO5770AkNEYrSDqR69eIZMeI0hACPxygNSizS0qJJT49lypSr+OCDpaxfn83gwY0ZOrQp3bqlI6XkgQe60aJFChMnrqe4OMhNN7Vj6NBmpKfHht7l0EaXtrp58xQuvLAF4eEedF1QXOylQ4daAPTsWZeJE6/ko48WEwiYDBnSnKFDm2DbEpdL47PPzue//63F8uV7uOyyVtx+ewciIlxIKRk6tCnffnsFX3yxDF3XufjilvTvnwVAr151se1zkVKjpCSIywUZGQnEx4cDsHz5PvbvL+LCC5sxYsRpdOhQC9O0MQyNNWsOsH37Qfr3r8/QoYPLAjrnnDQ+//wCnn9+DqtX72PAgH7ccsvpeDx6WWb3YcOakZMznKSkCDIz45yro4YIFUVRFOWkc0IBVqjnpEmTZJ59tt9h95FSkpkZxyOP9Kz0fMUcWYMHN2Lw4EaVtluWxO83DxtASAlut0bnznXo3LnOEd+3V68MevXKqPRcqM1xcWE89FDPKq+hLFv7oEENGDSoQaXXCiHo2bMuPXvWPex7Ajz88KHnGRrKHDXqdEaNOv2QaxA6x+TkCJ544oxD2hRqc0JCOPff363SdhVfKYqiKMrJp1omuQcCJkLohzxvGFpZvivLcpKN2naohI0TGQghSlM7lD82DI0pUzZz550TcblcleocaprANE0eeKAnF1zQFL/fwjBEhe1a6SR7UbYSMZQBvWJ2eCkpHXoTZW0LBTqhdjjBlrN/qL3OuVTOQ1Vxgr9zfk6AqGnikBqGQoDfb6FpoixfWHmbyq9T1TZVbHPo2lYn07QrfS6KoiiKohy/asrkLnC5Dg2wQioGGoebL1Qx8NE0JyhLT4/lootaYhh6WV6t0HtZlkWDBglomsDj0Y84B6lysHBoLi2nrA6VArTDtenQczn6uR7pmKFtYWGHv+xOoHbk14fa/Gf4s46rKIqiKP9E1VbsuWrCy8MlwKxac+9w+4Z6jZo0SeL++7v/7vue6ATv4x1iq7i68XDHONz20DDjK6/MJy4ujEsvbXnURKrH26bfa0/VfaSEJ5/8lRYtUhk4sMHfeuK8oiiKovwvVFu3RdWbesXvKw7VOfmxZJVeKef/oaHA0D6WdeQvWTVi+B+yLFl2LqG2hoSGASt+hYSafNddk3nhhbmHPH+8pKz8vqF2hLaFAtiqbQq9r21L7rvvB95/f8mJNURRFEVRFKCaerB0XZRmK5e4XDqWZWPbofxY5XOvAgELXddwuSrHdX6/VTbUFwjYWJZNeHi1da5Vu9AcqWDQwuXSKw1FOudgEQhYeDwGwaBNWJheaZj0k0/OL1t1WB2rAJ2gSWCaNqZp43YbZQsIQscvKQkihDMEa9uS8HCjLNDSdcGYMZeUJURVKxMVRVEU5cScUA9WKA/WCy/MISvrWbp3/4CPP15Onz4fkZHxLO+9twQhBGPHrqRduzeJiXmCzMwXeeihXygsdEq93HnnZDIzn+OGG77n+efnUKvWs6SlPc3PP28GKvcO/dWklEgJr766gIYNXyI8/DGaNXuFjz9eXrbPZ5+tpHnzV0hOfobatZ+nRo0nmDrVOZdduwpp3vw1HnlkOh9/vOwPJVM9enucNgUCFo8//isZGf8lPPwx2rV7nQkT1iOEwOs1GTnyO1JTnyU19Tlq1nyas88eW5aodNWqAzRo8CLPP/8bn3yyQtU2VBRFUZRqcGJDhKWvbt68BvHxEcydu4VFi/bwyy9bqFUrmvbta/Hzz5u59NKP2bmzgNtv70SNGpE8/PAEHn30VwBatEjBNCVvvDGPZ56ZTb9+9alZMwavN3ii51atQqsK33prEaNGfUGXLul8881w0tKiueyyz8oy1d9880T27i1i7NjzueeeLmRlJRAe7gKcye2DBzdm48aDTJu2tSzzfMXUZaHhvj8SWNq206bHH/+V+++fwNChTfniiwsAGDr0YzZsyGXKlM28++4vDBzYiE8/PZ8+fepTo0ZUhXQVHgYNasTixXuYM2dHpaFFRVEURVGOzwkFWHrpTbp//wbMnHkNPXs24MUXp9GvXwNmz76OFi1SGDNmOUJovP32YJ56qg8//ngJ8fE1+OSTFZSUBLniila0alWbyEg3M2Zcwdix57F69SgGDXLyYp0sk61Dk++//HIVmhZGbq6Xr79eQyBgA0G+/349AP37Z1FYWMioUT8wefImzj67aWlpHoiN9fDYY71p27YWhiEOmb/lvA+HpHc4HKeYtsDvtxg3bjUuVxTbt+fz7bdrAZ1g0Md3362nZcsaxMUl8+mnS7nvvqm4XBrDhjXD7daREmrViuG5586kQYPk0rQaJ1evoaIoiqKciqppopOgpMQkEDBJTIxiz54iNmzIoWnT5NJ5WHZZj5QzNCUr9ZBYlk1KSgwNGyaWPXeyDlU56RtsmjVLoVWrVAoL/Qwc2IBeveoBcPHFLWjSJJmNG3OYOXMbkyYtxTDg4Yd7laVCcAIojYgId1kgFTrfrVvz+PHH9aSkRDF0aNOjtkVKJ2+VpmlomqRNmzQyM+Pp1i2D3NwmnHlmfZKTI/j3v3uSn+9j9uwdfPnlSsaNW8WKFTfRoEH59RaCSoWzVQ+WoiiKohy/E5uDVbo6cNKk9XTs+BqzZ2/lnnv6sGLFVjp3fotvv13LRRe1QNd1brjhO2699ScGDBjLwYPZXHVVKyIiXDz00Azmzt3Gli15DBv2Obfe+hNer1maHLRazrFaOBPGnQDKtoPMmbODXbsKWLhwN08+OZMVK/YDcPHFX/HNNys566yGXHVVG0Cwf38xAP/97zxGjPiSRYv2sGlTLkOHfsZDD/1CIGCV9Rq9+uoCbrppDLNn7wSO3Jvk9DQ5SVkvvrg5fn8R8+btZM+eQn79dTuPPjqD7OwSvv12HXfc8QP5+X5uvbUjLVrUxO/3UlQUAOChh37hoou+YNOmXBYv3ssFF3zOc8/NPumuv6IoiqKcSk6oByuUKmHbtjzCwzV69WpAkyaJdO3aiNzcfJYt28e//92Dzz67jCeemMGHHy4lISGc//xnEHff3YVg0GLJkj1kZETj8YQxb94O6tb1cjKW9dV1Z0Xk5ZefRjBo89RTv/Lgg9NJTY3miitac845DQFo3TqNLVsOcOedk9A0GDSoNffd55S3Wbv2ADNmbKFu3ViEECxZsgtd1wFnpaWUklmzthMbm8pdd3X6w226++4uuFw6L744l+nTt1KnTgy33NKBtm3TyM/3Ub9+IuPGrebrr9fgcsGzzw7mtNNSAVi5cj/z52+jWbMUbFsyf/524uMj/rTrqCiKoij/BCcUYIWGvK69tj3XXlteY2/gwIZlj6WEoUMbM3Ro47J0DBV9++2FRzz+yTZEGEpfMHJka0aObE0gYON2V+4E/OmnS/B4DIqKAkgJ0dHusm1vvDEQGHjIcUO9VKtWHWDu3C2MHt2TmjWjS0v5HL2TUQhnLtedd3bizjs7EQzaldJgnHVWA8488xZcLo2cnBISEsIrpWEYN27YUY591LdWFEVRFOUIqqkWYRDDcFbKVRxaCuVnCgUQHo9eluogFBgcbgjsZJnYfiShNrvdWoXkqM75eDwGUkqiotxl+1a9DkeiaYLBg5tzxx0dS4s8/7ER3FC6BiGc3GMV26Tr5fUFExMjytoUusZHatPJ/hkoiqIoysms2moRhgIITROH9HxUnshdefsfWS1n2/KkKkJc8Xyqtj90jqEgs+L23zvXpk2TGT/+yD16RxIK4I7eptCQrjimNimKoiiKcuyqtVTO7wVBxzPk9EeO+1c53PmU11Q89vOV0llReSKTy4/epkODX0VRFEVRql+1BFiaprFzZwEff7wMn888JFGmlBLLsstKuVTeRqVtoe3OUKJk584CPvro8Mf9q9i2LGurExBVrkVY8XxCKy2h/DxD51F1eyhVwvEEQUdrk2XJStc3tK3itT9SmxRFURRFOXZG6FYqKV+7J6t8X9Hhtum6zg8/bOD667+ka9d7qVcvrnz/0np4R+qFCgUVVYWGGydO3Mi1135O1673kpkZf4ynV/2klIdNBBoahnOeP/y5Vj3P6hqeO3KbKl77Q9/rcNf+ZBsylBz951FRFEVRqt4rjnTf+KP7weFjomO5D51gmgbn/9u357Fs2V6EMJg+fQu7diWSmhpF/foJCCHYu7eYF1+cw6+/bqdmzWhuvPF0evbMACAnx8tzz/3G9OlbiYsLJzxc56KLWjJ0aFN27Chg6dI9COFi+vQt7N5dSI0aUTRokPCXJCINBSzLlu3npZfmsGZNDqedlsLtt3emYUOnUPKsWdv5+ONlrFhxAMPQGDmyLSNGtCAvz8tTT/3Gvn1F9OpVj6goNxMmrKFu3QTuu69bWWb1Yx9WdNr02287ePXV+Wzdmk+nTrW4/fbO1K4djddr8s47i5k2bQvbtx+kVatU7rqrK02aJLFtWz7//e8cCgr8DBjQAJ/PZPLkDbRokcZdd3VWw4mKoiiKcpxOYIiwPBv7zTf/wOuvT0fXw7j66q/o1u0F7rxzMgA7duTTvfvbfPjhEho2TGTNmgOcddb7fPXVGgBGj57ME09MpkWLGmRkxPLNNyuYP38XQsCtt07ktdec444c+TXdur3AXXc5x7Vt+7Ct+rOE6v7NmLGVbt3eYMGCXTRsmMCECWvp2/dd1q7NRkrJW28tYtasrXToUIvi4gCXX/4JCxbsIhi0mTJlMx98MJV3313CV1+t4cMPpzNvnrOt4jX9o0OhofqI48atpmfPt9m8+SCZmfF8+OFi+vX7gJwcL7t2FfD883MIBCy6dMnggw8Wcf3132OaNsXFAX74YQPvvTeFTz5ZwZgxy/n445ksXbq30hCjoiiKoijH5gQCrPIJ0y++eDa33noGluVjzJhhzJp1O88+2xcpJWPHrmTDhp106JBBr1516d07E6+3kKef/g2gNC+Wxa5dhWRmxvP44wO44YZ2SCl54YUzue22PliWl48/do77/PP9y4bE/pekdFYGvvDCXAoLS+jRox5nnFGPjh3T2b59O2++uQghBLfc0oEBAxphGBo1akQhhMXatTmkpEQyffrlXH99P9av38/06Zt4+OEL+PbbC4mMDKW4EMdUi1DTBJZl88wzv2FZkl696tGnTz1OO60Wa9as4+OPl1G/fgL33tuNevViCQ93ER8fzbZteRw86KNp02Tmzh3J8OHdmDt3G8uX7+OVV0bw8cdDONIwp6IoiqIov++EhghDAVbdunE0apSCEDadO9ehXr3yuVLZ2SXouov8fB+TJ29GCLj66u60bl0TgFtv7YjPZzNz5lZ+/HEdum6Sm+vl6af7kJERS+PGyaXHrU1mZsKJNPe4hYIZKSV5eT4Mw82OHQXk5nqJifEwcmQf+vbNZPfuQi688Cvy84sZNqwlSUnhgFaWXDU62sO55zbljTcWAJIuXeqUDQ2Ccz293iDr1+fi8eg0bpx0tFYhhCAYtCgoCOB2u9iwIYdt2/LJyIjl2mv70rFjbT78cBk33PAVnTtn0bVrOgkJYQSDErfbaVNCQjgDBjTm88+XEBYWQffu6WXnqoIsRVEURTk+1bKK0EmmKbHtAM89N5cPPlhK9+7vMmbMcgYMyMKy/ERHG9x7b1cuv7wVuble9u1z6vO9+OJccnML+frrYfzww6WEh4cxYcI6iovNstWEth3k+eed4/bu/T6vv76w7H3/F4RwhuM0TdC1azqmWUTjxon8+989OOusBqxbl4uua2zYkMumTdtp3z6dBx/sQePGSUhps2zZXgoLA3z++SqGDfuMAQMa0rdvQ84552Pee28JgYBVtnLv7bcX06PHqzz//FyAIw7VCeH0XoWFGXToUAu/v4DTT6/Fgw92p3v3uqxYkY3HY/DDD+uRsoSbburAHXd0AjRycopZuzYbn8/kjTcWcsMN3zB8eBuaN0+lR4/3GDduNZYl1TChoiiKohynakk0CpI+fTJp1CidV1+dAbioWzeOyEgXZ5yRyYMPDuY//5nGhAnLAIO0tBjOPtspp7N5cx6TJ8/j1193EhPjJhi0uf32jkRFuZAS+vbNKj3uTMBFRkYcNWpEVk+zj0Go7t/o0V3YsiWPp56azlNP/Qy4aNo0hbi4MBo3TqJ37xZMnLiaGjWWk5lZk7i4BF58cR7nn9+Uu++eTEFBDvXqtcHrDeL1FjBy5AT69s2iTp0YAH78cSP5+QGuuqoVALYNun74NoV6mp58sg/Z2cXcc8/33HPPBMBNmzY1SUgI55JLWvLrr5u5+OIxgJtWrWpSWFjIe+8t5v77u3PLLRMJBovJykrC67VYuHAN1133PQMGNCAy0vWXLCZQFEVRlFNdtQRYlmVRv34C8+Zdx5YtB4mO9pCaGlV2g37ooR5ce21btm3LIz4+nJo1o4mJcUrJvPTSAEyzH3l5fvLzvTRunEJmZhzg3NizsuIPe1z436YUcIIMQWysh7Fjz+ORR3qxb18xNWtGk5YWVTYM+MMPF7N2bQ4gadAgkcJCP7YtSU2NYsGCa/H5gsTGhmPbNg891B232yApySlhs2NHAbNmbePcc9vQsWPt381gH8renpoaxXffXcz69bnk5nqpXTuGtLQoDEMjIyOWjh1HsWVLLmlpMaSkRLB/fzHx8eFER3vYtu02gkGL+PgI/H6TkpIzCQtzVZgX9mdeVUVRFEX5e6qmHixnKCs21kOrVqmVnnPKxkhq1oyiZs2oQ7Y1apR43Mf9K4R6dLKy4snKiq/wvDNnKSzMoFWrGmXPhwIVgJSUyj1v8fHhAGXDg3v2FBIWZvDAA12PsU2Hv5ahNtWoEVmp1y8jI67scVpadNljpzB1xDG9t6IoiqIoh6q2ACsUSJXXxCt/HNpWtQh0aL+qU30q9kwd7bV/BWc+lpNuLDT5PVSLEcoLL4f2LX9d+XlUvkblpYDatk1j06ZbiI0NAw7toQulb6i6yjBUB9I07bKeNsMob1P5tvJViqHHTpb98szumla+veJ7hs6lamLSip9LVRU/16rbf++4iqIoinIqq7YAC5wbfegmX/WGeaQ6eH+kPt7JVkPvSJnR4egBYNXzqLqfrmvExoYdcd7TkdI3hAK90MpAoFLwUnVbxeNLCYZRNWiSZf8/WsqIikF0KPA73Laq23/vuIqiKIpyqquWAEtKME0nWWbHju/QokUN3n9/cNlNtuqKtCOVxznZhQKTt99ezKJFuwgPN7jtts5kZMRWCiAsq7x3pmog4dQqlGXFoKsGOEebVL5mTTZz5uwkLEznoouaV+o1LCoK8O2369i/v5D27evQtWudsmOZps23365l27aDNG+eRr9+mWXH1DTB8uX7mTFjM+Hhbs46qyE1a0aV9bStW5fDtGlbKCz00bp1Lfr2rVf2WiEEgYANyEoBXGgbgN9v4Xbrh/S4rV+fw9SpoePWpG/fzL+0Z1JRFEVRqlO1BFi6LsoCJo9HJybGA5QHCkfr8TkV/fbbdj78cClQxLnnNiEjI7ZsvlNoYnrFyemh4Otww3tVHW4oTdOcUjjnn/8J+/blUr9+bYYObVoW1BQXBxky5HOmTFkBOIsHXnttCDfc0Bbbllx22bd8+ukcwAOY/Otf/XnkkZ4ATJq0iaFDP6GoyAtYNG9eh/HjLyEzM57ffttBv34fUlLixfn8LN588wKuvbYNlmUzcOAn7N5dgNut07hxCh98cG5ZUDl27Aoee2wa0dFRaJrNE0/0pUePuggB8+bt5IwzPqC4uPy4b7wxlOuua1sNn46iKIqi/PVOrBuptFOqoMDPjz9uYNy41dx00+n07FmXkpIgzs1T8ttvO/jyy1WMG7ear79ew/TpWwkErBNu/P9aaP7VBx+cy5tvnoOuuw7pudE0wfz5u3j33SV8/PFyNm8+WJZOQdMEa9dm8+67S3j33SXMmLGN8ePXViiVc/j3BKhfP4G33z6XNm2yCAtzVZrf9sUXK5kyZSmjR/dlzZrbqFs3if/7v4kUFwf45ZetfPrpbC66qAPr199Ox471eeyxKaxefQBwShVZlsX8+aN4990LWblyK6++Oh8hYP/+Yho0iGfZsluYOfNa3G4PY8YsLw0iNVq2TGXjxlwWLtzMmDGL+OWXrWiaM0xcq1Y0brfB/PmbmDt3LS+/PL/sXPbtK6Z+/XiWLr2ZX3+9Drc7jDFjlhMIBAFV1FlRFEU59Z1QD1Yo0efy5fsYPnwcJSXBsqGxVatuokmTJPbvL+HCC8exc2cuNWrEsm/fQaKiIlm69AaysuIPmbtzqrAsG8uyyyZyS+kEX3fd9TMvv/wblmUDNikpUbzwwkAuvrgF77yzmNGjfyQvrwQhPEhpATr79t1FSkrkYVdHhr6vUSOSc85pxLPPzmHfvmKEKO/dmjRpE7oezsiRbWjYMJErrmjNQw99z+bNB/n11+1oGlx7bVsaNEhg5Mg2zJ27lhUr9pOcHMHKlfsZMqQZ7dvXpF27mtx99xSmTNkMwDnnNKR370xiY92sWrUfy7IrrUa8885OfPLJcoYNa8HXX6/hk09WcMYZ9bBtSc+edenQIQMpNerXT2LSpHVs355PenosZ55Znx496hEb62b16gNYlkVKSiSGUa1TAhVFURTlL3NCPViibPVbTaZOvYzffruakSNbAxZa6ZHdbmfI8N13z+OKK1oBAR5+uNcpHVxVXNXoPJYYhsakSRv573+n0bJlTebMuY7x4y8jL8/PXXdNZsWK/dxzzxSEEIwffxnr1t3MwIFNcK7V718D23bmUpWv+Cvv5zlwoAQhwnC7dSxLkpYWhRCC/ftLyMnxYtsuoqLcWJYkJSUSIXRyckrYv78EMKlZMwrLsrFtm5SUCLKzvViWjWFoxMa6OXCghMsv/xohTG68sV1Zez/6aBk7d+Zy333daNIkiQkT1nLgQAlut87u3YWMHbuUgQMbMXRoE4qL85k8eRPg9PKVH/cbwOSmm9qX/cycej8RiqIoilLZidUiLP1/WJjB6afXAuCXX7YANlrp3TImxsOvv17JBx8s45lnpjF6dD8uu+w0TNM+ZPXaqSC0SjDUdpdLL+tlWrXqALruZdSo0+nYsTYAvXs35JdftvDDD+vJzS3k4otbM3hwYwC+++4itm3LK0s0erRJ3k76BA1Nc9rgcullQVZCQhi2HcCybHRdkJ1dgpSShIQw4uM9aJqJ12ui64KDB525VnFxYSQmhiOlzoEDJWVz6LKzvSQnR5QFUfv3F3P++Z+wdOlOPvlkBL161SvraRs3bg1g07nzu2RnFwN+ZszYxtChTZg+fSvFxUU8//yc0mO5GDt2JSNHtsEwNA4cKOH88z9hyZLtjB17Kb1718M0TdWLpSiKovwtVEuEI6Us613x+cxK+Y80TfDzz5sYPfp7br65O5df3oru3d9n5cr9QHmSzVOFZUkOHvRx8KAXl8tg794i8vJ8gJN81LI8fPbZSvbsKWLp0n3Mm7cVt1unc+c6REaG88svm1m4cA/BoM0336zl3XeXls5XO3LdQWcbFBQEsEunax04UFI2RNujRz1su5gvvljFgQMljB27grCwKLKyEujQoTa2bfPppys4eNDHmDHLkdKgadMUatSIpH79RCZPXsuWLXl8++06DhzYT7du6Qgh2LGjgMGDP2PevO289toQYmJc3HffVIQQLFy4m6VLd3DJJe144IHuPPxwL9xuDx9/vAzblrz//hLS02vw2GNn8PTTfejUqT5z525hxYr9HDhQwqBBnzBnzjZeffVcYmPd3H//tLK5aKoEoqIoinKqq9ZEo7ouSpNUUjoHCTZvPsgll3yNbRfxzjtLePHF2YBFcXGwut76f8LpHdIYO3Y5V175NWADQQYPHoOuayxceAPnnNOQ888/na++WkDt2puxbRNNkzz99Fl0757Bvfd241//mkT79q8SHh6B11tMy5Z1GD26U1mgKUTl6CI0ofyBB6bx+OPTAGdxQErKozz11NncfXcXLr64Oe+/35D77vuehx6aTiBQxKOPDiImxkPfvln069eK11//hfffX4LPl8+NN/bitNNSEELw2GO9GT78UzIz/wsEqFkzmZtuag/A/fdPZe7cxUAso0ZNJBjMJjW1Dlde2ZpBgz7D789lypTNjBlzHsOHjyMQOMiECctITNxGXl4uYJOaGklWVjyjRn0HFHLppV9Tu3Y0c+cuByK5+eaJBIO5xMWlMnp0R8LD3f+Tz1NRFEVR/kxG6HYuK3xR5XFFh3veMLSy4a19+4qREiIjnRtlSkokY8eeR36+D7/fRghJYmIELVs65WROlTlYoSHP7t0zePnlgWWpKUzTRtMEGRlxuFw6n39+HuPHN2Pp0j2Ehxt061aXbt3SAXjggW506VKH2bO3YZqS005LpV+/LCIiXEd5X+f6DBnSmNTUCNxuZ99gMEj37k5OqoSEcH788VI++mgZe/YU0K1bXYYMcYYhXS6NceMu4KOPGrFhQzZt29bi4otDObRg2LBmpKRcw8SJ64iK8nDBBc1p3NgpuXPjje3p3r0OliUIBi1cLqhbN5GaNaN54YX+5OcX43a78fstLr20Jb1718Ew3Oi6s79pWrRoUYPoaDevvDIIlwtSU2OIjfUwZEhjLEsSDNq4XJCeHl92HYSo/PNY9WdTURRFUSo6UgxT9b5R9bmj3V/+yPGO5oR6sCzTeatvv13HK6/MRwiDKVNW0axZHVJTI5ESoqLcDB/e/IjHOFVyS4bamZkZz6hRpx9xP13XOP/8Jpx/fpOy5yrmwerVqy69etWt9JqSkiB5eb4jBptxcWG0a+es8jscKZ1VhqNHd670XKjN0dGesl6pqufkrPjLoGfPjAqvdeZYdexYu2wuWVXDhzer9P055zQ87H4hVd+/R4+6h+xjmuZRj6EoiqIop4oTm+ReegNPSopACMjL83LttZ24444upZOwne2maVeaVxPK5H6qBFcVhTKxV+X04oXSNdhljytmrdc0UZbaIZRTy+XS+PLLVfzrXz/jdodh25VzYkkpee21gfTvn0UgYFXKgF9xSLZinULbllWywzttDm2reO1DbQrlLBOiPBFqKCN9RUI45+p8prJswr+zCtFJtho691AbnWzy5fUZQ7UTqx5XURRFUf4uTmwOlpAEg0E6dUpj8uTLsCyrbBVYMHjkOVZOaZ1TL9Ho0VQ9n4r5sWz70HOtGHy2bVuDBx7ogctlHDLRXUpJw4ZxWJYzn6tiB6VlOV8Vhb4PBg99z9C237v2VY9Ztd0Vj131+4rndrhjOcWwD39c0zRLg8G/18+GoiiK8s9z3AGWlJKY2FhcrvL5QxV7TSo+rxxd8+ZpNG+e9lc34y8X+plJTEw86opKRVEURTnZHVeAZQNhYWFM/OEHIsMjsEwT3TDQdR1N19H+oeM9lqYhNQ3jD84lkoCODhKCMlRa6FCaEP+IITTLtjF0nUWLFuF2u5H2kUsIKYqiKMrJ7JgDLKFplJjQsEkT7vrPkxQVFSEEFBYUsmXjRrZu3khuTvY/KpeRhsTvctNg+3YS8/OY16w5LstEHjUnucSFm236FnyimIZmM0yOHGT9EzhBpMDj8dCqTTt8Pn/Z6k1FURRFOZUcVw+WlOB2uxh0Zh90nJDAB6zbtI1N69dTVJD/j5q1LGwbf0QEDRfMJ2nXLpoMGozL70ce5RpIbMJFBPNKZpFnHaRf9EB80of4BwdYIbZt4/f7iY9PIC4uHrfH848K2BVFUZRT3wnMwYJcX/lkZCEgJjaO2unp+P3+amncqULYNmZ0NAk7dhBe4iWrYWM0b8lRg0xb2kS5Yti8cyPCq5FZvzFeswghVI8NOCsNo2NiSUlNRdOECrAURVGUU8oJrSLUdb3S97FxsURFR2OZ1j9rpMu2kREewtetxVVcRFij+ghf8HcDrBi3h1XURivSadS0PkUBP5oKsMoYLheaOPyqQ0VRFEU5mVVrZV0pnYznuucfFiRYNlID3eVC03XcukC4Xb8bYLldYOgudF3D7QI37n/sAoHDOVJKB0VRFEU52VVrgBXyj7spSulkpyo98fLHR5mDVfqa0lc6j6X8nYnxiqIoiqKcCv5hXU2KoiiKoih/PoNQriFpgy0Qto2wJdg22PIftRrwuNnOtTverjuJxJY2tlR5n5STn5onqCiK8vsMWTpfSqIhgWBUJP5ID1LXkPrRX6yEONdORkTAMSbHtKWNR/cQLTSER1NdispJzZLgUzW5FUVRfpcR8frbAEhp43a5qb9/JWH52whbHI1mmSov0x8hbaTHjWvRIqxGjUqf43dXUtpAhCuSH9d/gy4EActS11s5KQkh8Jk+GiY1oXdmLwI2CPXngKIoyhEZMiEecHpScLkJ+mPw2RHIhHikaaohwj9KCILde+DvPwBh87vXTRM6JUHomdkPW1oUBYqIdGtULOasKCcLTQi8ppcvVnxIVkJD6sbXwW/aKm+boijKERje4UMBpzfFALbtSWPx7nn0bTsEH/+sdFbVQViAxTEFpgMbD1B9AcpJTQN8NmzKWU/QDqq/uxRFUX6HIUqzsQtpIdwGrsIiwop8CNNCBCVC/Sb9YwSl1ZuPfeJaUcBG9VwpJzNNgM/0O8GV+rNLURTldxmyNCCQEqSuYWsatiaQuo5Uqwj/J9Qwi3KyEwKE0BGI0vxt6k8CRVFOHvIoX8ezHxWe+739jkTd2RVFURRFUaqZCrAURVEURVGqmQqwFEVRFEVRqpkKsBRFURRFUaqZCrAURVEURVGq2f8DU1fMmW66zYYAAAAASUVORK5CYII=
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAbIAAAJYCAYAAAAHRGNlAAAWpWlDQ1BJQ0MgUHJvZmlsZQAAeJyVWAdUFE+T79kIyy5pyXkJS84555xzEIEl55wNICoqKEmSBAVUEFFAEERQCQYUyYigiBJERFExIAgqN+KJ3//73t29q/fm9W9qqqu6p7q6uhoAdg1KZGQogh6AsPDYaDtjPT4XVzc+7CsAAQSgAgIAUHxiInVtbCwATH/af9LXx7A0TGOSv3T95/f/lRh9/WJ8AIDcYeztG+MTBuMu+PnuExkdCwDyBswXSIiN/IVnYMwUDQ8Qxl9+4YBtjKL6hb1/Y65tGQc7fRjLAECFp1CiAwDAa8B8vnifAFgPHraFYQz3DQqHzUfCWMsnkOILAFsjLCMRFhbxCz+DsQgsD39nR8FYxftfdAb8Q7/3jn4KJWAH/57XNlEZBMVEhlKS/p+/5v+msNC4PzbI8IMPjDaxg1tB+P9NhkSY7+BwbyvrPzjId1t+GwfGmTj+wT4x+m5/sC/FwHynb6iVxR/sH2RkuqMn1tThD/aLMbT/g6Mj7HZs+Ufr6/7BlOi/duNCHHf4gX6mO/qTAx2c/+D4ICerPzgmxN78r4z+Dj86zm5n/H7hxnp/7RrtzD0s5l/mG2S60zc20MFkZ+6Uv+P3C9f9qzPGZWdsvn4Ghn9lHHfkI2P1dmxFhtrsyPuFGu/wY+Ltd/rGwovzb1+bnX8YTDGz+YOBBTAEBoAP6IMgEA78QBigwG8G8FsMiASh8FtSrF9i7K+J6UdEJkUHBQTG8unC0efHZxruIyXBJycjJwfAr1j+vTw+223HKMQy9JcXBfdXUwUAUf6XRxEHoF0CDqFLf3mCSgDQlALQMe8TFx3/m/crJAAa4AAdYALsgAfeKUSAJJADSkAd6MCjNwPWwAG4Ag/gAwLh8UeDBLAXHADpIBPkgAJQAs6As+ACuAyawDVwA3SDe+AhGAbjYArMgAXwFqyAr2ATgiAsRICIEDvECwlB4pAcpAJpQYaQBWQHuUJeUAAUDsVBe6GDUCaUB5VAlVAtdAW6DnVDD6AR6Ak0Cy1Bn6ANBBKBRzAhuBFkhDRCBaGLMEc4IHYjAhBRiGTEIUQWohhRhbiEaEV0Ix4ixhEziLeIVSRA0iBZkCSkJFIFqY+0Rroh/ZHRyP3IDGQhsgpZj2xH9iLHkDPIZeQ3FAZFRPGhJFHqKBOUI8oHFYXajzqOKkFdQLWi7qDGULOoFdRPNAHNhRZHq6FN0S7oAHQCOh1diK5Gt6DvosfRC+ivGAyGBSOMUcaYYFwxwZg9mOOYckwDpgszgpnHrGKxWHasOFYTa42lYGOx6dhT2EvYTuwodgG7TkVDxUslR2VE5UYVTpVGVUh1keoW1SjVItUmNT21ELUatTW1L3USdTb1Oep26iHqBepNHANOGKeJc8AF4w7ginH1uLu4Z7jPNDQ0/DSqNLY0QTSpNMU0jTT3aWZpvuEZ8WJ4fbw7Pg6fha/Bd+Gf4D8TCAQyQYfgRoglZBFqCbcJzwnrtERaKVpTWl/aFNpS2lbaUdr3dNR0QnS6dB50yXSFdM10Q3TL9NT0ZHp9egr9fvpS+uv0E/SrDEQGWQZrhjCG4wwXGR4wvGbEMpIZDRl9GQ8xnmW8zThPRBIFiPpEH+JB4jniXeICE4ZJmMmUKZgpk+ky0yDTCjMjswKzE3MicynzTeYZFiQLmcWUJZQlm6WJ5THLBis3qy6rH+sx1nrWUdY1Nk42HTY/tgy2BrZxtg12PnZD9hD2XPZr7NMcKA4xDluOBI7THHc5ljmZONU5fTgzOJs4n3IhuMS47Lj2cJ3l6uda5ebhNuaO5D7FfZt7mYeFR4cnmCef5xbPEi+RV4s3iDeft5P3DR8zny5fKF8x3x2+FRIXyYQUR6okDZI2+YX5HfnT+Bv4pwVwAioC/gL5Aj0CK4K8gpaCewXrBJ8KUQupCAUKFQn1Cq2RhcnO5CPka+TXwmzCpsLJwnXCz0QIItoiUSJVIo9EMaIqoiGi5aLDYggxRbFAsVKxIXGEuJJ4kHi5+IgEWkJVIlyiSmJCEi+pKxkvWSc5K8UiZSGVJnVN6r20oLSbdK50r/RPGUWZUJlzMlOyjLJmsmmy7bKf5MTkfORK5R7JE+SN5FPk2+Q/Kogr+CmcVphUJCpaKh5R7FH8oaSsFK1Ur7SkLKjspVymPKHCpGKjclzlvipaVU81RfWG6jc1JbVYtSa1D+qS6iHqF9Vfawhr+Gmc05jX5NekaFZqzmjxaXlpVWjNaJO0KdpV2nM6Ajq+OtU6i7qiusG6l3Tf68noReu16K3pq+nv0+8yQBoYG2QYDBoyGjoalhg+N+I3CjCqM1oxVjTeY9xlgjYxN8k1mTDlNvUxrTVdMVM222d2xxxvbm9eYj5nIWYRbdFuibA0szxp+cxKyCrc6po1sDa1Pmk9bSNsE2XTYYuxtbEttX1lJ2u3167XnmjvaX/R/quDnkO2w5SjiGOcY48TnZO7U63TmrOBc57zjIu0yz6Xh64crkGubW5YNye3arfVXYa7CnYtuCu6p7s/3i28O3H3Aw8Oj1CPm550nhTPZi+0l7PXRa/vFGtKFWXV29S7zHvFR9+nyOetr45vvu+Sn6Zfnt+iv6Z/nv/rAM2AkwFLgdqBhYHLQfpBJUEfg02CzwSvhViH1IRshTqHNoRRhXmFXQ9nDA8JvxPBE5EYMRIpHpkeOROlFlUQtRJtHl0dA8XsjmmLZYIPTf1xInGH42bjteJL49cTnBKaExkSwxP7k8SSjiUtJhsln9+D2uOzp2cvae+BvbP7dPdV7of2e+/vSRFIOZSykGqceuEA7kDIgYE0mbS8tC8HnQ+2H+I+lHpo/rDx4bp02vTo9Ikj6kfOHEUdDTo6eEz+2KljPzN8M/oyZTILM78f9zned0L2RPGJrSz/rMFspezTOZic8JzHudq5F/IY8pLz5k9anmzN58vPyP9S4FnwoFCh8EwRriiuaKbYorjtlOCpnFPfSwJLxkv1ShvKuMqOla2V+5aPntY5XX+G+0zmmY2KoIrJSuPK1ipyVeFZzNn4s6/OOZ3rPa9yvraaozqz+kdNeM3MBbsLd2qVa2svcl3MrkPUxdUtXXK/NHzZ4HJbvWR9ZQNLQ2YjaIxrfHPF68rjJvOmnmaV5vqrQlfLWogtGa1Qa1LryrXAazNtrm0j182u97Srt7d0SHXU3CDdKL3JfDP7Fu7WoVtbncmdq12RXcvdAd3zPZ49U7ddbj+6Y3tn8K753fv3jO7d7tXt7byvef/GA7UH1/tU+q49VHrY2q/Y3zKgONAyqDTYOqQ81DasOtw+ojFya1R7tHvMYOzeI9NHD8etxkceOz6enHCfmJn0nXz9JPTJx6fxTzenUp+hn2VM008XPud6XvVC9EXDjNLMzVmD2f45+7mpeZ/5ty9jXn5fOPSK8KpwkXex9rXc6xtLRkvDb3a9WXgb+XZzOf0dw7uy9yLvr37Q+dC/4rKy8DH649an45/ZP9d8UfjSs2qz+vxr2NfNtYx19vUL31S+9W44byxuJnzHfi/+Ifqj/af5z2dbYVtbkZRoyvZRAAk/CH9/AD7VAEBwBYA4DABu1++z9n8TEj58IODWCZKC3iLKkR4oUTQW/RGzhJ2gekE9i1vDowlkWnO6WPoKhgkiDZMWczJLA+siuxgHhbOIa4gHzavI50fK4m8SGBV8T0YI04rQidLAO9838XcSs5JjUrelW2TOyebI7ZMPVnBS1FESUyYqf1dZUO1Xu6pepnFQM1jLTltLR0KXV49Fn96A2hBl+MNozXjF5LXpjNmk+aDFXcsbVs3Wl20u2tbaXbS/7NDgeMWp2bnZ5arrVbfmXU3uV3Y3eDR4Nnm1Ubq9+32e+L7y++K/FUgTxBLMHyIeqhimHW4a4RjpF5UQfSKmOrYzbjL+YyJ1El+y8h6rvT77EvdnpBSlVhyoTDtzsPhQ9uH09D1Hoo76H3PLsMrUPa54QiSLK5sxhyaXOo/mJH0+WwGpULxIoVjzlGGJZalj2a5yn9MhZ2IrUitzqirPtpzrO/+i+ssFqlqui9J1epccLwfUJzYcbSy8UtVU19x8tb2ls/XutQdtA9dH2sc7Jm9M3Xxx62Xn267VHuRt5jsidzXu2fT63E94kNFX9rChv3tgZHBm6N3w6sjG6PexzUfr46uPP068g1fb/NPnU5PPRqcHnt9/cXfm3mzf3Oj89MulhdVF6DV+ie2NwFupZdV3+u9NP5ivGHyU+8T66dPn3i+nVkO+aqzRrr1Yb/iWumG7Sdr8+L37R+5Pry2Zra1/+F8KzYf+DPv/DdUc9UcaHF6IYEgbSJdN38PwmSjJ5Ml8iuURG4HdkuMwZxfXVx5xXk++46Sr/I8FvgjRkbmEySIkUTYxGrF18TmJQcl2qbPSx2XiZb3kTOVlFFgVfii+VOpTblDJV01W81DX0yBrUmm+1RrRbtM5q5url6afYBBq6G3kZGxuomUqayZgzmyBtVi3fGP1zHrE5r5tj90t+w6HNscWp0bnOpdq10q3kl357id2H/FI80zxSqGkeWf4nPQt86vxbwxoC+wKuh88FDIe+izsZfhyxHoUJpo1RiJWL84lPjzhYGJR0qXkzj2je1/uW01BpOIO0KbhD2IO/jz05fBS+vSRkaN3j7Vl1GWePp5zIi0rITssJyA3IC/4ZHR+csHBwsyik8Wlp6pKaksby1rKb5zuOfOw4nHly6rVc5jzbNViNRoXrGo9L0bWpV7KuVxR39Bws7HvynjTi+bXV1da1lu32jDXCe1MHRw3+G6Sb0l0yndpdpv1uN4OvZNy9+S9mt72+wMPZvo+9aMGWAbJQ4rDeiMWo/Zjzo/cxt0fe0x4Tno98XpKmaI8o0xTnlNe+MwEzkbO7Z3PeFmyUPeqY7H/9fTSuzffl/HvON6TP0itSH8UhlfA1ufZL92rFV/3r7mvq31j+/Z1Y2yz8fuJH8E/jbYE/s3//3P8DxJxTBrMMXD8f4Dj34ezlOsRD4FXgy+EVMR/S2BO8CeZQZgkIiYqKiYsTpLgkKSXopYG0p9lFmUn5e7LtypUKxYoHVSOUtmtaq6mrC6gQauxrjmvNazdpdOse0GvQr/UoMAwy+iIcapJommkWYC5h4WDpamVlrWSjbStqB3ZXtCB35HkxOvM5cLuyuLGuAvvjt0N7f7h8c1zzWudsumD8KXyo/NnCeAKJAWRg8VCpEPlwhTDVSO0I42jbKM9YyJjU+Ny4ysTriR2JQ0lT+95u3d9PyIFl4o/QJ0GwVn05aFHh3vSG46UH804FpdBybQ8rnJCIIsu60f2u5y53Gd5kycn8icLnhROFk0WT5x6XPKodKxspHzo9MCZwYqRysdV03CmWzm/UYO6QKhlvshTR74kdVmhXq1Bu1H/ikGTYbPBVb0WnVbNa2ptytfl26U7xG+Qb/Lf4unk7OLs5ukRvC15R/mu3j3LXuf73g9C++IfpvQfHcgdLB46PVw5UjVaMVb2qGg893HmxKHJfU8SnkZMBT7zmnZ9bv/CZsZ21nnOez7qZdpCwasLix2vB5Zm3nxaRr1jei/4QW5F86PBJ6PPRl/0V7W/qq8prct+E98gb/J9Z/9B/EnYwvzy/+87l1+EgWvKc3CecDwCgEUuAKfVASDjAMDTAmBDAMBBFSD0sgFCXh4gZM7u5A8ILjypAT1gAyQgDpTh+tgWeIIIkALXlFWgBTwA0+AzhINIkBrkAEVAGVANdA9aQGAQIggLuNYrhuu7ZSQ70gSZjGxAvkYJwpXaOdRrtBRci/Vg6DBemGYsFdYL20HFRpVI9ZRam7oGrpP2497ReNKM4A3w1whihNO0zLQn6KjoDtOj6Y8w4BlOMnIz1hKVib1MzkyLzEksNCwVrMqsw2yh7Dj2Og4rji+cZVzGXJ+5K3gseTZ4a/gcSWhSK3+wAEngqWCBkB2ZSB4XLhHxEhUWfSfWLJ4koS2JkRySKpUOlFGRpZF9Idcqn6MQqmihJKfMo0JUpVWjV2fVIGlKa2lr2+sE6x7Sq9TvNpg3whqLmZibBpkdNq+w6LCctFqzYbfVtPOzz3bocHwLr2Vr1zS3q7sWdrN4GHkmeNVRZnzYfe39cv1HAolBLsEVIcth6uFZEYtRhtE1sYS4hPiXiQ5JvXs097bul0tpPCCb1nRI/vCVI5JHqzN4MotPELNycxhy809y5FcVShZ1nLIsmS9LOS1wZrjy8Fnd88jqBxfyLnpekqlHNjy9crU5tyXqmu11mQ6aG3O3WrrSe1zuSNxD9E49aH1YMBA/5DaiNyYzLjIh98Rxqnh6cyZ+7vvCkdesby69M/rw8tORVem1ZxtZPwy2948//mfd9r8S7H8b4AHCwD6QBSpAM7gHpsAKhIV4IGXIBgqB0qGzUDc0g4AQAggjRAgiD9GBeIUkIvWQcciLyJcoEoqCOo9aRiugU9ADGG5MBOYOlgsbjx2Da+l8qm/UXtR9OGVcNQ07zQk8Ep+M/0gIIszS7qKdoHOim6DfRT/HEMKwxniYyEKsZdJiGmMOYt5iKWKVZR2AvU/L3sThwongrOdy5yZwd/JE8wrxTvJlkDRJn/gvCFAEuQWnhErJHsKCwm9FWkRTxSzEWcXnJeolk6SMpJmkF2TaZLPk/OR1FLgUNhWnlW7D+axStUStVL1Ko17zJryfvdLZ0uPUVzNwNzxgVGs8YvLNjMdc28LTcp9VufUtmzk7ans5Bw/HE063nD+7irp57yp1H/PAeep6JVKueL/1FfEL8K8NeBekELw/pC+MPTwkoiuKPTo+ZiJOI/5cIl3SvuT3eyn7JlNsUwfSLA4OHLZJHz1qd2wk0+p4X5ZJdm+uad5gvmPB86KQ4o2S42Wk8o4zrhU/q+rOeVSz1jyqLahzu0yqX2683pRx1aNVoY1wfbGj82Z+p1+3wm1wZ+Be2f2wPp1+1oGVof6RurGs8fiJgCcBU8nTNS/ezum+rFrELcW9XXjvtjL62Xp1eN1p48WPsH/4/3+O/+fb8c+/Hf/h2/F/F45/NEIYYY6IRBQhOhFvkCxIQ2QCsg45h+JGuaFKUM/QJHQAuhH9HWOGKcV8wBpiy7HrVI5ULdSs1Hup53GWuHYaEZpiPBW8ApYJnoRHtBa09+j06Lrp9ejvMVgwjDNSGD8Q9zPRMlUwyzHfY3Fn+cKazSbB1s8ezkHk6OD042Lk6uKO5OHjGeY9wCfH94pUym8vQCvwUDBTyJLMQH4iXCUSJqoqhhYbES+XCJJUlsJKPZGulzks6yGnJs8uv6HwXLFXqUW5TuWCar1ah3q/xqzmhjaLjqKui95+/RqDMSOksbyJj2mOWbv5nCW1lay1m80R22t2Sw48js5Oec7DrvRu9rsK3Sc9ODx3eZVRnvsI+Ab7XQ2AAm2CqoLXQq3D6iJwkWFR4zF6sU3xwgkVSVzJpXu59lWliKW2pOkffHQ4MP370ZwMUmbjCc2sBzlOua9OJhbgC88Va52aKt1TznP6TkVEFe/Zx+cLatxqhS6uXrpff6Yxqcn5qnIrZxvi+nLHxM3uzpru9Nued2V7ofvDfRX90YPGw7wj38Yej7dOlDw5MBU+7f3CczZgPmnh5GLz0uQyeC++4vbp+Jeer5vflDfjf1z/5f8Yf3m57fQB4fUAQD/f2vpMBgCbB8CP3K2tzaqtrR9n4WLjGQBdob/v8bdzDT0AeWQWDLj80D7hP+7Qf9/x/0sd8+8t2M5Ev+hXJtpu4awE/gtIy3Ss+LPLjAABAABJREFUeJzsnXdgFNX2xz9TtqcXAiEJJfTeQboiSFGwYMeCgL0+9dme+uw+e0XFroiIIqAUQRCl9957SICQhPRk28zc3x+T3SQUy/v5CGU+761kZ2fv3Jndvd85555zriSEEFhYVBA0gthkG6N/GI0kSXx40YdohoYsyzxy72P8+44XEAgMAYYukCTzfZIkccxXSZJQZAldN8KvC0CR5fD7agpDCAxDIAFylf4YhsCoOI9QPw1DIIRAliUMAQiBosh/6XgCcMggSZBVloNLdZPoiMCrCxRJIigMEKCjo0oqEhKKBDYZDpUXEGmPJFJV8emwp3QPZcESmka3QJYkZElBooYv6FmCrutERiuMvG80yY2TuPiii2nbri12u72mu3ZW89d+jRYWmAO70y4RlSATGSsTGSUT4ZGIjJKJjJGJjK74N8IcXCOjZSLcEpExMlFxMooCNXn7dHT/ZdnsjyRBRIS5vWo/Izxm3x12icgIicjovybEAgObDLtLMug9qxdtpjWl7dQmfL57Am6HxDULr6Det7Vo82MTmk+uz4S9X+CyQ0mwmGsXXEuzKfXo+ENL5h5agE2F25eP5oJ5ffHpXiJdKgoS1t2oxdmMWtMdsDi9EAZ4PDI79hSzYNleYqKcxEa7cDpVSssClHuDOOwK/oBOXIyLzm1T+PGn3cTHeTicW0JZeYBB5zYlOlLFH+CkW2bCMIVpx54ifl64m9hoJ4PPbUqER6GsXGfp6oNs3JZNZISDC/s1IzrKzoLlBzhSUE6z9EQO5Zjn0LNzPVxO1bTQ/uiYQmBXYH3BOsp1L1POn8KDKx7kqQ2Pc3WDq0h2p/BE26exKw7uXn4bUbZoJBuM3T6WiTsnMKHfN4zdNpbrF1/FvuH7GZk+mjHLbuCngzNRJEG/2gOJd8YSNIRlmVmclVhCZvGn0Q2B0wNzftvLVbd/jaZJuJwqufkFnNu9OQuW78HjclBc6icqwg5IfPvB1dz39Ez2H8glJiqK3CPF9OiUxpSPriMq0oGmnTwx0w1BhEdi+tzd3PTAVJqlJ3Aop5APxi9nxhcj2LIzjzsfn0aDlHiWr9vPlFlbmPrpVbz2wWKm/byEMdcM4NvpG7HbFJZPv5XIiAh8AWFac4AsH/9EZEnBG4QByYO5MOVC3C4FVkItRy1kSeL1zq+hOmHqzlnEOmPoV+d8jAD8kj2HrnW7c3WLK3CoEVw2Zwj7ig+SGlEPERA8suZ+DhUfZHSL2xjXfSwB3UCSlJNzMS0sTiEs16LFnyY0TD/9xq84nCp7ltzHium3c91lXbnl2s4kxkXw7D/7k5oczb//0Y+4GDd+v87oqzohBKyfcwdTP7qexat2MGfBbhxOwvNRJ6v/hgEvvLOAcq+PAb0b0b5lCguWb+HHn3fTtEkc557TkDq1okiuFcWKdQcoL9cZ/84l3HHDBUyeuZIOrZJZ9dNtJCVE4A+Y81uRkRIRkb+vxoYQuBQbblXhxvmj2ZC3jne7jkORJUoCfnS/4J3tr9M+rhMJzgg0Hby6lxhbDIau45ScyMj4dC+a0NCFznd9f+Sf7R7lh8wplAQ0VFlBWE5Gi7MQS8gs/hoCvH4Nj8tBYryT+vU9PHhrL1o3S0KSZFLrRONy2KiTFIXLZcPlUlEUM+hDluWw+aUoMjXhBRMC/AEdt8tGdJSTXl3rc/dN/WjVtBZPv/obH329mgvObUTbVnWw2xXsqkJEjI2EuAiEAM0wcDpUVBUkJDRD8PGEDXz81frftSwlSSChc8vSO/l+/7d8e96PSBIU+f1E2h0cLMtnyeFFDEu9FBDYZUiPbMyG/HXImsKGwrUYikEdV20QYHPY6BLfgbruFGyKik1SLaeixVmLLDAjqqyH9Qg9Qogq/4YekgL3jT6HPRm5NOz+Jq36juXcKz7m1XGLOZSTybivV5KTX8rYL5ZzILuIL75di2EI/AEf7Qa8y/Cbv6RHp6YM6JWOvxzkkzhJJgDFBnfc2IWCQi/TZm/m+1mbmfTjJnTdwDAgEPTx/cxNrN2YTdahLL6dvpk7//kTT70+kauHdWXBsr3U7/oS23cdwRkNGVmFjH7wK5auycLpMQNJjkYTGm67zAubXmLcineRJIl/rLiD3rO7UaqVoqrw+e6P8fq89E06D02X0ITg1ia3kefNpel3zXlk1QPc1ORmarmjeX3LSwQLgzy+7gk+2TWOAzlZTMr4GrsKhjBO2vW0qP6bqenf7dn8sObILP40iizhK4VrL25Fvbq3Mee37Tjsdi4a0BRdhw6tE0hOiufai9uiKjI+v0ZKWgRz5u2hQWoKLz7SH00zGNCnCZEVwR4nmFb6n/W/vBRuvLwNDVJjmfnLdlxOO4/f25cWjRN4/J6+NE2PZ19mIddc3Jas7K40SU8gJtpFq6Y30rF1Gud0TCUvv5wIjxNZgZ9+3YHL6eGJ+/qiBziulSlLMgEN+tU+n9oX1CZAAF/QR1pkPaLt0QQ1aB7dgjd7vkeDyIYEDDAE9Kx1DnMHLWLa3smkt7if69JvxK8JRqaPYWidS0iPbUSL6JaUpJfQIro1Qd08loXF2YYlZBZ/CUmCcq9B72516d2rLgDCD0JAx46JoAEKYABuWL4gmw/GL6OoxM+k6Zv4+p3hAPj94oTBEf/r/peVC/p2T6Xvuamm8PigrAwiI+zcMaqj+asIAioIH0gqYGuIUQ6dOyeBCt4CEDrs3neEW0Z0J62+h5J8gaIce04yMkEDeiZ1pmdy54qOAAZ4AxDQ4dK0C82+aWbkoSxJlGuC3rW60LtOFxDmvpqAK9MvNicFNMx/JTA08Or8V1GLQpht/JV3htIVjmmHE2z/C+3/N/2xOLuxhMziLyPLEiXFApdLQlWhtMwUJVUDBPgDBkhgK4PICCcvPTYYAIddpaRMw+lQa0TEqvW/VECJGRohSxKyLCHLEPCCPyBAYCZBKxJCgDAqEqLLzdcURcZbAi8+OhC7KlNeRDURM4SZbC1VjOoSUBo0MCquDRVCoEgqsgRahSApsoRR4R2UJYnSoI4Ihp7LSEiU+HWzb5KMQIT//j1rTJIqxSckOKJCMVTVDILRDRF29R5v/6ooCuF+mq8LVNW8VppmXqsTta8bItyowDxnM2He7JNNNRPPdb1mbnYsTj8sIbP4y+iGQHXCsjWHOJxXykX9m+D3G+zYU4DDbiMlORJdFxiGTOMGMbRo0c58owBv6fEHxpNNhUEU0hRkGQ4cKqWoxE/9lBhU1RQ3STJNAwNzkJUkKSxYwhCoioQhRHgQDlUJcTsldAMCVXLlqolNuCIKaJrB7owi/H6NeqkxRLhtYZFAyOZxkZAqjqtIZnSibggkzOOd0BIToNoqrrkA3agQJwMcdlO8c474cDsdeNwSfr+5v2GYbt/w/qHPTBIIIVHu1XC7VHQdbCrY7RJ5+UEkSSIuRsXrNduXZMg94sPttONxy/iDEBktgZDM0UeAvxSCQVBVcDok8gqCOOwqkW6JMu/JzzW0OP2wHOoWfwkhzDtoV6rM5FlbePbtX7F7IOtgMX2Gf8htj0zDHSPhccuAwB8QlBQY5qNInBIiJoSZTxaq7BHhlrCpcO9TM+lxyVhy88uIqCNXWBVmAIfbJREZLxMZGbIcwOGQ8ERKqKqExy0RGSejKuCww79fX8DU2dvxRIUsn2MxhMBhh72ZBQy67nN6XfY2C5btw+kBTTcwDIHLKREVJ5uDP4T7Y7dLRMWb2yMjTavn6MPouoErGt75bAV1O71Is3PfommfV7nnyRm44mDdlhy6XPQBzfq+Rreh77B45QFcsfDoi3Op2+kFmp/3Fs3PfY2X31+Myw3BoIE7QuKFd36jxbkvs2l7Di4PHM4rZ9B1E0jv8Sqtzn+dr6ZsxhUNazbl0OXCD2ja+zW6Dn2XFesOYZPgjfdX8q8X5vPPJ35h7EdrKCj0Y3eAYej846mfadj9JVqd9zrfztiOx338ABoLi6pYQmbxpxHCvGvOyStjxoTdtG5aizuu70ZhnkbjptGc36sxB3NKWb/mMCvWZmO3SaiKhKzIKIqMcoq4iRx2icUrD/H+R2v5+rut/Lo0C8UB117cBr/fYNHKDKZ+u40jBV5UFTxuiU3b8xn/9RZ+WbAfRQG7A3btK2TarF0cKfCxbnMekyZvo6DIhxDwwfiVzP51J16fjqYZx7WXZEnC6xM0bhjLl28OJxCUKfcGzV+lMCuQbN9TyFffbGHOLxmm61Ex+7P/QCnjv97MjDl7+GVRJkcKfMcRM7N0lRBw1dA2vPhwf4KaYVqadvD5dC4d2JJfJt7Mvqwi3vtyBZINVFXhlhHdeOLe88jOKSUqwo4kg9sts2ZdLmM/X87hPC95+eXICvh8Gp3a1GXhtFHUqRXJE6/OQ5IgENAYPrgVC76/hd0ZBbz16TKUCJg8azPPvf0T8xbv5o7HpjD8lvEY6Pzw805e/+hnnr5/AB1a1+WmByZzMNuL3SadEjdAFqculmvR4k+jC4HNAb8t38fDz89CIFFSEqBj62Tad04gNTmaKbPWcN6VX1BUXMqNV3Rm7HNDzDJOp4B/SDcEngiJ737czg33TqJfj0Zs3XWYWvGRLO0zioQ4D5IM/3xuNnn5RQwf3JZvvxjOW++s4sHnZ+B2uigtK+Oi/q2Y+OFl/DhnO/98fhrtW6VRWBRgb2YWbz19BUtXZ3GkoJBvp29iyqyN3DmyB/9+oDelpeIYMRcC7DaZxg0SsKk2c6NhisankzZw57+mYlMdlJV7GdCnCd9/dBXzFmVy1R0TKC8XuN02jhTk8PW7o7jqkmYEis0kbTDn7HxFcNfILtgj4cihAP6A4NJBrRDF0LV9Hc7pVIfHX/4Vu11m+JCWGOXw7/vOxZkI65bl4XY76dczHaPC9ff4y/O47boufPPjRtwuGwioWyeKZx7rw4dfrGNPRiH339IT4YeuHZI5p2MyT7z6Kx6XjUsuaIHsgjHXdGbtpkMsmDyGeYt2M+ymD5gzbx+LV2aQnFSHe+/qTM8u9Zk6ewOrNx7kokHp+AuNv1yo2eLswRIyiz+NKkv4vTC0fzMGn9eQXxbv55o7JwFm0ITXG8TpdDPzyxHMW7iHx176kWsubsu5PVOPO4ifdIQZbFBU7MPn92K32xh8XlO6tKsHsjlXpWl+xr14Ddt25/LSewvZv6uMR/4zm3PPacz4Ty9hwvjN3PPEN/w0pwN33dmZr6auo7DQy+SPrkHXISkhkq4d6rJwxW66tEtj1HVtaVQ3CS144pw5XRd4fcGK1QEEhiIoLtF54Jmf6NAqlSkTrmT6D7sZef/nzJjbmfe+WIGqKuxZcicFxUEefXEWdZIi0Y9X7ksCr89AdcHHE9cgS9CxdR38ftO6O3i4nFUbspAwKCsPgAE+v46jXOa9L1ZQOzGCZumxyCp89d0WFq3cx+irOvLelyuYMW87rZrUIiLCRlmBwfI1mQgClJcHKwJk4NARLyvWZSFJBqVlfjCgpNRPUNM5kl9Ov57p2FQX2/fk4vUFiY5yQtAM+JDlCgu15u+BLE5xrFsci7+EEGCzySQmuUmI84SjyiQV7HaFqAgXXc+pQ7cOaYBObn65Gb5+CviGJEkiGIAendO4Z9S5OFwy38/azJOvzqGs0CDSY8emuujZtT6N6sdjs9nQKkQmpU40CQ1cpKfFAVBQ5MWZKKPIMhf1b0n7c2vRqV0tkhJcdOlSB5fTQd060Qy+ogmqolBUHEQ5QRlEu1vC7bKjqjIOu4ocIaHrgpIyP3VqRZGQ7ia9Xhwgc6TQS5k3QEyUm9opbpq3iObpBwbQtEECwROIparIyLrMtzM20bNzfeJrmedVUBggKsLJnN9G0LpZCq98sAhhgN0u4y2FGb/sYGCfxticZiTlodwSUmp7eOOTpZT7Akyfu43CUh+BoEZRaYCPJlzEqKu68+LYBXj9BsWlASI9Dn5eMILGDWrz6rjF4ACPy4aqyLicKlNmbSGoeWnfqi716sawOyMXX6nE7owCDEMjpU40IlgZ/WlhcTwsi8ziv0MDKqL1bHaVrF1lfD1tAzl5ObTu/j57MvNo3CCN3l3SCJSZa37VNEIIbG6JT79Zw7ivFnP/7X3YtTuaPfvz0HTBB1+tJKgd5t+vzWPv/gJyj+zht6V7+OdtvfnP2Dls3p7N+q0HadEkjWGDGvPoPb+yZtMuNu84zKJVe3nlX4Po1S2VYKmgcYN43v5kAfMX72Ff1hF++OR6+vaobpkahsDtlnjutcV88d1KyspLuOvxqUyc1pBJ71/OA7f05IV35tClfQHbdufQqH5tLhvcDEWGUQ98TcueY3E6bGzZmcOcr27knE7JlPsFUhXLVxiCiAiZZasPs2r9dj548VrQweOSePHdpXwycQXNGyexcMUuHrytH0jg9khMnLqVA9n7uaj/ZWBAaYnB/Td3pV/PdP753Gz8/hJqJaRRp7aH6bN3ctujk+nYuh6/LtvJ+b0a4YmXee7JJXw6aTmtmiazYt1u/nnb+QSOwPvjV1DuzeecYR+wOyObQee2o2e3uiQlunll3K+0GfA2B7ILOa9HCzq3q015uRWGb/H7WEJm8ZeQMF1hmiHIOlSMrgdx2lRcdhsP3tqLhDg3ezIKMAydG6/oSK0EF17/ya3gcSIkWULzwsBzm+CwS+Tl+OjTrR7vPjcMd4TCgD6NadM8jnoptfB2CNKvZwqNGyRw/fA2tGxSi+Vr9zPsghZcc3FboqIdtG6exEuPDcMQMj5fkOSkKAwdhJB466khdG2fis8fpE/X+nRul4K3nGruVUmS0HVo06w2117SjqgID2VeH9GRboJBePK+c2nXog4LV+zlov7NuPbidkR57Fx/WRvqJkUxe8F23E4Hbz41hHM6JqPYIcpe5UJLgG6mAUgyPH7PEIb0a4rfZ7484tK2yLLEvv35vP3MJVw/vD1+nxnIEh/j5sn7LqFdyzr4fWbunaaBx2XnnA6pXNAnHV0X+MoEvbvW45E7z2fdloM8emc/xlzTiUAZjLikDTabzJ6MI7zzzGXccEUHAqUw6qpOXH5hC/x+QVrdaC46vzmSIdOicTxzxo9h/JTVJMZHcsuIztayNBZ/CsmwVoi2qELQCGKvWCEaSeKjiz4kWLFC9D/veoRXH/kPL7y9hM8mrSTzYDGd26Ux64vrUBQZRxSVyVmAVga+k1yG6g8R4HCA4jb/BrMySXk5eKKprOohY1Yo8ZmVQDzRUtgRHyg188MiYqi8FZRBKwJ/wHxqt4PNU9GOH7xl4cNV744ATyTgBPSK/Q0oL6h4LaqiHxIES832JcygFUKLEmuwa1cJK9dnmZZLRWUMIQROu42+5zQgKlJBdpg5W7phtu10gOKpOC7gLSGcWuByguyo3Bbqq90GtpiK90hmhRNZBkdk5fUMVOSFOZ3Hb98dXXGesnmtvSWVydVuF0gO829/KSd1mZ8/w9ErRA+rWCHaYbcf9/O1ODlYFpnFn0aWwFeuMbBPOoosqJUQwaC+TQCBz6dRVl4RZl6RZSzLEpIscaqVsQ2WCYySUI0lM8lZliUKjoSqZEgVFTOoqPghUZAXKmMBsmImShfkiWo5YopSuXJ0eblALzVfkyUJ+Tilq0IUFohquVKSVLE6gICCI+ZxQ/l7IbdhQYGZ4azrgshIme27D/PqB7+iquZin5IEhm4QG+2mc7s6qKrdjGis0sfSiusgVZyvIleuSFBSar5WdRtAuQ/0A5WfqFoRSVheboTbCSWFl5YJ9JLK6xlqqyDXqFbOquoxikoEorjiusl/bSXuk4Gu62iaOGFuoEXNYAmZxZ/G6XTijFZp3z2J9v2SzDvtMqqXyLA4uVRc9yGDGzFkUKPqEX4Vlll4m/X5/P/RVYgBp8NpidkphCVkFn9IqETSnn27+fDjzzAAQxcoimJaJ9Y8xt+OBKiSDU0E/1B/hGyqlSKME7ovLf4ehDBwumS2795Gn0a9rGVzThEsIbP4QwSmkD3670fJzjmEhERmVibr1q0lMzPTujP9m1GQKaOcmfJMBhuD8OBBD01KVUESgoDdTvrevdgDAbY0aYojEEAc7Y+z7jP+NiTMG4MGzeoRG2OmYlipATWPJWQWf0joh9qyRQtatmgBmF6qtq3bk5uTU4M9O/MQCGySjSPBfJZuXcbI5qOIt8UTFMFjLF9JGAQ9EaQsXIjq9bJvwABsZaUIa02y/y0SBINBFEWhbt262FTV8trWMJaQWZyQ0BIhoYduGBU1PMwAhvRGDUmuW6eGe3lmIYTAJtvIKc+B9YJWrVpR25NEwDhWyDAMREQE9oMHkEpKiG/fDqm01AwjtPifY7fbiYyMPLXCKs9SLCGzOC4SEoqsIEkSDsWM85aPKk0R6Ykg0hNRE90747FF2VAUhYTEBGKcMb+/c3S0OZi63ebD4qRhWWKnBpaQWRyXoBHE6y/mQPEBAkYAVbYdf0drfuxvJRRoeMSXT1mgDE3XzHXEhHHsXIxhgKIgVSR/CQBdtyyyk4VkhTmdKqjWMGRRjYrBsme93jw4/X7a7WtnRWadZGRJxtAMWiS2INoRjTCXmqYiy7l6hrJhVGYTU7Gf5eo6aVjj56mBpFshZxbHQQaKAiVWRGINIFUkh7lsbuyy+ocJ5dKCBXD4MOLyyyuWdrYsMouzC8u1aHFcDCDaHlnT3TjrOUbESkth1SpTrAzDXCRsyRJo2NB83brxsDgLsYTM4oToluOkxgnPwuhmwULpyy8hJwfS08NzZNStixgwwNzPssYszkIsIbM4IdZU9ilEKGLUbkfccgvUrn38/az5MYuzEGuOzMLiVCY057V0KdKPP8LGjVCrFjRpgrjjDjPc3qxubImYxVmLJWQWFqcymgaqijR+PNJ111VuT0vD2LYNXK6a65uFxSmC5VC3sDiVqXApissvhxYtwnNg4h//MEWsYu7MwuJsxpojs6hxLKfAH6Dr4HBgXHEF0r//DfHxGMOGmS5FSbIiFf8EVmHfMxvLtWhRo1gugb/A/v2mVTZ8OHz2WU335rTCSuk/s7EsMosapbS8nPz8fFS1+h2zqPiPBGi68YdGR2hlZ0OI8N13tZvwo95/2t29VYTay3FxiFatEPv3V4bfW/wusbGxRERYNUHPZCyLzKJG0HUdm6Jwzz33EBUVTVmZQNcNQhITqrRkSILoSCc29fdsN4FdVSkPaLhsMkHdbMPQq1RskqTKv2XJrOivn4Zf/bIycDjMRGiL30WWZQzDICMjgw8/+qjaTY7FmYX1a7CoEUIDSp3kOAztEiI8Ci6XDc3QMRAEgwZSAByaj5zScp5+pffvtrc538/WQp1BDd14gKle+CIHIovAn6+hF/nRCgJQHqD0cIDmKW7eGhN/Es7UoqZ57NFHzWLMloidsVhCZlGjGLpOdnY+rz0uUVRrL4tIJEhPtHXR1NsM5yil/HPGDLyahg0wBMih8UjoGLIDJf9DvvypBH/EQBo7k2lZK4KMrCBpfnAdDKDixVsewOnRKBcaRoROyeFSvL4obOppNriFAjws/jS6YYRdz6ehDW7xJ7CEzKJmkcDmcFCevYztcb/wPc0I6C3RVkXSfS50MI5g8/tQVTX8ZTWXOtEBB8aRL9Hyl3BNkQ1P1yGkJ8cAggRJ4zy7jZZ9XGzZG43RUFB4SMLeHCLd8P2CHAxkVNWaYzpTERWuxLLycrZv20b9+g1wuZyWmJ2BWGt0W9QMoe+dEGBIOAI7KFQXsZxyvIqP4D6ZWotBD5ThTy9CBbIPBnji31k0qA9lXhvNkj9nxNBMChc5WXCoOXu/2M6ggXB+z6ZImsbSbQbJdVws3yB47bM8HrujFj/M8FKSL+jWrWonLM5kiouKWLpkKZIk06RJE8vFeAZiWWQWNYqQZCTNR17WLjLqFrJP2oc/mAUZcWRmyexmL8V1S5CAQ4f8JNeTyI+30yZ6GiP6ZrLmIz+vrOiC0aAXqWn5HMjNA5oiBw2OlJczc65Kr1522iVAs0ZF1IspIzJCZlMxBDVrQDuTCVlkXp+Xw4cPU1ZWZgYZ2VQr9e4MwxIyixpFkmUMrYyVGwrZ4pVA8iNpqyC7gCOSwnzWkS+ZWUA2u05QltmzbSUPD/meHZPqc8e3LVivNcJYspkRt8bhiTBXslYMg3Kfxvc/GTz3tOAz90SW+L+jyChhubMF9offRJENwHItni1YltiZiyVkFjWKhIxu+FixOY9dRwSyXI5irIe8QxSpKivFDsqVZgAIEUSyKxi5a3j9dZnvdnVklz8Npy8HX4kCCJDNkk15uQGevKk28+rLFPugffPL2bm6BU7dR6P4aFYHdXTDGtgsLM4ELCGzqFHsNpW8wlLmLg6S43Lg9ZWBsQKy7WwxZPZyiCYl9QCQVBvFhZm063Ylu7KvoldXgz7+EvyBaBQhsEXm4guY+WZuu403Z+QTpSq4IwQTMyNQ03ojI6EHNTIPHCE6wvr6n8nIFXUpLUvszMf6JVvUCKEpipLiMjp0TsTh/jeSJKEFg0gYIBkgC3QRoEFaXbKzs1GVAIY/C6NEIj0mgJACGJE6yAFUh0be4VxqRfQhOzub3vV1Nu/3IUkCQwMMA1FigGSWLry4s5vcw4cxrMmSM5bQHJnf77fE7AxHtX7GFjVBqKDM/sxsmjZZRefOkRiGUT1HSpiux6C2n/fffx9FkWhS14GmCRCS+dAAJIQfYqNcrFm4gCXz5iLLEi6bhECi4v+hJpGALcsNgtrJ+/YLITAqCv4pyt87qBrCCF9PWZaRkCq3SZjXUZKQJbmyL8IUdUVSKttAhJ+fSRw6lI3NbscwDASEHxZnDpZFZlEjhO6Q6yYn89BDT9RwbyzOZLbv2I7P5wu7Gi3OPCwhs6hRdF2jpKQEu915zGuybNZH1KvURDS3SRV1Gc3nQoiKRZIlZLlmXEimxSXCYd2SBIoiV2wTrFuXzbffbiQhIZIxYzoSEWHDMES4v0KYltpfcYEJBKqssiNvB/N2zyPKFcWQxkOIcESwO383W/O2IiMjEDRLaEajuEYoksKB0gP8tP0nEiMTGdJ4CEIIJm6ayO4ju7m1863EuGIAUOXTe3gwDANZltE0zXItnuGc3t9Ui9MeISScLjs21XbCfY5XH/d0qMgRcveZrkSZuXMzWLfuEJdc0oK4OPf/q21DGCiSwvrD6+k8rjO13LU4UHCAS9tcyuQrJnPnT3cyb+c80uLSyDiQwSMDH+H5fs+TUZhB/8/6k12WTYm/hNu63cbYwWNZkLWADxd+yPUdrifJlvQ3nH3NI0mS6Wq1ROyMxxIyixrF4VTYueMIb7+9DiEMiov9JCS4yc0t5T//GUBSUgRvvLGEn37aQ/36Udx/fw9atarFP/4xm7y8UoYObc7evYWsWZPJDTd0ZODARtUsnZNBKKhg4sRNfPLJWpxOlXvu6Ua/fg1QFJg0aQvz5+9l8OCm7NlThM2m8P77q5g/fxeXX96WHTvy2Lz5MC++2J/U1Ohw//9MWUWH4uCx3o/xZJ8nueene/hw9Yf4gj6e6PMEH1z4ATbZRsdxHelVrxcAn677lF35u8h5OIdJmydxx9Q7eKzXYzzY/UHGrx/Po788Sl5JHv/s/U/6N+yPIYzw3JqFxamKJWQWNYowBA67ysSJm4iOtlNaGsDjsVNe7uP991dRVORn7NgF3HBDNxYu3Me0adtYu/Z2Dh0qZeLEhVx8cQuWLcvi++/XMmZMl5Pef103UBSZceNWc8stU3nwwd7s21fA+ed/yNq1d7N1ax7XXDOebt0asXVrHl5vMOx2nDRpHQUFfjZsyKN581js9sqf4x+JWEhcmiU048k+T1ISKGHypsn0rd8Xh+qgV5opXOM3jEcTGn3r9wVg/eH1tEtpR4I7gT71+yAjsyt/F3Ui6uAt9XKg+ACFZYXcPetuNty2AVVWEQgkLKvG4tTFEjKLGsXn10hvVIvOnevSq1cqu3YdITHRg2EI1qw5xObNuYwZ05Nx4y5k5858mjT5D3Pn7mH8+EuZMWM7JSVBCgt9PPRQf847r0FYWE4GQlQGrXz33Raio50UF/ux2RTq149j+/YjfPjhaho3rsvSpaOZPHkrV1wxCcMQjBnTgZSUaAYP/oBzz23FL79cX9Fm9Xmz3xOzkCWYV57HwC8HkuBKYPKVk5EkiYAewKbY+GjtR/RM7YlLdQFgk234dT8AuqFjCAObbEORFSRV4uvLvmb1odVc+d2VlAfLiXZEV0Y/Wlicolg+A4saRVFkfD4fubmlZGeXUlIS4PDhMvLyylEUmbg4F/Pm7Wbr1jwmTtwIQGKiG0WRuOGG9owcOZEdO45w111dMIyTu3CiJBEO7qhfP4aiIi+9e9fj6qtb069fY5o3T6BWrQgyMwtYteoQv/yyB8PQKCjwcvBgCe+8s4xOnRqwe3c+b7+9HJ9PAyQ0zWDkyGlcd9331QJdqhKaf8sqzqL/F/3Zc2QPD/d9mBcWvkBOWQ52xU5WURYL9yxkWLNh4ff1bdCXLfu3sDhzMZ+u/RTFrtAysSV7C/YihCCnPIcDxQfQdI288jzzWFawusUpjiVkFjWKy6GyceNhtm3L5Zdf9hII6CxYkEF+vpfNm3N56KEeCCHo2PE9nnnmN/7xj34MGdIYIeC++7oRE+PmmmtaU7duZDVr5mQhy6aYPf54H3r3bsgdd0xn9OgfWLp0P7Is88IL/ahXL4oePT5g9uw9OBwK33yzhddeW8bMmWu46KKWxMW5uPvuKSxfnoUkQUZGEZ99toQGDWJRlMoIzaroQkeSJH7c/iPr9q9DsSmMnjKaN5e/iU/zATBl2xRsqo3zG54PmAEiI1qPYEirIfT+sDfvr3if1we/TrQzmo/WfoQj6GDsyrFM3DwR2SvzzaZvgErRtLA4VZE0q7SBRQ1gGAY2Reaxxx7jkUcew+sFm01GUUyLRFVl/H6dhAQ3Pp/Onj35xMa6qFMnolo7Bw+WEhfnxOFQT4n1JnfsyENRFOrXjwknPnu9GhkZBaSmRuP16rjdpkff5wvictnx+zV03cDjseN0qrz44iJeemkRmZn34/HYwi7E4+HX/ZQFytAMDQCn6iTSEYmExOGyw5QFy2gY0xCg2lzXpsObiHZFkxqVikBQGijFH/TjsrnQhEZQC+JxeMIuydORUPj9FVdeQdu27Rk4cCCtWre2qt+fgVhzZBY1ihCgqhKJiccOmJGRYBgCp1OhRYtEgGNyr5KTI455X00QEpsmTRKqbRMCXC6VZs3M/ns8le9xu82UA5dLDe8P0LBhLG+/PQSPx/aHEZgOxYHD5Tjua0me6mH0EhKabiAj0SqpFUA4KjHSHkmkPbJKw3/inKu4HP9sMEi1KiRSZWj8ibb/VawFtM9OLCGzqHGEOHYACt0xh8LQTaGg2qBuzlGZRadqevCSpMp+hp6bD6r0v6JeVJWCWaEBu6rVdcUVLSu28adcpYYQSKE+VLG6BGYydtXwebUiEObo1wTi6K5VlPaq7F/V63z0cXRDD5fH+j1kST5u4MiJtv9VQte7pr8PFicXS8gsapTQXb0Qgi++WE9WVgF9+6bTo0cahmEOnoZhVBG2SnGrnDsSNVrVI0SoigeY/QxbG+H+i4rQe3N7MCi45JKvuf32zgwe3BhdFyiKFK4Q8mdrMsoVxwkEdGw2JSwIhm62Y2CEq6R89NFaDENw3XVtsNsVhFRxTL36XJgkSdWOf7SFJCGhCx1FUpCQUGQzQV0XOghQZAXN0MKvGcJAQmJf4T6mbJlCcaCYmzrcRFp0GoYwyC7N5rtN35HnzeOGdjeQHpcedpeG+yOZ7RjCMPsjzO+PLMnIkoymmdfZZrOm/s82LCGzqHFC+vPrr/v47LNF3HxzX3r0SEPXBTabdEw4feiOW1VPrQHLHPgrB/yQlXWidACbTUaISgEOacWfFeRQ+zk5ZVx++bcoisH77w+jSZN4DINjjmsYgk8+WcvKlQcZObJd+PpViuaxxw0EzKCSZ575jeS6kYy6qT2KIvP4r48za/NMCkUhduxc2upSHu/9uDmnVtFMqMRVSGwAhn49FL/mp13tduwt3EtadBqyJDN80nAOFB2gS90u7MrfRcPYhseUyAq5QcMW5lHdffPN5Ywfv5xrrunCgw92R9cFVnnFswNLyCxqFAkJwzAH708/vZhNm3KrTcTruuDjj1czefI26tWL5IEHetKkSTz79hXy7rvL2bgxl1q13Dz8cC9atEg86VU9oFJQpk7dVlHZQ+Huu8+hZ89UAgGdsWNXMXfubux2haSkCN55ZzCSBP/61y80bBgZniP768c1xa+0NMCCBfsYP/4yGjSIrbBk4dNP1/HNN1tITnZz7709aNOmFvfe25UxY37kqad+o7zcz/XXd6B9+yRefHERZWVB/H6dTZsOM3p0Ry69tBl2u2lprVlziPLyoGnxAW1rteX5n5/jveHvkVmYyfNTn6drclf2Fu7lYMlBHun1CE/9+hQpUSnc3/1+CnwFvLL4FTYd3sTI9iO5tOWl9KnXh9JAKW+veJul+5dyeavLubbNtVzQ6AIA5u+bz7sr3iWgBxjTcQwXNbmI+fvm89nqz7is9WVkFGQwfft0Hu39KH3q9+H669vw1VcbWLIk62/4VC1OJ6z7FYtTBk0zCAS0sIvOZpN54IE53HnnTM45J4X167Pp0mUcOTll5OSUsXHjYbp2TWHOnF3cdtsMgGoieDLQddPN9emn67jkkgmkp8ehaQa9eo1jy5Zcli3L4r77viYtLZqkpAi2bctDkkzryO/XeeedRcyYsbMiMKSy838l5F2WJVwuOy1aJGKzyciyxJNPzuemm36gc+dkdu3Kp3v3ceTmliPLMiUl+UyevIVp07bTt+8HbN9+hIMHS3j22R+YO3cPJSV+Lrvsc+bN28s776zgwgs/Z926bH74YTsXXvgZX325mT6Nz8HudvDr3l9ZnLkYT7yHFrVasPbwWl5e9DK6oTN3z1zeXP4mAPnefH7a9ROyIvPrvl/5dtO34WjJH7b/gKzILM9azsRNEwnoAX7e/TP9P+tPjCOGBHcCQz8Zyuxds3EoDiZvnszlEy5n8rbJHCw6yJa8rQAkJnqoVy8mLL4WZw+WkFmcMqiqjKLIqKoZKOH1anz33RZSUqIoKPCSmBiFx6Oyd28hNpuCLMOmTTlERTkoLjarVZxsV1Jo7mjixE1ERTnw+zWcTht160ayfPkBWrdOon37JkydupW1aw/Sp0/9ikhNmVdfHUCzZqnY7Wo4MOTodv8shiEoLw8C5g3BN99sISUlgqIiH3FxEURH29izpwCXS0WS7KxcOYaNG++gpMTPzJk7uf76tihKFDNnXsPChTfhdLqZPHkLqanRtGqVhMdjJybGRevWSSQleigP+BAIgnqQ9Nh0hE2w8sBKRrQegcvuIsGdwI3tbsRpcyIhkR6bzvRrpyNLMl8N/4rPL/kc3dCpHVGbhSMX4lAcjB0ylq8v+xq7YufLDV+iSiqKqiCEoG5MXZZmLaV7anf6Nu5Lx9SO/HrDr2y8ayO3dbo1PK/o9+tW3ttZiOVatKhRREXknterkZlZRFlZkNzccjIyCklOjqJWLQ9ZWYUMGtSE/PxyUlIiSU2NYvjwb9m2LYeVK2/m/vtns379Yfx+HYdDOalRa6ExMyUliuJiLz17phEd7SQqyk7btkkUFHjp3DmVPn3q8913W3jqqekMGdKItm1rs3t3PqWlAQ4eLCYjo4jatT04HDK6Lrjzzhn4fDoffTT0Twd9hM5ZUWRq1fKwcWMJAwakU14eJCHBRXJyJFu25CBEkPnzM1BVGSH8xMY6KS8PousB3ntvFfXrx+DzldKkSTzDhjVl2LCmrF//Fc2bJ/DCC6bbb2nmUoJGgFs730r9mPp8ueZLJm2exN1d78br9bJo/yJm7ZqFP+inNFCKS3WxKWcThjDYnLOZ9Nh0EtwJ6IbO+sPrCRpBtuVto32d9iRHJtMgtgF+v5/2Se1Jj0sn0h5Jx+SO+DQfh0oOkehOZG/BXuLd8UQ5oirm4Wo+etWiZrCEzKJGMXSBw2Xn20nbGTnyW4JBmb17C5g/fw9r197GuHEXcvXV3zBy5GQMQyItLQZFkRk2rCmbNx/kvPO+IDbWRWZmAT/+uJ3hw1tgGOJvX4X5RIQqe/zrX73ZvPkwd901A4fDhsejcM8957B1ax7jxs1ny5bW+Hx+OnRoRPPmiYwfv5G77voeXXcwfvx65szZzS+/3ECTJvFkZhbx/vsL+ec/+4cre/xR/UhZlqoVHX7rrYGMGPEto0ZNBWTq1o1C1w3efXcV0dFR3HTTVPLzS+jXrxXDh7dgxYoD2O1OvvtuC3v3FnDttV0ZPboDmmZGhg4b1pTERA+aZkZAfrnhS+SAzCUTLyGgB6gbWZcHejxAq8RWpMan0vezvqREpXCo8BA/7fqJTsmdGD5pOBISd/5wJz82+5FpV00joziDgeMHYgiDR2c/yuzds5lz3Rzu6nIXy7OW89Cch4hwRqAaKpe2uJQXF73I+oz12N12Wr/VmolXT+TCJhdiGAaKLKOq1rItZyNWZQ+LGiFU2ePRRx/jiSceB1Ryc8sqVvE13US1a0egqjJlZUG2b88lMtJJenpsOJhj164CvN4gDRvGUljoIy7Oict14nXN/tfoumDz5sMoikJ6eixOp0pxsZ/Dh0vJyytH1w06daqL06lSVhYgP9+LosjhYJH4eBcOh8rLLy/m2WcXkJV1P5GR9hNW9ggFtuzZU0B6+pt8//2VDBvWDDCFzefT2Lo1F7fbTuPGcciyxKFDpaiqjNcbpLjYR/PmtZBliVdeWcwjj/zClClX0r59bVJSooAT52QV+gopD5RjYICAaFd0OKE6rzyPnLIcUqJSKAmUEOeKw67YyS7NNts0BC6bi3h3PLrQK7cLgVN1kuCuTCrfkruFoBEkPS6dCFsEhb5CygJlIJnfoVqeWjhUB4YQlJUGueCCL0hKimTKlCsJBs10BKuyx5mPan2eFjWBqPKvEAKXSyU1NfqY/QxD4PHY6NAhufK9FYNro0ax4W0eT80JGJjnoCgSbdrUrrYtKspBVJSDxo3jq2wHj8eOx2Ov1kYo2jA5OZLXXx9EZKT9d6MwQwLj8djp1i2V119fTMuWtWjSJB5NM3A6Vdq3r1PtuNVLfJnXOyOjiLFjVxIdbefee2cxa9aIaqtuG8KoCGoBRTHzxmKcMcQ4Y6r3vyK/K8GdEBajKEdU+PW6kXWPOQdFUo67PZRw3SKxRbX2jz6uMCoF3Vz2p4iLLmp63OsljnpYnDlYrkWLU4bQQA7mIG2u8CuFB1Vze+U8SGh/s6rGyQ+7r0qoD2YqQdVtxyYaH13B5OiqJdde2yb82tHnZFb4r6wcApCU5GH+/BvwejWioszaUub819GVRiqfV72eKSlRLF48Cl033YZJSREgSeH8PlmSkdWjc/lEtcofof2gsmpIqDqImbBd8TlWSIhEZf+Pt11CqmynYrssycdUJDELgpjt3HFHZ8aM6UhUlHmDcLLcyxY1jyVkFjWOEITnYqqiKGBW9qgUslDFDF03Ki2GahU1albMFKV6PchQyaTKah2mC/KLL9bjcKhcfnmLcFUSSTLD+XW9srLH0RU2jj4/XejhepROp4Jm6BjCnCfShV75PmQkTCEIV8bALG+lKArJyZGciAMlB1iRtQKnzUn/hv3NtcskCc3QmLd3HgD9GvSrTGAWphAdvbB0SKCOd92Ot920tkL7mNdOGCCExOJl+1m0aB/16sVx+eUtkSRwOlXcbgldF2iaYQV+nEVYQmZRowgBNrv8u1U6jhfocOy2mhu1QnNYmZnFjBjxPS6XwocfDiM1NSosalUFSNMMXnppMYcPl3Htta2rtaUocoWAV20fNM0UpSef/JU2bZK47LLmgITNplTbv2o1jKMrYwDVK2NAZTmrKtZwyAqWJImDJQcZ8OUAin3FHCw6yG3dbuOdQe+gC53hk4Yzbes0AC5tcSkTL/8Gm6zy3HO/8eOPGxg9ugdjxnQIl976K4RuUqpet9DNiqJIHDhQzBtvLEbXVQYPbhy2REOvWyuBnl1YQmZRozgcCnv3FPDZZ1sQQlBc7CchwU1eXimPP96XWrU8fPTRambP3kP9+lHceWc3GjSI4emnf+PIkTIGDGhMZmYRGzce4vLLW9O3b/2TXt0jNGdXUOBlwYI9TJp0FXXqRIT78euv+xg3bhVCwJgxnTjvvPrce283HnvsF557biE+X4AbbuhAo0axvPjiYiQJiov97NiRxy23dOb88xuEK2osWJCBJ8Iefv7BqnFsyF5Prwa9EIZg4b6F9G3Yl3MbnMvri19n85HN1PHU4R/d/0GT+CYs2r+IL9d+ySWtLiGrKIsZ22fwQM8H6JHaI1wCCirz2KKd0Xw67FO61O3C4AmDmbljJgyCn3f/zLS105h761yEEPT/oD+/dJrHBekXcP0N7fj003UsWZLJmDEdwgWH//z1NEV0yZJMxo5dSTCoM2ZMJ84/vwFg5uxt3ZrLVVd14JtvNuHx2Pn++63Mnr2dwYObk5dXxsqVB7jvvm40bZoYtuoszlwsIbOoUSTMKLa3315BRISNsrIAHo+dsjIviYkReL0aL730Mxdd1J4JEzYyceImVq68hZUrDzJ9+nK6dUvlp592MW3aaoYMaV6j52JW2HDQoUOdsIX54487uOyyr7n++naUlATo128ca9fejcdjJz8/h88/X0dxsZePPlrF8uW3smFDNl9/vZj27Zuh6zqDBn3K4sW3sGRJJkuW7GHPngK+mbiJdWszuO6abhxMzGDsrLHUubIO5cFy3vv5Pdpe35YDxQdYnrWc7vW788HyD9hbtJfZI2ZTGihlwvoJfL7uczqmdiSnKIfVB1fTI7XHMStBCwQem4cudbtw07SbmLVhFh9e8SEAqw6twh5pp1daLwxhEB0bzaqDq7gg/QLSUqOpXz8Wu/1YS/qPVisIWW/z5u1lyJAvufLK1oBC//4f8ssvN7Nhw2HuvXcKbdrUZ8OGQ6SkxACCwkIf48YtZd++YrZsOYLdDnff3e3v+3AtTmksIbOoUbw+jabN6tCtWwo9eqSwe3c+CQkeDEOwbFkWmzfncuON3fn002Fs2pRL69avMGfObr799nLi43djs6n4fDp33XU+gwc3+q/cWH8nul5ZYQPg88/XYbNJOBw2gkFBYqKTtWsP4XbbUBQXmzffQXZ2KWlpz/Prr/sYNao93323iYULb8TjsaMoTzB16jaaN08kKSkCm03G7baRnByNwyXzVM/n+GLV1+axhU6vDr24pdMtLD+wHI/dw44jO4hyRVHoKwRgYKOB9G/en/0F+1l80+JqfVek6j7NqvNWlzS7hN05u/li/ReM7jAam2xDVHFHGlRac0KIigobx16fygCPEyWtm0L35ZfrEULgdpsLj9aqFcGCBRmMH7+eQYNaM3PmtTzyyDw++mgNXq/GTTe1p2XLJLp1G0vLlnXZtOm2cItW4eAzH0vILGoUWZYIBgMUFfkoLvbj82mUlPgxDIHDoRId7WDVqoMcPFjCL7/sAQQREeZKyldf3Zbrrvua+PgY3n9/SDj6r+ap7ETdutGUlwfp2DGZ5OQIIiJstGxZizVrDqHrAVatOkBubjkQJCLCjterEQz6+OSTdURE2DAMHw0bxnLddW247ro2rF79MYMHN+Zf/+oNmKJxf/d/cN9P9yHJErOumYUQgpum3cSBogOsv309t0+/nT0FewgaQYJGkMMlh0nwJHCo5BCRjkgi7BHV1hcLtStJEpnFmaw9uJahzYYyd+9c3lr8FgDdUroRLAsyc+dMhBCUFJTQra5pAR0dmVmVhx6aS3Z2KR9+eJG5jMwJBC0lJYpAIEC7dkk0aBBLTIyDLl3qMnnyVjIyCsnIKGLbtjw0zcDnM5d7mTBhPc2aJVFU5OPtt1dw660dsdkUK2fsLMASMosaxeVUWbfuEKtWHSA/v5wGDWJZtCiTVq1qsWVLLv/+dx8ee2weTZq8SVlZkFGjejF0aFOEgAceOIfx41dyySXNqV8/5k9VwPhfI8tSeD0swxA88MA5rFqVxQMP/ITH40BRBIMHN2Hs2FVERHgYPHgChYWl9O/fhsGDGzNr1k7sdjtvv72CjIwCrruuG9de27pKhY1mNG+eULH2lkC1yVzf9nqeWfAMzROac26Dc5EkiYuaXMS7y97l3M/OxW13sz1nO3N3z2VN9hqW7lyKzWOjyWtNGH/VeIY2HUpQD4bXFDP7bqDICjuO7ODKb67EbrdT7C3mX+f9C4De9Xpz3TnXccmESwC4sfuN9K7XJzwvqChy5SKcFUqSnV3KSy8t4KabOmK3K8edywytNXfnnV1YsmQ/Dz/8M1FRTgxDY/DgJrz11kAuuugLWrR4m5gYN4WFRcycuZPc3HLeeutHHnzwEubP38fdd39DQoKTq69uUy2QxeLMRApalT0sagDDMLArMo8+9i8efuhh8vKC2O0KNptcUTNRxesNUr9+DAUFPrZuzSE+3kPTpmZicehOfufOfJKSPERGOmrMGgsNyBs2HKZt2/eYP38kffrUC+e2aZrBunXZGIagWbMEoqIc7N1biMOhUlLio7Q0QNu2dZBlePbZBTz//GKmT7+axo3jqFcvutr5Hk3IksoszsQu20mKSApbU5tzN1MeLKdxXGPyffnU9tTGp/ko9BaCBLqhUzeqLm6b+3fPL7M4k82HN1Mnqg5tk9pWs95WHFgBQJe6XcILXZaXB+ne/WM6dkzmk0+GhWtgfvbZOkaNmsahQw9Qq5bnhEE5oXPVdcG6dYfQNIMmTRKIjXUCkJVVQlZWIY0bJ1Bc7AuXzioqKicqyo3fr+HzBYmLcxEV5QxX9rjAquxxxmJZZBY1ihACu12lYcOI475uGILYWCfdu6dV7B9Kljb/btw47mR297iEBCYy0kHLlrV48sl5fPHFpdSrF4OuC1RVplOnqpVJBA0axFQ8qzxvsy7jCux2ibvumsnPP19XrcIGVE+IBsKJw6lRqVX6Y77WMrFleFuoGobb5ibOVf2abc7ZzOtLX0dRlLAIGoZBpDOSx3s9TmpUarj9o12QXep2qTipygLQr7yyBK+3lNatk6r1JzLSzssvD/hdEQtdz1CllI4dq183ISAlJZKUFDPvLT7eVXmOMc6jWrLU6mzBEjKLGkWSJDRND+dJheosVr4Oul45Z2MWiQj7rKoIm8RfC/L++0lLi2Thwhvx+TTi411omgZIaJqoVoUkJMIhQpZb/fpRzJ8/0kxSliUSEpzoug4Vi49KkkCIUKK1KSlgnrMhTNejWf0C89pUVMGoKnpAODrREAaKpCAJiShbFLIih6txCEMQoUZgGAZBLWgmUVdU16h6/aseN8Rdd3Xmlls6Ehtr9l+WBbouuOwys9xUMKhVWKrHryEZvjTi2OsG1b8P5muV1zFUTcV8bqAcnZRncUZiCZlFjaJpGhERnpruxt9GbOzvu+l+D1WFxo0T/njH46Dw3w/YLZJa8Nrg1/7r9x9NXNzvDys228kddmQrbPGMxxIyixrBrK9n8vDDj2Cz2/D7/Hi95fh8vgqr4ZQIQfxLhELSpf8mIVsIQnEJpuEpVbsEEgJ/wI2qBFGUYNgi+/8iqlhWR6PIMn/5c6hiKddsGKn5Hdq3L4NOnbtg6PofvsPi9MQK9rCocUpLS5EQHDh4iKVLlrB71y50Qz9u/b2zFSEkbPYAixZ2pX79TFJTDxII2JEk6+f7R3giIqhTpzadOnehRYsWloV2BmJZZBY1TnRkBBLgbhyBTVVp2bLlH77nbMMwwOXSCQaSadO2OS1bllBerljJvr9DyCrUNA2ny0VaWhqqImNF4595WEJmUePo4cr2EvUbNCC57rHrU53tGAa4HLCgrkLjJoJWLQ28fqtqxZ9FURXsqmqJ2BmKJWQWpwzmHbSE0+n4453PMgwDVBlsNrDbQVXA6bSE7K9gidiZiyVkFqcc1qztsVSGlB//bwuLsxlLyCwsTnWEaZEZFbEvvxcIqAvdygO2OOORZblaMJglZBYWpzACUGRwVrgQZRm0E0SRC8AhWwnAFmcHQVGZGKJaN28WFqcmApAElJTBxIkQ9MP2HTDgggq3IpXGlyEMVAmeXfgiUzZ8j65aOVMWZyBCora7Nm9f9C6NYhsQMMzlgyyLzMLiFMXQwanChg1w8ABcejFcMAga1jfvRqsGethkGRl4Z8Xb3Nj2JtrXaUNJ0IuCFQ1icWZgCAOHonDP9HtYmrmYxrENwquaW0JmYXGKoijm3FhQg4bp0Latub2qSwXMvwt8xZT6CrArdnrW68UF6edjk62ft8WZx5sr3jpmGtj6pltYnGIIYYbaZx2EEddAbg4Eg/Dma/DUs3DRYPBpptBRUXH+6u+u4Oets1GcKhd9OQiH3cmiUUtpl9QKv2FUK+prYXE6ohs6TkXBr/mPec0SMguLUxBDQEIc5OXCtq3mNkWF5IpVTUKRi4YQqJJEemw6PxugIKMDiZ5EUqJTkGQFm6RY5b4sTnskJFT5+N9l6zbNwuIUQ5JMd6LbCXfeZc6FyTIMuxg6tgO/XmV+rMLNeFOH0dhcNjP8XoNr2lxLbXcCQcOwRMzijMeyyCxqDCEEhnH8qutnO0JAUIcLL4In/wV5R2DEdeZaXFrYrWjiDWq0q9WGrindWLRjIQ6XneHNrkTTNHTDAPn0XEngf40kSVYB4TMES8gsagxVlpCtvKffJa0uDL8S5s+DS4aa2zwnuGQPXfAIS/cv5eIul9K5bjvA+oH/EUEr/+iMwPqeW5x0hBDIkkR+YRG/zf8Fl7ty9d/wGlvCdIgJASWlfnT9xCOOEAYOVUE3BHqFq82tUGmEhBqv8twfNNBOcWNQ18GuQGmpaYF9+y34gtWtMTDPX5UkjvgK0ddrqKqdSSXf4DfMFaAtqhNaWbpFy5a0bNECQxx/pWqL0wdLyCxOOoZhYFcVli9bypxZc/FEtKe42ItNlpHQQTJAEegIbKrEOV1TiYp0HLvUpmQO4nbVxb78YqJddiJtMkFgcwkIw0AyhFle3xBIwvxXM3Tqx9qJcSun9vKdkinkI66BkTeYguZ0cpwSVBICQZrbw4LbF+ANevFpPlySZBVjPAqBWd4oJyeHzz/5hNdefYXyoIbNZqvprln8P7CEzKLGiIhQiY1rT7TnPAYO1MjXNTTFTdDvJphtUN8GyxZtoW5qS/r2TjphOwdKDrJ9l52YxGgGpdgIAh9ngT8ffJlB9HwfwXwvwYIAclmQ3D0BJr3UlO7pJ+9cLU4tysrKOPjmmwCWNXYGYAmZRY0hSZCbX0S/TqX0HzCXHwiSQW/konOwfw/9BdjkTWQfyUHXE5AkgRxO8tXRURAFsyjZPok9G4fS+YLe6Ho0GSUGPYo1OigKcv0gcj0DhIqsyuheJ/syysnJzkWvH4duCBTZGsjOFkSFGzE/Px+v1xu20CxObywhs6g5BCiqjbL8QjTfPH5TgqyTklH2dMXzE/Qpg8LtB5EvroOiKBw5EuTw4XJkWUPHSYOY2bj1KThWBbnSmUMzjwNFUZBkSCyW6N7QQU6Rg2m/BnDbZPQyFVctP3sz3dRK8qIoCkiWkJ1NhITM4XCQnZ3N5q3bSU6uQ3R0FLphzZWdrlhCZlGDCIQkowTyQVvEVqfBcvoglclEr4aSXPCXHsaomBR68cWDON0aOGTc/h+5+ZIVBHfFsOBIG3bGtOOdZ75nwusjUCUoLA2wYKNEz05O1uwpp1m7GIb1h0efFww9X8Jus+aOzmZsqsrh7GzWrVuLqipERkVZInYaYwmZRY0hAEWRKD58kE2bijkcAWVqJuzYjJFvsL1YYjuZtKwYYGonGXiTosjYM4cP799GzjQPo96KYZnShkHdVdKbxIBuRvAFvAGW7/azbrOTR3sEiNs/j5K5Oo+3LqI4ph1+qVaNnrtFzSLJMj6vl/KyMjRdP7WDfiz+EEvILGoOQ6AqEvsP5pK/WKbYAZKSCdt/Q+iwTjHYrmfStqIAjVCC7Nx5hD7Sx2RM9DBmbAcWaz0oz9zN1ui6JDX0gQxBvyAxRqJQcTB+EviivAw/8i77HHns2p+HMupV2l2WVsMnb1HTSJJkWWFnCJaQWdQYAlAk2HUwi/JigyIFhLwNDtsIBiTWC429ZCAZAl3XQdaJjyxj/LR0Pld6slVOIYFScnAS4fCg2PPRdQ2vT2ATgvvviqBuapDhF6eStfszGnoDNFY1DpRAbnYhepMEdEOAsAazs4XQHJmuW+u1nUlYQmZRY+iGID7GzfJDtSj2d8NbHsBuOCFQiiQEGxxBCvUYkuITUBSFsgAkR0YTM/IJdKOc840SgiICXQvg8GgcOJKPYnPSvC7M2Qpvz/ISHQsfzRTYnCqKZEcSEkcKfFzeJxpFOTa52OLsID4+3rLGziAsIbOoMXTdRnb2as4b3Ba//4aKytYVCdGyMA0lobNz+zxysl141CIythzB7jIwpIr9JB1JMSjVfNSJiWHq1KnIEtQHyrwGohCcMohiAUIggAY2mc3LFNZpVsDH2UbIIisrK8Pv95uh91bS+GmPJWQWNYYQAodTpW/fWui6hhwyj6q5+iTKy4NomkazxtG0bRWPMKis6C4kBOZch6bplHm94Xc67VSpgiGZj4pqIOVeA+uG/OxDCIEsy2iadmyBFIvTFtX6MC1ONqHvnM/v59y+5zJgwNAa7Y/F2clXX32FYRgISbJE7TRAVPn36L8ti8yixpAkieLiYnRdR9M0VNX6Olr8bwm5FgsLCzEsl+IZgzVyWNQosiyjKApCCLPShoXF/5CQkFnftTMLq8iYhYWFhcVpjSVkFhYWFhanNZaQWVhYWFic1lhCZmFhYWFxWmMJmYWFhYXFaY0lZBanDEJYRRYsLCz+Olb4vcUpgRkW/b9rX9OMsEhKEiiKjCSBYQgMI3RsCUWREAJ0vfr+qlp5zycEGIYR3h+Obsdsvyq6blTbLoRA16sf98+0Y2FhcSyWkFmcEthsJ/4qVhWU420/3mtHU1WIqiLLEvJRK0QfLVxHExLCP2qnaj+P3l+SJFT12P1/rx0LC4vjYwmZRY0SslSmTt3KCy8sIDk5hs8/v4SoKAdCCIQgPLCLCuUyl+EQYSvmRAhhio7XG+Q//1lMZmYRDodKdLSD227rTFpaNDNm7OTzz9cRCAS4445z6N+/IdnZpbz66hIKCnw4HApxcW4eeaQnbrcNIQSBgMG9986iW7cUbrihHQCrVx/ivfdWcOhQEcOHt2HkyHYVQmsm4D700M8kJnp44IHuAOTmlvPss7+RmVnATTd15sILGwOweHEm48atIj+/jBEjOnDllS3CSbyGETp/rMrtFhZVsPwWFjVKaEBu2DCO2rWjmTp1C36/VvGaKWLBoIHXGwwvhGhaOBKaJigvD2IYpuvwaELCl5lZzAcfrObgwRKWLcvixRcXhPf//PN1REbayc/3c+GFX+HzaWRkFDJ27EqOHPEyc+ZOXn99abifkiQxduxK3n//J77/flv4WJMmbaagoIyoKDc33fQNq1YdDAvO999v5aWXZvDllxsq+gWXXz6J8ePXUVysMXToFyxcuB+AL75YTyAQRJYVrrpqAjt2HKk4ZxG21iwRs7CojiVkFjVKyNpq06Y2d93VDbvdHh6oDQNeeGER9eu/Ru3ar3LZZd+QmVmMJMGHH64hPf01GjR4k2bN3mD06B8A0HVxTNv168ewYcOtzJo1gquuakWnTqk0bBiLYQgmThzOBx9cRJs2tUlOjkTXBe3b12H//vuYMuVKzjuvIUOGNMHlMp0Xe/YU8NFHa+jfvwtOp7lN0wyef74fkydfQ9++9YiKisTttgNQWOjj2WcXMHBgJ2JjnQBs3ZrLb7/t4r33hjF37vXUqhXFJ5+sBeCddwbz9ddX0L17CvHxkRVWoCmIkyZtZsSIiezYcQSoFGoLi7MdS8gsTgk0zSAnpxTDEASDBoYh+O67rTz66FSuvbYNb789iB9+2Mxjj81jw4bD3Hzzd3TunMLnn19MRIST7duPnLBtu10hMdFDMKgzbtxqBg5sFD6mJMHTT//Gu+/+zODBTfB4bNhsCvHxbgoLfUyevJUBA9LDbT344M9ceWVL+vRpyOHDpQQCethamjBhI7feOolWrWpTv340AP/+96906FCHa65pQ3a2uX9mZjGybKNBg2g0zaBBgzj27y8CzLm5sWNX8vDDU+naNZXatSMqAktg7tw9fPXVsvC5hlyNFhZnO9YcmcUpgarKxMa6UBSJuDg3siyxdGkmbnc0zz7bD7td4ZtvtrBsWRbLl2chSfDcc/1p2jSOgQMbceBACcBx58103UCWZTZuzGH37nwGDzbno2w2GUmSePrpc2nePIFrrvmGO+7oTIsWiQgB8+btobQ0wAUXmEKWm1vO9OnbycgooKgowKFD+bz22lIefrgnANdc05qWLR+gXbv3+P77bYwY0ZpvvtlMdLSNlSsPkpGRwxNPzOfaa9tgGBoFBX5UVSY3t4x27WoDpjv19ts707p1bXr3/pDZs3czZEhjhBC8/PIAhg9vxYABDSrO1boPtbAAS8gsapjQdM/48euZMmUrfr+fJ574maFDWzB0aFPeeGMuI0dOpWXLJGbO3MCtt/akT5/6yLKNkSO/5+abOzF16hbS0mJ5881BFUEg1Y8RCvp4550VxMS4aN/eFI3s7DLuvnsWAwc2YuXKLEBUixh8883lNG8eT0pKFEJATIyDJUtG8fPPe/joo9U4nXa6dUtB1wV33DGDhg1jEEIC/DgcpsjMmnUtCxdm8NlnaxFCpmvXFJo3TyAtLY5HH53DkiXN2L37AC+/PIBAQGfMmB/p0KE2+fleIIjNJldcJ4mnnvqVTz5ZyNdf38igQY3QdcMSMwsLLNeiRQ1SdY7n+++3sG9fPued15jZs7cxf/5ezj23Ph98cDXr1x/m009XcccdPXjxxfNp0iSeKVOuRdcNnn32NwxDcPnlLSvC5qVwUEjoEQqlz80tZ/ToDjidKkIIPB4bkgRPPvkLP/+8m/feu5SmTRMAKC0NYBiC22/vUpGoLbDZFDp2TCYvr5zatd00b57AwYOlyLKEx2PnvfdW8Pbby3jooX5cfHFzdF3Qrl1t/H4dl0umc+e67N1bgKrKfPfdldhsMp99toqnnx7CxRc3A8DttvHaa4v59NM1PP30IM4/v2F43q9580SaNq1L7doewIpctLAIIfmt1eUsTjK6ruNSFX6YOYvSwgKuueaa4+5nGOK4OVWhcPSjKS0NhOe9QlaYYZji4HCceP2p0L5/hhP16USvH2//P3O8v9KnvwOBQOLMF8aqC2sOv/xyrrzqarr16EGTpk3PgrM/vdENHZei0Ob9tvyj+4Pc2GYE5bqGKquWa9Hi1MDvD6KqlWIjSWaoeaj6hfm3EQ4/r8ypkjAMMzjkllums2nTIWw2e1hAAoEA99/fkxtuaFvt/SGquueOl5t2tGjKsnnskDUZai/03lCfQ+2E9g9V6widV9XnVfcP/S1Jx/bneHlkQgh0oYdFSJEVBALd0BEVC8JLSKiy+VMPvRa6dopk7o8AIZ0dYmZx5mEJmcUpgaJIKIp8jCUSKhllJkbL4ddkWQonHCuKjCzDI4/0pKTEjyxXeswNw6B+/Zjwe4625ELHDB3raI5n+ZkW1tHtVO2PdMz+R1tlof5XTfiu3s6x/TmeJShJEqpU/WdcVbiO2f+o18KWmHTUcwuL0wjV8itanGzEUf9CdWvjaKpuO9pCqmqZtGpV63ePe6I5pb/DhVfpQpTCc2ohy9Hv17jzzpns3XuYm27qxnXXtTmhe/TP9if0/n2F+3hr2VvsL9jPwGYDGd1+NLnluby9/G0KfYXYFTtxrjju7XYvbpub0kApLy9+mZ25O7m63dVc1OQi1mWv46EZD3FJ20u4tdOtprUpcVYImuD430eLU48TfT4CK9jD4hTBbrcBEAyabq+qM7ehYAdNE1WEyxzwg0Ezx6qqC+/ox8mYBQ5ZSz6fFnaFhqwzt9vGOeeksGlTLr/+uq+i/5Ui8f/p3+gfRjNlyxTKtDLGTBzD/H3z2V+4nxcWvMCu/F1M3DiRFxa9EN7/+qnX8/LClzlYfpChnw/l132/kuhJZNmhZSzYvwBDGGeNiFmcOViuRYsaJZTsO2vWDh577GcyM8tJSnLTrFkifr/O4cMl5OZ6SUuLZteuHJ57bgAOh8ILL/xKWloCixfvp02bBN5/fyjNmyf+YTDG399/kGWYPXsXzz33KxkZpbRpk8grrwykadN4Zs3axbPPzichIZLISCcJCW62bctj8OAvadq0FkOGNOHFF+czalRnnnrq3HD/zTk06YTWWUjQH+75MJ3qdsIm24h4JoItOVu4pdMtZPwjg+TIZG6adhOlgVLcNjcZRRlM2TyFdy58hzs630HDNxry5vI3mXLlFM5tci6/7f6Nem/UIyUqhZnXziTWGWu5Gi1OC+SwbW09rMfJfADCEDgdKl6v4NJLx6OqNt5//0ISEz1s23aEiAg7GRlFtG9fm82bc+jevR6vvbaUdu3qsGnTEXbsyOOVV/qzdu1hRo6cdtIrXYQCNrKyirnwwgk4HDaefvpc5szZw9VXT2bfvkIuu+xrhJBo2DCWvXtz0XWDunUjGTSoCYsX72fChHWkpsYyaFDjaukI5nze7x9fCMH5Dc8nxhHD9d9fT4wjhmHNhqHKKsmRyRT6Cvl+6/cMSB8AQEZhBrIk0yy+GZqh0TihMRmFGRjCoNxfTplWxhO9n2BZxjK+2/xdxTkeW8PyjKOmfwvW4y+NG+HPrMpnZ7kWLWoMIQR2h8q+fT58vlKefPI8LrusOfPn38jixSPp2jWFtm3rcPHFzWjePIErrmiNrguaN08gJsbNtde2YdSoDlxySQt27DhCIKBXBFGcHEELuTe3bz+Cpvmx2+2sXn2QoUMbc9559Vm9+hBebxEffDCU11+/gIYN6xIIGERGOnj33SG0b1+bpUt38MYbQ+jWLSVsjWmaQWZmEYWFvvBxjjk2AiQwMBj9w2iW7V3G7JGzSYlKQTM0BIK5e+ZSFizjgkYXABDvjscQBgX+AlRZJa88jyhHFLIkowmNoc2HMqbjGNLi0sj15lYex8LiFMdyLVrUGJIk4fdpNGjgxOOJ5pFHZlNU5GP+/N2oqsqRI142b85m/fpEdu4sYOXKA+zfX8TWrblERtp5662l5OSU8cUXqxk+vDVOp/qnlnf5u5BlU2RatkzE43Hh9/s5//yGzJixHU0zaNs2CUVx88gjc+jRoz579hxg06Zo9u4t5JFH5rF1ax6DBrVhwIBP+PjjS7nsshYAfPLJWh56aCaTJ4/gvPMaIISBJFW/5wyF3d849UYm/DaBUf1G8eqiV2mb3JZHez6KEIK3V7xNs4RmpEalIoSgaXxTmtRqwjPzn2F/0X7W7FnDR1d+xJHyI2w7vI2yQBnLs5ZzoOgAqw6uwqf5sCt2LPeixamOZZFZ1BiSJOH36zidEtOnX0dEhIOHH57Dtm159OqVhixDUlIEDodKenosQkDz5gnk5JQTHe2gQ4dktm3L4/bbuzJu3FDg+CHq/8v+CyGoXTuCGTOuo6wsyF13zWDDhmzatEmiUaM4PvvscrZvz+WbbzZx0UVtEUKwbVseGzYc5oILGjFsWAsaNHAzd+7esCtx0qTNJCZG07t3vYqCxEeJGAJZkgnoAfLK8ujWshtrDq1h3YF1JLoTASj0F1IWLDOjEDFFT5VVJl02CZfq4pXfXuGevvdwY7sb2Vu4l9ru2sQ6Y5m7Zy7tEttRHijHq3mRJRnLKLM41ZF8ulXZw+Lkous6bpvCtBmzKCs6cWWPEzFlyjYuvfQrhg5twXPP9fvDsPv/NVVz307095/lyJFy0tLe4MsvL+HSS5v/1xamQGAIgVLFkqtqWWmGdsJcszOZoyt7XHHV1XTr3oOmTZvWdNcs/gDd0HGrFZU9znmQG9uOoFzTUKzKHhanCoFAEFVVw3NcR99eVRWFpUszOffcdI4cKWXx4kyaN09ECBGuqXiyMUthmR0ORRya2835LlOIqlbzOP68lyxLuFw2vv328vDSMSERC+WmHW1xGqJ6MIZERdK3AAW5WhSnhIQhjHBStC70cGWP480rytKJr6emGeHPRIjKGpdVq5iAFO5/aP/Q9VIUuZrIh1YKD1VZEUKEq7pU3R66FrpumJVJqlwfc9vx9zWPKyFbPqgzEkvILE4JQtUvfD4Nu135XRfhSy/1P87Wmp3DOVGljpC4hla1DnEiS83ttoWXmalK1bJU1Y57ArEJ7Ssf9R5ZqghUFgJFMkuChcXvL3Cim4bjVTH5vf0hdG2qv24Wez5xwvjR7R1v2/G2V4qsxZmEJWQWpwSKIhEM6qSnv8Wrr17AVVe1DNdBDLmDqhsNldtOhYGpquUT6u+uXfk8+OAsevZswP33d6+WG1bVZVi17qIQoZB3qaJclWmdFhf72bw5h06dklFVuVq5rur9MNde++yzdUyYsIbWrVN49dUB4dfDx61SrzJkRf7R/GJVC+yTT9ayfXseTqeKqkqMGNGWhg1jWbPmEF9+uZ78/DKuuaYdF1yQTnl5kHHjVnPoUCk2m0J0tIPrr29DUlJEuM1nnllASkoUI0e2A2D//iI++WQtO3fm0L9/U268sW24BFgwaPDEE/Pp1i2Viy82XYI5OWVMnryFbduO8NhjvahVy1whoKwsyJtvLmX79hyuuqodgwY1+u8/ZItTFsvQtjglkCQFm01hxIg2NG0aD1TepYeshZBbrqp1ciqIGFSKgVl93+yU221jyZKDTJ++M7xPSAiqWmdVa0CGXGOh10NFhrdty2PAgPGUlQWPcctVpzIA5dChMj7/fH34leMdN2RJ/pUgmbKyAA899DPz5u1h2rTtPPnkLA4eNBc2ffPN5Wzdepi9e4sYNOgLDh0q5eDBEh5/fD4LF2bwzTeb+Oc/Z1NeroXPd8aMHTzxxHe8//6q8DG+/noTP/+8k2AQRo78mpkzd4Y/9w8+WM1//jOFr77aEN5/2bIsXn99MW+9tZDs7NLw9ptv/pFXXllEcbHGRRd9xfz5e4HKajEWZwaWkFnUICLsELzuusk0b/4OS5fuY/r07QB8881m2rd/l6uu+o46dV7hiiu+o7w8CMA110ymZct36NXrE9q3H8umTTkANZIUDfDxx2tp2/Y9unf/mLS0V5k8eSvJyZEMHtyEbdsO07TpO3Tr9hFZWcVIEnz00VpatnyHOnVe5frrvycnpwyvV2PgwPH06/clL7+8hHr1XuPccz9n06Ycnn9+IV6vxu23z+DBB38OD9ZHT22FBHXgwEaMGtUlvHyNaSXChAmbaNt2LLVrv8JVV00iI6MISYK5c/fStesHJCe/RqdO73PDDVPR9epzlSHxdDpVVqwYw+rVt/Cvf/WmYcMUOnasgxAwduwQfvrpBi67rAUREQ503aBevRg2bryNJUtGMWpUezp1SqFBgxiEgJISP889t5DevdsSEWEP9/Wee7qyePEY7rijC3a7Kyz0e/cWMHbsSnr2NNeVA7Os2dChTZk48SpcLndYlA1DMH36DkaN6sKUKVcRE+Pi2283/0++BxY1iyVkFjWIFI7sHjq0KXfe2YXMzBJ+/TUDMEPtt2w5wrp12dx8cye+/XY1y5cfAGDNmkNcdVVr1q3LwTAgOTkyPFifLELBF8GgziOPzMPrDXDrrZ3o1as+qalRCCEoLQ1QUODjtts6sXx5Fj/8sJ2VKw8yZsxE2ratzaOP9mL8+HWMGfMjDodCt26p/PLLRr75ZhPXXdeWHj1SKS0NkJ1tLuC5f38RO3fm4/Np4T4cj2BQJz+/HMMQ4WCHpUuzuPbar2nQIJYnnujDlClbGT36Bw4fLmPo0C/RNHj55f4oisyCBRnh63n0IVRVpmHDWADef38VHTok4XLZCAQ0PB4b77yzgnvvncR556WTnByFqsrUrx+Dphl8/PFaBg403XuSBM8+u5AOHZK54YaO5OaWh4NCnE6V337LoG/fD0hPT6Rbt7oAPPzwPEaMaEP//o3JyyuvaCcUZGIQDBrhZXZkWaJv3/q88cYiBg/+iqKiYjRNhI9tceZgzZFZnBJcfnkrAH77LYOiogAAbdokkZISy113deWOOzrz8suLwxbZggUjeeihubRsmcjYsUNwONS/7CL7/xIaQG02haee6sv77y/lkUfmkZrq4cgRb/j1Xr0acO+93fjoo7WUlARYvjwLRZH5+OOLcblUli7NYvr0HciyxKhR7Xn++d+YPPlK6tWLDh/r7bcH0afPZyxYMLJa8MLxzleWzSVxIiMdFW5Kc/9ly7KQZZ0PPhhGUpKbDRty+O67LSxatB+vt4wXXujPgAENufba1uzalR8+ztGDfmhOLzu7lMWLM/j880sAsNvN4eSOO7qQlhbDJZdMYP78vfTr1wAhBOvXH2bXriPhYJaysgCffbaW+HgXS5dmsnPnQR54YA5vvDEQgD596rFx4z/o0OF9xo/fyC23dGTSpA3s359Gfr6PgweP8MYby7j33m4AREU5kWWJ6GhneL7xk0+G8dJLcRw+7EXXFdLT4wAQJ9lyt/jfYllkFqcEpaU+/H4dv19HVISUb92aS0ZGHuvWZTN37h683lJWrDiArhs89tgvfPbZQm64oS1XXDGRmTN3hhffPFmE7vr9fo25c/cwbFhrXn55AKtX7+Pzz9dRVhZgy5Yc9u0rZP36w2RmFrFs2QGaNo1H1wW33z6dTz9dx8SJ6+nZMw2fT2Ps2BUEg0E+/HAVM2bsxO/XEEJQVhbE7y/l0Ufn8Y9//MRtt82o6EPV/pj/lpUFmTx5K3Pn7iE3t4wPPljBzp359OiRimHI3H33dL78cgOffbaali0T6d49BbvdxRNPzGXq1O3cffcMXnttaTjkPxSNGXqEgla++mojfn+QPn3qA1Bc7OO++2bz9dcb2b07H8PwoWmVoe/vv7+KuDg37dvXQQiBw6Hy3XdXcvPNHc0oSkWlZ896APz737/y9tvL2Lkzj2CwDK83iKrK/PTTDQwe3Bhd14mMdNGuXW1AsHbtIcaPX0sgEOCLL9ayc2c+AG63yh13dMXtlomL83DNNa0BkE9S9ReLk4NlkVmcEkREOMN/hybi163LpnnzSAoLffz00y5at05kz54CDEOwY8cR2rZtyFtvLUNVpbCr66+Gkf8d6LogJ6eMtWvXUadOJN26Nebf/+7LoUOlKIqM260wY8YOUlOjOHCgiHbt6vDBB1fw/PO/8dNPO7j00ma8//4w8vLKmTZtG23a1GXChPXs3l1YEWUn0blzXW64oRsTJqwjISGC0aM7VhxdEEo9CEVLlpQEePHFRRQXe2nRIpEXX/wVVbUxalR7xo0bzn/+s5AFC/YxYEA6b7wxmDp1Ipk6dQSPPjqH22//gdTUKO6+u3s4F+xoQpba2rXZDB/emqQkT9gyzc4u5e67ZyAEPPBAv7A1BrBjxxFGjGiD06mEI1J79UpjyZJMDCNIw4ax7NljClBZWZD331+Oz6dzxRUdufnmjsiyxAUXpPPDD9vxeFQ8HoWsrGJAYuLEzXz33Vo6dEjhs89Wk5gYQePGcTz99AImT15PUlIkc+deT2pqFFAz3xOL/x1WZQ+Lk06ossfU6TPxlxZxxZVX85//LKSkJMgLL/zKfff1rBYyfjoQslLy88uJj3f/6fdpmnHSErmrLuZZ9bhVUxiqbtc0o1pSMpjL1thsZlRlIKBjsynHuB59Pg3DELjdtmrbAwEdu12ptu33KpcYhqCsLEBkpONP7X88Cgp8yDJERzsr2jTTE6zKHqcfVmUPi1MSM5BAVMyfZLNlSx633daNhx/ucdzqHtXfd+y2miQ0VxUf7w73/UQVPEKVQGRZQlXlcJWKPzqv0Bxg1WCGE3G8dsz8NeO4x9X16v0B+Mc/ZrNkyT5sNjuGYQqIz+fjhhs6cffdXVBVOfwZhupOGoYIRxOGjhU6vt2uHBOcYhZervysQ/0013mTiIx0VEtiluXqkalVy4Ed77rFxlYKWOVnYt27n2lYQmZRY0iSjKLakGWJr7++/Div/957/4cd+39SdUHME/WzqlVRtarFnzlnUxx+/wL81eMeb/uoUR256KJmFUnpZpuappOeHn/UOVbmvJ2o/cp+nbhaR1WqlpI6WrCP18QffR+OLrysqqrlXjyDsITM4qQTuh8OBoMcyMoiOzubYDCI2+1CltWKhF+JqvM/Zy1CoCsyQpJRNe0PRmyBIlQMDIRkVgf5/9CqZSRK2xiql7+XCAQ0SkpK/l9t1xRViwYHAgGQJKu4/xmAan2IFicbSZLQBbRo2ZJlS5fw3rhxBPwBcnNzyM7Oxuf1nfX6BSAJ0BWZmJJSXH4/hxLiUXQDcYJrIyGRJ+cSJaJwCAfG/3OIFsbx3buSBNJJTHP4u5EkCUM3iIw0Az+EMDBOkVJnFifmdxaItiwyi5OPLMsEBDRp1JCXX3whvH3T9p2sXbOaktISayFHQBKCgMtF/U2biMs+xOrz++PwehEnGHEVSeGn8lm0t3egtlqHoAhY1/FESBKyJBETE0tUZHR4kVSL0xNLyCxqBAkI6AJd183q6zLUrl2bDh07EQgGrPkLAENgREQQoag4oqPx9OqNVFpSfQKpCqpsY9e2nXSs24kGkQ3x6X7LyjgupttaGILo6Ghq10mq6Q5Z/D+xhMyixjCX6qj8CkZGRRIRGWlFlYUwDLApyFlZyH4fteqnQVA/rpAJBHZZJrEgkQYNG9I0viG+KgWMLY5P5YoFNdwRi/8XlpBZnDJUhmBbgy8Qjt8PRweGQgd/N/LPrKQvEYqetK7l72EJ2JmBJWQWFqcyRwvRnxh5RZX/Wfw5rLnE0xtLyCwsTnXMRcoq//2d1URlSUaVVGQk1Cq5XhbHJ5TgoQvzBsAStNMTS8gsLE51gkEoLgavFzQDIj1wgtrIZcEySgIllGveijkyqy747yKZ4fdumwebLBE0rMyP0xFLyCwsTlUkCQSI9HTkn35CffsdyMvD6NoN45JhphmhVNQuFAIFiSZxTfh643gS3Alohlaz/T8NkJDQDB3d0Lir611EO6PRhOVqPN2whMzC4lQlJGQpddH+/RQoEtLuvcg//mBGLsqELTNJkvEbMLzlZQxoNNAKYviTCCFwqjKvL3uTzJJDJLhiCBpWtOfphiVkFhanOroAuw0pIwNp926k/HykdeshuS4iMYFQWQoBBA1BpN0TSpWy+AOEALsM0Y5oVMsNe9piCZmFxamMEKYoecuxXTwMeds2sNlQX3sN7Ykn0B59xMw3q3AxSkhoQlgi9icRQqAioQvdumSnMZaQWVicyphrrIDbjdGvH/L69RAIgN2OMeCCyn2qvsWa3/lLWNfr9MeypS0sThOMG2+CiAjz7z59MTp1MN2OJyhZZWFxtmBZZBYnHcMwMAwjPI1j3Q//CfwBtKZNoHt3lDlzCNxwA7qmQVBHUpQ/fr8FYH7fZFk+Zn0yi9MbS8gsTioCcKkykuUM+O8YfTOsWYPrmqvN56r1E/5v8Fr5YmcU1q/A4qRhGAYORWbF6nXMmD6FxAQPuqEjCK14LCEJAAlZligs8qFrJ8j8rViJyG2zEdANNEOgSBCpmO9Hxpw7kitqN0rmv8VeHU0/Daf1hQBZguxs5Nq10Z99FknTrUW0/iQCc8XqgD9Azz59GdDvPHyabllmZwiWkFmcNAzDQFFltmxZh2zEs3N7cwxdwy6DRBAhaRiyQMdA82vccktHaiV6wqv6ViIQyCA5WLjnAI1rRVHHY+NIEL45bGDTNYRPx/BqiIABfh3hNwgGdK64IJY6sfbjtHl6IFQVIiKQCgosEfsLCCGQZJmNGzawbPlSBp1/nrXKwhmEJWQWJ534+AhWLDHo06UePfoVssUw8MnJBAsSEFsFXV3w1eTfKA1E0q5unRO28/O6KSwrbYeSEEXHunGUemFhAOwHg3hzSjHyvWhFPrSSABQGyc8SXDWgLsl17SfxbP9HeDw13YPTkuLiYjZt31HT3bD4m7GEzOKkYxg6OoKGiXmkpk1mCioHGYbkTyN6Owy3QYMiH0GCJ7CcdPSc52hclEGzQsGgxhcjhKCkXGeMoXNuYxta00iEEoEANASRDplF64soKvQi0mzohkCRLYvmbCH0PdKCQYoKCgho+mlpkVscH9Uyri1OFqLqv5KMvziXMuNXVsouttIJ6QDU+hVuDBiU7jtELdVcT2v+/GJysr2oDghqZQzp+DmRxhGyZvqo0wA2rt3HOZ0aomBQnK2jRNnIOqjy/HvFNE514lBUDhSUothsjLrBqFiny1r37GxDkiRsdjv7MvaxduNG0tLqERsXWzHbaiKqPCxOLcRx/g59VpZFZnHyEQIhyYjigxSXrmOz08Z66SDkBEleK8gv9VOsHwbVFJqvv86hWScnuZlF9E79AHepnyXfCeZGjcLvTyDn+6WmkBmCkrIAy7dAj05uevWFzt3spNWFT79w06Ozl2DQGqLOZlRV5dDBg+zauZOoqGhiYmOt8MUzAEvILGoACVWGQ1mHKFpuUGzXMNTdsH055QGDNbqXrRyki2TmRzVrKrGjXCZJTGDQBRrTnwhw1299ySgoZfiFDtp3jQJAQaLc62PmogBffevm1pgsUuZO5qDDT2+9jEzPTTTtnF6D521R00iApmkYhmEtD30GYQmZxUlHCFAVwfaMHPyLZcptCrKSAdsWoyNYI3vZSS62ilwzryYoy9tFuvd7PvtHW+6ffz5eeywi5zBHDjsI6D4Ayst0OjR2orojeOtj8KZHUpRdSGGwiAO55dgkHdkqDGthccZhCZnFyUcCQ9dYsXUvRZkGh7UAhrQcDh+iyAvz8bIPHYIGmqbh18pIrePmk9l3obnb0aithuTzkm+vRUpqHN7gQTRNw+fzk3m4nD4tVW65U6dZ23gOF75ElG5Q2wEr1h+mqKAETVPRDYGwgj3OGkLBHrqu13RXLP4HWEJmcdLRNEFaShRb3ReA3oTmvgCGUMAtITU3EFKQusJNvbq1UFUFVIVYWWXIlecj9EKEZKDLdmRFxlu+D2QVVVXp2SyGQyUeVmfouN0Ki9YJVNlrLmVvCGKi4ujf1Y2M9cU/W4mLi6vpLlj8D7B+zxYnHZ8Ptm2dSe9+LdCCqSiyjITAnBITCCQkdD7+6AVAQg4aZB0sR5Ir5jQkM1ZJkgRgEB0VxXPPPYciS7gdMoYBBZi1dMOzIAJkWeLlpWZlD0k6u6ZITtcE8L8TSZLIP3LESoQ+A7GEzOKko2ka5553Hn379gIMHA4bhiEIBELlqMxSwkbFU1mWUFVTlcwhqOqALKFrOoYwEJhLc51ovBZCIFeE3p8JGIYIC5T8O25SRZGx2WQCAR3D+PODuBDmMRTl5F0wQxgokoIsywT1ILIkI4TAEFWKIwpTlGRJrtxfkgkawfAcqNl3A5BQFCl8nTL372f1unUn7XwsTg6WkFmcdIQQpKamkpbWAJ9PkJ1dhstlo149R0137YwkEIBDh8pISfFwuhTKD9nlfzd2m+1vb9Oi5rFCuCxqBK/XhxCCt99eRLNmL3HeeR+haTpCCPTjFPU1DOO4LiEhRI0+jrZwdN047vbf4785phCCGTN28PjjP/HTT7sAga4bHJ02ahgGr766kBYtnuPHH7dV6+fx0HUDXTfQNIN9+wqYNGkzmmaccP/fO6cTZRUf75x0QwcB8/fOp+mbTYl9NpbRP4zGMAxWHljJ8/Of51+//IsH5zzI43MfZ9q2aSBgzp45NH6jMdHPRnPPT/fgC/oRwmDX7iM8/vhc3nlnBWVlgfBxfD7fXzoPi9MDyyKzqBEURUaSJEaP7kR2djmffLIWWTa3KQoEgwZz5uzG6w1y3nkNiItzAbB3byFr1hzC59M477wG1KkTgRA1Vz9XkuC33/Zx4EAJPXqkUq9eTHj78uUHyMoqJjU1iogIO3XqRLB+/WESEz1ERtrZvTufRo3iSE2N/kvnEHKTvfDCIrKzCxk0qCWGYV5TXRf8/PMuiov99OlTn6QkD1df3ZpnnvmV3bsLWLHiAGlp0dSuHUFWVjH79xeRkOBmy5ZcGjWKo1WrWuHjbN6cx333zeaKK1oCkFd+hK25W3CoDlKjU9mTvwdFVuiU3ImDJQdZdXAVXs1L73q9SY1KRRc6yzOX47a5aZ7QnF/2/ULtiNq0r93+GIsr5CYcOW0kbWu1ZdzF4+j7YV8GNx6MS3Xx2MzHaFqvKa2SWjFv+zzqJ9bnwiYXMuK7EbRNassDvR7g1m9vpV1Se0a2vxGnUyUjo5hnn13MhRc2oX790OdyhviVLaphCZlFjRAaTmJjXTRsGIssSxiGQJYlcnJKufzybygs9COExOOPz2Py5KtIT49j5MipBIM6eXlennnmVxYvHk1cnOukBzMIIQgGDW68cSpr1mQRFeXh/vtnM27cUC66qAmjR//Ixx8vp27deA4cyKNNmxRee20g55//AU2bptCzZxoffzyfN964invu6YquGyhK6BrIf0rUFEXhwgtb0r17KrouKCjwccUV35CdXYqiKDzyyFy+++5K2rSphcfj4vHH5yHLMh6PwrRp17JrVz7XXfctMTER6LpBWZmPTz+9jIED01mxIoulSw8gyxKTp2yiVnwU+YnruPirYdRPrM+TfZ5k9LTRxLpjWTVmFXf/dDeHSw5TEizhsbmPseLmFbhsLq75/hoKywtpXqs5KzJXUC+uHhtv3Yjb7q72mUlICAQF/gISIhJoGt+UCFcE8/fN5+1Bb5OWksawZsOIdcbSJqkNdtnO7oLd5Obn8sSVT9CrXi/eXP4mM3ZNZ2T7G0mpG83tt3dh+vRdlnidBViuRYsaRdcNvF4NIUDXTbfZxx+vZcGCHVxwQWMuvrgZ27Yd4LXXluJwKAwe3IRWrWrRsmUi27dnk5lZdNIjEHXdHIDnzdvD118vp3PnNK68siW5uWW8+uoSli3L4uOPF/PssxewbdsdvP76RXToUId+/RowffooSksD/PjjNj799AZuu60ThiFQ1ZA1+udEDEwxLSvzhwMyxo/fwNy5mzn//HQuvbQFe/Zk89prS5AkiaIiLxdf3JwlS0bhcqncf/8cLr+8JfHxUQwc2Ih9++7lnHPq88wzv7FixQHuvXcmH364mtzccu67ZxaPPzmPwelDuL7zdThVJ/0b9cdhc/Du4HepF1OP8xqcR5ukNrSu1ZqMggw25mwk0h7Ji/1epKi0iAubXMjWu7Yy5copeOweJKRqAmMIA1mSefCcB/lk2Se0e78d5eXlRDuj0YWOjMw7y97hkWmP0KlOJx7u+TCZxZnIioxTdaIbOonuREr8JRXXBgoLfX/ZJWpxemIJmUWNEBIeRZFxuWzYbDIOh4IsSxQXBwAVl8tGSkoUDzxwLpde2pyff97D44/PJiUlil696mGz2XE4as6pUFoaBCQiIuxERzt5+OEejBzZnsJCHyBo3jyRiAg7t93WmUce6QVA+/Z18HjseL0BEhIisNuV8LXYseMI48atIiOjEOBPzbNVjVgsKfEDCi6X6cZ86KHzGDy4CbJsCmSbNkm0aZNEvXoJHDpUgq4bOBwK0dEOYmNdxMQ4KCjwMXBgI3btuo/33ruQ2rUjyMh4kF/nj8RmV3jwnH+SU5bDtZOupXlCc65oeQW/ZfzGI9MfITkqmT71+2Cz2XAoZuBOUkQSbo+b+8+5nybxTWib1Pa45xGKNvxX73+x68FdPN73cQzJoEdqDxRJIWAE+M+A//DD6B9oEt8EQxikRKVgYLAjfweKrLDh0AYaxjasuC78biSnxZmFJWQWJx0hBDa7jN8Pw4ZN4PHH55GTU0j79m8xYcJGxozpQFycm9mzd7Bo0X4mTtxAXl45Pp9GIOBl48bDLFyYQTBYzBtvLKto8+T1P2RJ9O/fkNatU5k3bxdLl2by7bebWLXqIH361KdTp0ZcdtkEBg4cT2rqS/zrX/NZty6bunWfB6Bfv8ZcdNHrPPfcwnB4+7/+9Qu33DKNSsfr7w/EIYPGDP6Ayy9vQXJyDLNn72Tx4v1MnLiekhI/48dvxOfL5ZlnFtCt2zgWLNjCTTe1x+VScblUPvxwFQ0bvsmMGVt47LFeqKqMYQgiIuykpUVVBEqAbhi0qtWKcxucy2+rfuPB7g8CkO/Nx+vzsvHwRubvnU+wKMgnaz9hZ/5ORv8wmvKictq90467Z92NIQx0Q0cXRz0MM4Vizu45fLL6E16e/zKXt72cQY0GMXHTRA4eOMjzC5+nXZ12NIprhCEMmsQ1YVibYYz6fhRt32uLN+BlTIcx1YJILM4OrDkyixrAnAuy2aF373qcc04qLpedoqJSUlOjadgwlgULbuHzz9dSVhbkxRcvYNiw5kRE2Jg48QYWLtxDx46pDBnShMhIc5HMk3n3LcumcMbEOJk79ybGjVtFVlYR993Xg2HDmuFyqcyZM4LPPlvP7t1HuOyy5lx9dWuOHCnnpZcuoFmzOkRFOejdO4mmTWsDUFoaYN68vTz4YG/q1YuumDP7/ftM0yVpWrGaZtC4cTy//XYzH3+8mqIiP//+dz+uvbYNy5cf4PXXryAhwcPKlVncdVc3rr22DcGgjs+nc++93WnWLJ6GDWPp169hxTlK9OvXgHPOSQlfWwkzLP6Ffi/QrW43Lm1xKQDDmg7j+1Hf88vOX2iT3IYhjYfgtrmJccRwc4ebcXRxUOItoVFCI9PyOt5HVbFtS+4WcopzeHrA01zf9noA0uPSefXiV9FlPTyXJkumK/bLS77kneXvkFWQxQcXfUCHOh3QdB1VUXC7z4AFVC3+FFK5bt22WJwcNE0j0q7y8RdfklqrFgMGXnDc/UJBH38VwxAndZ2xE0Ua/jdRlJs25XDVVd8xd+71JCVFmMnbJ7gGoeszePAENm3K4M03L+GSS5r9KfGryh13zGTs2IWkpibw5ptD/qs2/ipCCBbuX0iBtwBFVirruBg6rWq1Ij3u/7c6gWEYyLLMjh1HuOOOH1mxIpuNG28jLS0agD27dzPq5pu5aczNdOrUmfoNG+KQ4Y3lb3N+wwG0TmxKuW5YxaVPQXRDJ0JVaPN+W+4950FuajuCUk1DkVXLIrOoISrGaL8/iCwr4YANRZHCEYyhOSJJ4riDq6YZFQESZmMne07E7LOoCP6o7L8kScfZLh/jCgwNuooi0bx5AitWjMHttlW0be5susekaseUJLONV1/tz+bNh6lXLzr8nlDATGjfkJsw1BdZltB1A5tNoX//hrRoEY/fr5OY6EbTjPA1NHP5xDF9FwI0XUdgVtQIzdEFNQ1ZBqnCOlRkGVmW0Q0dUZFQJlfMZHy67lO2Ht6KzWYLB3kEAgHu6X4PDWIboBkasiSjyubwZAgDXZjWmCIr1cL2BWYOWih4JHTdoqMdjBnTiccfjyQ5OZJQtRiLMxNLyCxqFFWVCTmtjrakQk+rClRJSYCcnFKiohwkJnrCc2NlZQEOHy7D7bZRu3bEyen8Uf00+y9ViBRhgQ0JS2lpgNzccpKTI7DZlHCkIphi4XbLx1hzx7MuQytcN2+eSPPmieHtoet0dEkpWa4MCAkGBTabWd7j4oubnfCczDaOd2ywqQpQWSJECLCp5lCi6wK7WvlaSIyq8vHQj8PiFm4DgYIpjHaluktQluQTWkgS0nGPkZQUwRVXtKrSR3HGlCazOBbLfraoUYQwQ8cVRQ5bY0A40i6UOB0Ko37qqV9p2/Y1br11BlApEi+9tOT/2DvPOCmKrQ8/1d2TNucMu7DknHMOEhQRxIhivuac9XpN15yvWTEnBFEBUQHJOeecWdjE5jC5u94PPbsEwQAK+trPz3F3enuqq2uGOnOqzvkfWrV6mfPPn3BK+18TMl/T/xqPqcYzOzyk/okn5tOu3UssXJiDoph/OzwyscaI1QQpbN9eQosWb9Cgwas0bfoa/ft/TG6uGV7+xhvLqVfvReLjn+Saa6YgJSxYsI8GDV6mSZPXadr0VYYPH3eEysj69YU0bPgcr7yyFDCN/3nnTSAr6yXq1XuFhg3/x4oVuQC8//5qnntuAW+9tYLycl9tH32+IG+8sZwxY77lscfm8PbbKxECpk3bSePG/yM19Rkee2zeER710ShCQRXqEQ9NaH/okvDh6RwW//+xPDKL00KNJ6VpGitX5lJU5CYlJZKwMBsNG8axZ08ZGzYUYhiSnj3rEhvrIhg0uP32ruzaVcL27cWAaTB03eD66zuwZ08ps2btPmX9F8I0BnPm7MUwDKKinHTokIquSzZsKKRhwziEEGzaVETbtslcemkrnntuPrt2lREfX0BmZgwxMY7atg5fvhPCzIPKzo5l6NBGTJmylTVr8omNdSIl+P06TzwxgLw8N3fdNYH77+9BIGDQrFkiI0c253//W0JBQdURxvLee2ewd+9Bdu0qrY1EXLBgH717ZzJiRBPc7gB16pjVtqdN28n48SsBN17vRdx2WxeCQYPzz/+KKVM2MWRIE774Yg1JSVGcc05jRo/+ik6d0unTpz333juZtm1TGDas0TH33I72xmr4I7UVa75MWPwz0KzvKxaniprPmpQgQpF/V1zxLR9/vJKkpGgKCkrp3bshX399ARdfPBEpIS+vgqSkCGbPvgyn00Z6eiSZmbFs3156qF0JKSkRZGfHM3v2nj//PkI34vMFOeusL9i1q5QmTRKYMWMHy5b9i8pKP/36vc4LL4wkNtbFlVd+zOTJ1zFkSAMcDgd33PEDwaAkPT2CcePOp1271CMCXGp+duyYxqRJFwHw4487GDSoAS6XjUBA57bbupCTU8HNN0+mZcsGxMWZCil9+2YB8MorSxk5silgTugffriGYNBg1KjOoaAYcx9P0xSWLz9AUZGb0aNbk5xsLsveeWdXtm0rpl69aN57bw233daFxYv3M3nyaj744GIuv7w1kydvZfLkraxfX0hxcTlPPnk5bdok8+qrS5k8eSvDhjXimMuTf4G9KnnU43jHLP46HOs9qXmvrKVFi1OOmaPkYM2aMj76aC7PPjuEjRtv5MEH+9OsWSLR0U7OOqsx7dun0qpVCsuX57JnTzmqagYSeL3B2nZqluGCQQOPJ/Cz438OZts+n862bcXYbIIOHVJ54IHe1K8fS58+WdSrV4fSUg+jR7fE4YilutqPrks8Hg/nndeC2bMvo7jYzb//Peu4ezc1y3M5OeVMmbKVESPMPa2aW1u0aB9LluRgt2shYV/z/CVL9rNuXT5nnGFGAJaUeLjvvp84++zGgGTjxnxycipwuWyMGtWM4cMbER8fxpVXfs4PP+xASnj99eV4PH5atEhhw4bd7NpVyr595dhsTjp3TsfnC3L22Y0ZO/ZsvN4giqLgdKrouiQxMYLyclOc19qXsjgVWIbM4pQjMXOxysp8gKBDhzTi4108+GAvHn20L99+u4XHH59OZmYM7dqlEh5uw+k0V8E1zVQCsdvV2n0mVTXrlYWF2bDZDh3/szDbNhOGH320D/36ZTJjxi5efHEekyZtDUUHgs9Xs6ymExXlxOEwAzy6d69D584Z1K+fQE5OOWB6YUfb3hovberU7TidGt261QHAZlOoqvJzwQUtWL/+Nlau3M3332+v3WMcN24jderE0Ly5KQBcWFiNzaYyYcImFizYx4YNecyfvxdNU3jppUG8+OIQxo49GzDD1k0h5L2oqmDatO1ER4czbtxG2rRJIRBws2JFLg6HRlVVgM2bi4iPD8MwdPbtq0BVBVu2FFC/fmztPVhY/NlYe2QWpxxFCNzVAbp0TaJx4zqceeYnDBrUiAULdnLhhe1o2zYFr7eKHTuKKSioprq6iI8/XsONN3bi0ku/ZsGCHNxuLz17vsujjw6kXbsUxoz5lnnz9lBeXk2vXm9z2229GDmyKbr+xxeGrDEwBw5UcMcd0xk0KJvhwxuzfPl2iovdgBlR+MorC5gzZw8+XynvvbeKrVuLCATKuOuu6XzwwWpWrtzB00+fjWFIgkEjFCpfE/BBbRrCU08toF271Fpx5MpKHwMHfoLLpeHxBLHZHLVGq7zcyxtvLOPSS1tjsynoukGTJgls334zDzwwixUr9uNyaTRpkkBpqYehQz8nPt7F9u3FOBwO+vXL4s47p7N371b+/e/zuOCC5rRs+T8efPA7unevw4gRHbj88q+YPHkLK1YcQAiVVav+Rd++TTj//HFkZ8chhOSSS1rX3oOFxZ+NZcgsTjlCMYMVwsIEM2deydixq8nJKefRRwdy4YUtiIhwoOuXsGjRHoYObUj//vVIT4/C5bLRtm0qXbvWwWZTqajwkJgYht2u0rZtCm3bJuN02igrqyI93Qxa+DMcsxpvLyrKwV13dSU/v4rt24t57bXzuOaadgC88spg3ngjhpSUaC65pBUul0ZycjhPPnkusbEuVq7cz7XXjuaSS1oBYLcfu+Klz6dz4YUtGDjQVNwwDIiIcHDPPT347rstGIbkyScH0L59KgAeT5BbbunEmDFtjuir06mRnh7JPfd0r90ji452MmxYI1auPEC/fllcdNFwWrZMpk2bFJ58ciTNmqURFmbjscf6A5CQEMbEiRfw0kuLWLUqj6uuas+oUc2IiXHyxRejePnlxRQWVvL668No0SLRMmQWpwxRbSl7WJwigsEgUXaNsR9/Qt3kJAaeMQgh/tmJqoGAzpIlB/B4Akcsh0opadUq+TfnxP2SmoiU/KJSyG9t5/e85mRrxP3RFaJrSsbUKHtccZSyxytLX6W/pezxl0Y3dCKPUvaotJQ9LE43QkAwqHP4Vm1NzlUwaNSeY06K5l5YIHBkWY6afaFg0Dhij+nwnLQ/E7MiNLVRgDX9rwnUMBO+D1fzkIctHZoe1LPPLiQ/vwJN02qXLYPBIP/97wBSUiLw+3U0TTnifnTdqG1TCIHNZl6nRjHkcFX8Gtmuw/OqasZH143avoOoTWeo8dpq2gTQNHPv0VRUObT8ae7vHVIPOfzavxdDGrUqHYY0+yb4+e81huZQnpywwu3/wViGzOK0UTMRm8EZNRNmzaSkHDbpHjIUNeeaxuJQWzUG41RT08/D+waHltSKity43QESE8NwuWwcrmAiJURG2pk48fyfSVFJCXa7eU/HWnY0E7CP1ytR64UJIfB6gxQVmcuwNptSqwxSYwRrXyV+uW2JNGuDqaJWvPdw6SehSjiqTUPWfCERtUbql7ydmr8FjWCtYkeNSPDR59S0axkwC8t/tjhtKIrAZtNqvYPDdQprElqPPCZqzz3899NJjQelqsoRGpGGIamo8DFkyGe0bfsKn366HqD2vMPv125XcTg0HA619uF0qse9txoPae7cvbz00jzmzt1b2xfzGocmdyklr7yylHbtXmD69J21xrbGMzzUlyP7r+uSvLxKpk/fWXtMIFCFWqs8f7h0lBDm31TFlJmq1VcMnXP4a485jiGD98WGL2j+WnPqPFeH67+/nmp/NQLB7D2zafV6KzKey+DZhc9iGAYSyY6dJbzwwgLGjdsQ0oe0+CdiGTKL04JQBPv2VbJxYwHLl+eyY0cJy5YdoKzMG1q+kixfnsvixTm43UGEEOTlVbFyZT579pRRWFjNypX57N5d+usX+xNRFMHatflMn76ToiJ3rWFQFEFBQTUPPdQLm81FQUEVbneAVavyavu/enU+Bw9W1y45ml7UocfxqMmRe+ih2bz88tLQ8uYhj3Dp0gPMnLmbyko/QgiGD29Meblgz54ytm4tprzch6IIiorcbNhQSG5uJfPm7WXv3vIjjOzKlXlcffXk2mMVvkrWFaxjc9FmSjwlrC9cz6aDmzCkQbG7mDl75vDjjh8p9hTXLgFuPLiRHSU7AFh6YGnt70ere9TshxW5i7i508081P8h3vrpLVbnryZgBBj5xUiSI5K5quNV3PvdvUzbOd28hiH56addjBnzDW53IDQ+f/S7bPFXx1patDgtCCG48865TJ26kppq0BUVbkaMaM6LLw5i9OgJLF58ABA0aBDDjz+O4eOP1/HQQ5MYPrwDPXrU5e67JzF4cCumTLkolK/1c+HhP4uavZmbbvqBWbO2Y7M58Hj8jB07nL59s7juuu/4+ONVpKXFUFlZSXx8GCtX5tGr15u0bp1J9+51eeONmbz44ihuv71rKE2gxsM7pDb/SwghOOecVvTrVw9dNxPCL7vsazZtOohhCJxOlXHjzqNRoziio8P5979n8sADP5GUFMbXX1/EmjX5/Otf3xAXF0lpqQdVlXz88Sj696/H5s0HWb++ECEEc+buIj42gp3aYs4dN5L6ifW5r8d93Dz1ZiKcESy7ehm3TbuNfaX7qPBX4FAdzL9yPjbFxpmfnYkv4KN5cnNm7phJ/YT6rLtuHWH2sFovu+ZepJTc3OlmSr2l3PX9XWRnZtMssRmLcxZT5i7j6TOepn1qe95a8RZfb/mKIQ0H06hhPLff3oOlS/Os5Ot/MJZHZnHK0XUzmXjo0AbExITz0EO9cTo1Hn98AGvXFvDEE/OZN283M2ZcxqpV17J/fxn33DOD227rTJ06qWRlxdCxYxp2exhPPz0ATVOOmBRPRf+FEMyatYe33ppL586ZXHtte3btKuHxx+cxc+Zu3n57Lo8/PpBnnx2I12tQWemje/c6fPzxhRQWVjN58mZefHEU11zTAcOoCRI5JDD8W5BS4nb7al//2Wfr+frrVQwd2ojLL2/DunV7eOqp+QghKC/30KdPPb777mKqq33cfvs0zjuvGeHhLjp1SmfLlpto0iSZ//xnNvPm7WXUqC945pmF5OdXcd6oL/nXtZMZVH8QI1uNMA1UozORwiyymRWTRd96felWtxtd63RlU/4m1uSvIcIRwSN9HiG/NJ92qe1Yft1yPjznQ8Lt4bUBHUfcT8hLW7BvAZM2TyLMHoYiFIo8RaiaSrgtHN3QiQuLo9RTVjsG5eVea1nxH45lyCxOC6oiSEoKJykpgqZNE4iPd9G8eRIul0ZpqZe4uEh6986kRYskMjLi2LKliIgIO3fe2YMvv9zIv/89i/PPb03r1sknXIjzZDGTnxUcDg1dl9x1V1cuv7w1u3aVADB6dEtGjmxKVFQENpu5B3XWWY2JjHRQVFRFu3bpRETYavcE9+0rZ/z4DezfXwEcWkL8JQ6PECwsrAY0hFBwuTRuv70vAwdmh5YGFXr3zqR37yxatEhj165ShACXy0ZWVkztIze3kkGDsjlw4B7eeutMUlMj2bv3LhYsvAKX08n93R+goLqAq7+9moZxDbmq7VUs2b+Ex358DKfmpHVKa+wOOw7NgUCQHZeNK8LFk/2fpENaB3rW7Xnce1GEgjfoZVijYey5Zw/r965n6raptE5uje7VyanIQVVU9pXsIys262f3b/HPxTJkFqccRYDHG2T8+E2sXbub777bxvr1BUyYsIl16wpITg4nEPDRtu2b9OjxPps37+eWWzojpWTMmNZ4vQEWLNjGgw/2+JM1FY9NjScxYEB96tdPYtmyfRw4UM6MGTtZs6aAoUMbEh0dTbdu79Ct2/uUlRXy1VebmTNnD+npz6DrkgEDGtGnz/O89NKSWnX4Bx+cxQUXfInfrwO/ba+nZolTShg5sgmxsWEsX76fvXvL+f77LVRXB/jqq814vUU8+uhcBg/+hJkz13PRRS1wODScTo3XXltCixZv8PXXa7jjjq44HOaOg1nzLYywMBuqoqIbBu1S29GtTjemLpjKHV3vAGBfxT5Kykoo8ZSw+eBm/KV+Pl33KbtLd3Pj1BvxlHvo9nY37p95P7rU0Q0dQxq1D13q6FLHr/s549MzOOOjMxjxxQhQISM6g+zYbNplteOSCZfQdWxX9KDO5a0uRyKPKFNj8c/F2iOzOOUIIfD7gvTtm05aWh/atq1LnTrRNGgQR926UZx7bjNGj27FO+8sIxiU3HvvFQwb1gjDkMTGOvngg3PYs6ecJk0SQu2d2v4rIeX+hIQwZs26ipdfXsyePWWcd15LLrywJenpUUybdgVjxy4jMTGKUaOaEQzqREbaufnmTrRqlUFcnIvWraNIT48EwOMJMH36Tm64oSv168f+Zi/T4bDV5tE1b57E7NnX8Npry8jNreSaazpy6aWtWLhwH//+95kkJkaydOk+Xn11FDfe2AmQBAIGN97YmYyMKLKz+3Duuc1q2+7fvz7t26fVPq8Z5yf6P0GrpFZc1NJU5h/RZATvj3mfn7b9RKu0Vrw46kWiHFE4NSeDGgxieJPhVFRXkBmdiSrU4+a/q6rKTZ1u4tuN3+LTfXx96df0zuyNlJLvRn/HU/OforiqmKcHPk2L5BYEdR1NVYmMdFj7Y/9wLGUPi1PG0coeZwwa9Jtfe6jo5M/rdp0ujnf9E9mv27ChkGHDvmDevCvIyIj6RSWOGiM3cOAn7NiRxxtvjGTIkAbHrP31S9x11wxeeGEWjRql8MorZzJ4cIM/fZlWIlmTv4YKbwWKcqivhmGQHZdNRlTGb2pHNySqItiypYibbprCsmUFHDhwB5GR9uMojVjKHn93LGUPi78chmHg9wcIBILYbIcULWoCF2oSeqGmSOKhiaWmWvTvmbT/LI6uhFwTqq7rh0rJ1Eyshytp1ORy1eRwZWfHsHTplSQlhaPr5tJi6Mcxryml4Ikn+rJiRQ6RkTZ0XQ/1xTiiP6oqMIxDah9mfySaptKiRTyPPDIwVBZH4vcHQtGDhyt6/Nwo1ywJquJQzphu/LyzqlAJGmbJnZqkZoHgmfnPsCl/EzabrValw+/3c0ePOxjdcjRBGUQT5tSkKuoR16wJ01eEgi4FdrtgxIim3HprN5xOpXbsjqbGkB3v7xZ/byxDZnHqEYKYmBjsdht2u+13v1w9vqTFKed4XTnecdtxbtflUnG57L/42qPb7tQpg06dMn52/Ldy+eXtft8Laq7Dzy+kqceeSo71XXnceeN+sX079t90TYD69eO58cb4X2zvcOLi4k5ZdKvFqcMyZBanHEPXmTJlCvkFBRi6js1uR1XVf7B0cKjSrTQDYY5/jkARBopqEAyqSENihDQblROYnPXDCpAqijihNk4ERVGPKQhsSAMpjWO84vjUJJMjzEjY456HuTebe+AAfr8/5Ela/H/BMmQWpwxVVfFJGDxkKEtiYvAaBtVuD1tXrWb71q243W7r2/JxkBJUTaeiPJrcA3Vp3GQDUp7+pdUTwTSexzAjIVHgPxNFUWjZqjXBYPCIPTqLvzeWIbM4ZQghCEpISU7k/HOG1x7fkXOAbVu24Av4/9Fe2S9higgb7M+JYsXyDIaP2EQg8NuTpy1MpAS/30d8XDyxcXH/5ApC/6/QLPfa4lTj1yVe41CZlvjERJrZbBjG71tW+ichJTgdEB6hcmC/ndZt2uMPnN6ozb8rQggiIiIIjwg3A2dUUavjf/jD4q+FPOzn0b9bHpnFKceUYjq0ee9wqCSnJJ3GHv31kRKcAsoqICoaUpOi8Z/m9IO/M78mzGzx98IyZBanHWtS+XWkBEMBaYR+l2Y9NsuQWVhYhszC4u+DOMzg/wYDZvzOCMB/IlJKDCl+VlbG4u+FZcgsLP4mSMDh+G35YkJAhBWV96tITMFZh+o43V2xOAksQ2Zh8TdAAjZg5w4oLf1ltW9FgDfoZ/XBDaeod39fpJTYFcHu0p30yux7urtjcYJYhszC4i+OYZhGbOtuGP85/Ot689ix0A0dhwIfb/iM7UVbyY7LJiANFCvO/JgIIQjoQdqktqd+bBZeQ1o6i39DLENmYfEXRwhwqqADXbtD1/bgBzjKmEnAqalogIHkXx1volFMhrX78xvxWEFHf1ssQ2Zh8RdGCPD74d2PYdNm2LcHSoqgZ1/o3B48uilRZUgDp6KwKm8d83b/xPK85Wwq2EDTxCaMajGacJsLq2zXL2N5Yn9fLENmYfFXRoIw4PFHIWeveejrCfDKm9C9g7nEaNZHk9gEbChcxz3f3AnhgA8S45MZ1eLi0CQtsaQsLP4/Yn0FsbD4CxPUISYMbrjJfK4okJkFF1wIXnkoglFRFDxSck7TETTKaoyCAgpc1/FGkhwRBHQdy4hZ/H9FOaY2i/WwHtbjL/EQQEDCsHMgNs70wM4eAckxmBJVhM6TAr9uEG8PZ0TT8zC8BpERUZzTZBRBKU0x3r/A/VgP63FSjxrkYT+ltbRocZKYJUROdy/+H6Oahqx5Axg4GL79CsZcYf7JppnjX4MSqtl1SZvL+d+CF+id3Y92yU3xAHbNepP+bIJWzc7ThmXILE4YRQG324fX60E5yppJTG+hpl7Ur0kpyVAZ5ZrT5DFPOvLpP0WeSdchygbdusP8OVAvA/YfhGPFJhjSIF2LJ9mZRtf4HpSVlVIRMGorLVv8OQghiIqKssoQnSYsQ2bxu5FS4tAE+w7k88Bdt9EguwEeTwAhlFoDJkIrWaomcDlsBIPHk0uSKMIstlijfm9IsAtqraEQwpy0Qz+FAn6/JKgf09z9v0QR4PbAmUPh5Rf5hQhEczwHVvWjaEYuz895MVT/y5pg/ywURcHjceOKiOTRh/9DpS+IpllT66nEGm2LE0IDKspLadKoNYZ+LvFxHhRUhDDQZZBAUOIUkrKDpbTrXJ/h52T/Yns/7SnD7nDRK9WUCnq4APZXgVqmEyj3oZcH0CsDCE+A0jw/1w5L5uwOzlNwpxYWv467uprHnnwKRUrLKzsNWIbM4oSQgMOhUXDQQ/PsADffmctKKsghG+lpS3C+Sh83FKxfy5TN+zhrWBZ+v4Gq1hSDNEAoKATYt+153l/Sjg4NGtM6pg5OVeVAsR9npSSY78Hp8xKo9KERwFdloJb62LFbQW+bRlCXaOo/Z+IIrcD++nnIP73assUhqqqqzNJEQliG7DRgGTKLE0ZKiaop2GQQo/JHlrvyWKAMQC1rgTJPoW4+uPYW4TxTRVVVXK7D92lUIIjMf4bUit1cE5R06TEYl6JQ4Zd0DMLFWWHIhmEcKAHVBhWFEJcJ+/N0Nu0tCk0cEtWKNrE4zdhsNsrKysgpLCIiMgqHw26phJxCLENmcXIIAUEfSmApuyNzWEgWakBFWSM4dyuk5x8kMDAOgKnflbJwYSlJSQrFJRWM6v0+rRtI1k+3sVZkM+2Z73n4toHY7Q487iALNvnp0NLO3U9V4RE6lwyM5q1nS2mW6aBnv9N83xYWh6HZbBTk57NkyRJatmxJ3czM092lfxSWIbM4CSRCUdCrSig/sIXdRjl7lN2Qlw87XeTs0NDZR9CIBmD79ioSsx3sLCvnigHjaJ3iZ+JT1Yz3n0+dRvWp9G+kqKSC9PREDK/OroJKnI54XnxMo2inQbuWAcLDgzRrobJu12m+dQuLw1BVlYryMvJzc6lfv34oUtdaKThVaJb3a/F7qc1PlKCoGuWlhSxa4qcgViC0g7B/PngcbFPs7Da2EENLAOJidVYWagQLx9MueRvf/C+WOxf1Z2+Jjyab9nDWxRqKCroEuwiyYYufLz6T1Kv08mj1vcx27CVQXcBP3W8gbcwlp3UMLCyO5tBcKo6dPmJxUvxCPrTlkVmcOIaU2FSF4vJSFqz0URwBqloEpUsRPo09mg23sZu+oT0sqehIvQr3lkU8ck8CL6/phZsoKCnGH+VAEkQgkRKcAt78TxqPPQdDzoghPP9SEvNyUXwV1G3Yjhy3F3Cd3gGwsDgKy4CdHixDZnHiSLBrGsu3F3Kw1GBLEHS5Gzw/QgHMRVBKHt29Zn5YWbWPpChBVatH2KrHMKyxB+nzUFUZQWpKJMXu1SAkdgV25/r5YlEJGa1hf1CyM7E9akoXNKGwO78czesF+FkitoXF6cBKOD+9WIbM4oTRDYHd5qFVj64UFLxKU0NgSB2kARgoqiSoe2nRKhG3p5rMLIX5c3fTONNBILgDqQYxlCBC9SPFLopLq7HbNdzeai7s4mBHnpeYBAj4JOFGNVJKJJAWLujULAa3pxor1dfir4Db4w4lnlucDixDZnFCGIArLIxF8+ZzRn9IjlJRDxf+C5kXgZ31S6aybPa3uJwacTYFzx4jlONkyn+YGU+CNLvGC4++ZCqH2AR2TcE4Vt6UgKXfGOj/IGUPi78uiiLw+fxUVlSiaZpl0E4DliGzOCFUoMpTxYCug7n7+tupLgLtOEWBVDVU/NEwpZWO50FJQAut0Eh51H7DMXQWraAwi78CigpVlQYjbh6KrgetaMXTgGXILE4YgSAQDGAEDAJ6EHmcj1PgeDKLx8Af/IM6Z2FxilAVcPuspcXTiWXILE4KIQSKoqAIxSoVb/GPxCxlZH32TyfW6FtYWFhY/K2xDJmFhYWFxd8ay5BZWFhYWPytsQyZhYWFhcXfGsuQWVhYWFj8rbEMmYWFhYXF3xor/N7iD0FKQkobEkVR/vBkZeOoDGkhBEKEEqdD0lWKoDYZ1TCOzOk5WpOx5u+HHzcMWSt59ZvOl6bAsRLqy9HtHN4fCwuLPw/LkFmcPBJsNoWwCAGGwOeBoP7HKm+4HAJVo9aY+f0QDJo5PC6XAAEBH/gD5nXDXAJFPXS+12cqi4Bp+MJcpvHxeA9dIzxMIDTQ/eD1HaonJSU4nQJNBbfn533yekE3TANohNpWbBDwgs8vLWFjC4s/GcuQWZwUUkrQIL+wiukTdqIqgiH9GpOY4CIYAJDoRo3nQq23JiXohkGNCyQAVf35SreUpsTV7pxKikvcCMVsIz0lktgYJ4GAwaIVBRQWVdK2RQbpKWF4fZJtuysoq/CiCoFQBPXrxhLm0gjq4LALVq0vRFEFzRommhrHwLrNxezaV0Tj+sk0yo7B5zO757TD1h2lVFT5aN0s2dSJFGafdu4tpnXTVGJjHASDpnFbv6WYfbkltGmeTlpSGF4ftfdsSPkzD87CwuLksAyZxUkhJWCDA/kVPPX6XPYdyGPmuJvIyKiDz2fgdCiERwjzk+YFTzUYOqgahEcrYAeCgA7uyqPbNr0Zry/I0DEfsWtvEVFRYZSWVfHxyxdw6WXNuffOn/joq5VIaZCcEMnML6/Eptloc8ZrKAI0m0pllZvFk26gU5sUhJDsz6ui+4i3qFc3npXf30B4lODdj9dy31NT0TQVv19n0vuX0b1jOj6fpModZPClH1BW4WPbvNtJTXUybeZerr57PPvzK5j22dUM7JmJZoOPxq/j1ocnY9dUwsKc/PDxpTRpmIDXK7HZBA6HwOcDPYgl229h8QdhBXtYnBSKIsAN3TtmMOWDS1GUcHN+luCwK+QXunn4ybmMvvJb3v1kDcGggc0JlVV+nn1lMRde9jWPPDWPV95awdFSdYeW9gR3XduDVdNu4O2nzyHc5aRj6wz0ShgxuBmb597CuNcvYfvuHLbvKiMyXOOp+89g7ZwbeOjWPqQnx1KvTix+Pzicgv88N5OoSBvRkU6CQUnAB+1bpjH3q2tZ+PUNlFW4Wb7mAKoNwiIET7+2gKpqH2nJUfj8OkEftGmexFP3n0mYy4WUEqGB3wdPvTaX/t0bUZxzP9XuAC+NXYLmND2ysnIfU3/aSVGJF1XjZ/drYWFxYliGzOIPIRiUeP1BDEMSNAykCkUlHgZcOJZX3ltIbmEF/7p3PLc98j1+qXP+9eO496mpVPv8vPjOAm57dFJo2e3IdqUEp0Plmovb0KpLEsvX7KdhvQQa1IvG45b06ZXBuo0Hufimj+jZuQUd26SgqSq3X9ORho1jWbp6P22ap5Kc5sDhhMnTdrI/v5LH7xqCxxskOlbB54V2rRPRVJUhY8aSkRrLuUObgYDlqwuZtWgX/3t8OIZuEBvtxDAgOclFh9bpZmCHBAxzCTQpPoK1m/L48IM1BPUAB/LKIQjhkYJ3v1jBWZc/zf8+WIQjEnT9d6gpW1hYHBfLkFn8IWiqwG5TQ78riEiYPm8H2/fk8tmrFzF74RhuGNOLz75Zw4wZu5mzeBsvPXwOU767kGXf3cDr/x2BpgqMY3gphiFxeySVuTpfTFpL/57ZaOGH9tgyUiIYOaQNW3YUsHZTIZodqqslB3Z4+H72Ns4a0BgMMwDl/qemU+32snjlPnbvK+SJlxaiqoCAiHA75w9rg8cb5KcFOyECHnr2JwqKKlm2eh/788v4z/MzcXt1AHw+U6pf01RzmVBInrzvDFRV8t8XF+DzBUhJigQFvG7JiMHNuPeGCzj/rJYE3KCq1tqihcUfgWIGTFsP63FiDwAElFf6ySuoQhGCgoNVVBfrJMWFAwYbt+VTtN3Llh0HCXPZiYtzAirrNudRsStAUamHsDB7bVTh0UgpCQsXLFuVy/68Mob2bYT0mYrjU6ftJjkxgvtu7MvB4oOs3ZiPaoPwCMEPc7bh9frp36MBuh98XnMpslnDBDbvOIhQzAAThw1mz99PRZWPR+7oi89vMHvRLvBBv2716dutLuu3FCIwUIRAUwV+v6SswgxhLC33EPBLfF7o3TOd7fNu4z+398EfMDh7YFMMHYQiqKj04fZ4qKj0IRSspcX/h5zuf4//3x/HG2/LI7M4CSTSkGCHa++dxIirP8CQBpfd/gUjR49jYN96XHZed+598gcatHuJRat28+S9A+nVM4MHb+7PhxOWU6/Liwy6eCyTpm9CVSW6bqAbEl2XoZ8GQV0ibPD+lyuJDHfRsXU6fh9IDB56fgYZnZ6jRf+XaJxdl0G9s/F7zND898atpGWTVLLqRuL1g5QG/32iN22aZbAv9yCVVX6q3X4UJ7z72XJaDniJuOZPYtPg6os6EqiQ3HNvF4b0bc6ufYV4fAHKKrxERCk89vI8ho4Zi9cXYMytn/LE/xYQGS946/019Bz1Lrc+PJkHbu7H8MENqao0cLhgwfI9vPrBVGbM34Hm+Hmum4WFxYkhKoLW90KL34eUknBNsHrLFqZ9OIUH77qbjeuKqKoOoGkawWCQ8DAHDevHISSs3lhAQVEFTbKTaVAvCr8PbHbYsLWEvftLyMqIo2mDOGwOzK9WR++TBcxAitUb81EUQetmyQSD5p5USZmbFWtz8fmDdO+QRVKiE18o3H3Zmv3Ex4bRuEEcAX+oMWGwJ6ec8goPNk3B5bKTXS8Od7WflevzKCqpokOrOmRnRplh84okN6+S/KJKHHYNTVVp2jCB3IIqCosqsdk0AoEgSQkR1EmPZMHS/eTkltCuZR1aNI7F7Ql9YxTgDxhs21lMdpaZCnA8D9Ti74WqQmWlmwvvGMHZ559Lt+49adSkiZUM/wejGzoxNpWWb7Xm1i53c3WbSygLBFEVzQq/t/gDkNAgKwGHw/wdYYbY1yQbd26bDEoyegDcbolQBEGvpFWTOFo3j8MIgq7De5+tY8W6fdjsdgzDzLcKBAN0blOXS0a2pFObFMBsVwjzNYlxYZw9uAFgGjuvz3wdQJ+uGQR1ag0bgJQKTbJjUbVYkGYis89r7o+d0ScTBAT94Am1Iw1BZp0oGtSPAmkuB3q8UDctgvqZEbX3GwyY1+nbLQO0DAw/VFWb6QMC83UOm0LHNolmcrbO7w6/N/PQDATiT0+yNoNYzPdKOYkJWdaon/wFksKNUMKgEMLMBfwVJLK26rNVOPOvjWXILP4QvL4AgcBhHydB7QRYVf1z6SchBNVuc5IwIxMFumEQCBoIxcAwDIQQBIPmUqMQUO02QhWpa9oAf0DiDXlbymHXrLkuRx0TwjR20nvouXkdCFSG+nnYa4QAv1/i8x15Xz6/xOvjiHaFEMe81xp0afZJHJUQLWsXRY6fKC0l2DSwOxX0ALVJ1r8V3fh9idgRkQKECKmc/Pq1pJQ/80CkBLtNoGlHKqjUJIarp9C4GdLApSqoKviD4A+NR80XAwCEeR+KUDCkxKYIHDaBroNHN2qNmfl2me+Z5XX9NbAMmcVJYxjmfpbANBzI0MSnCqSUh2kSAoiQLqOp6aQo5jker+Rfo9vwr8vb/PwCAah2H1v5QwjB8YL/jucFHG1IzGPmfRihvgvl0DmHH0eafzukp2j+LoQZhfhLnofAfO0RSLDbBYoAQ5qenSQ02RuGeV3A4VAoLPYwa+F2srMSadc8mUAQNE2pVUmp8fzA7Is4zBhHRgh8ISmtGnRDHuq7Yp4vMa/71ZQdlJZX06pJGm1bJuP1GrVjakhZq8RSo3XpcJgBMDXja0iw22Hv/krKKjw0a5hoHjdAU818Po/H7K9EokszElRBwcC8lirMKFhd6rWGUhUqAtMAGdI0LqbnZKAq2nE9rTBNYUflPvZW7qF5bEuSnbH4JURoCroEVdSMu8Cng1MVlPgr2VCwnoyIOjSIrIMnJIlms5n3KCWHlqwtTiuWIbM4KaSUKOGCOMMONsDA3OcKQnUFaJogPPKQskd1pTnB2cIVMED6QThMySdvOQSq5M+W3I7l3fwZRMYo4AT84K00ly6FgMhoBVxAwLy/gDvUf8DwguISYIC74vddzzAkrjDBj7N38crYOTRtWIen7hsACBQFwmNCyidukAbszyvjstu/4IKzOzHu8xG4ysDtBk2D8EjFVEixAxL8Faa3KpBUe4Lc9d9Z3DimC/XqRqHrptGKjBQQJiAAvkoIBEJtRShMmLqO8VNWcMnIrnzy5nDsTgU0MDygOM33wl1uynchBHc8Np17ru9JerqLynKJppq5hcOv/IQde0rYufBOEuNdSGmw90Alr7y/mH/f0ofIcDt2VSHcoZlLtzoIVQFh6mkKATabZn6mdPAFIGhAhE0BVUEP7ZWiqAT84DeO/PjoUifMpjJxz2T+tehyDEMS7Yxiav8ZpLnqcPH8MVT4yqkKVqIKjeSwZF7p8CY+o5rBMwaQU5WDXbUztvvHXFBvBFV+nYeen8PaTXu48bLeDBvUAJ8Xi9OMZcgsThhpSJwOjSVzDzJr3ma8PogMt1Ne5aNuWjRXXdiGgiIvH7+7ih17SujVOZPRI1uydWcZ46esJTLCRcc2GSxcvhdpSMaMaktivItg8OfLVH8mQgEkvPfJWmYv3k2b5ilceUEHwiM0jCB8OmEjPy3YSXbdOCIjnAzp15DJ0zeDhK7t6zJ78S6S4yMYc16b3xXAIaVEtQtWrMtl7tIDPHrXEECgquDx6Lz52gpWbcijV5csLjq7FV26p9KvR3P255bx2svLCXc6uGh4KwoOuvnk7dVkpESzYVsBDrvKNRd3ok5qGEqMwFFi56MJq7j24o646ir49psG4stvNzN15jays+K4+qKOpKY4KSsL8tGE9QzoWZ89OeVIKdF9klfeXY7HG6BXl3osWZUDSG7/V2e+n7WbcZPWsmZjPvsOlDG0X2MuP681tjB46qUl7D1QSlpKJNVuP2nJLhwZCkqBwofjV/HEPQOJqKOwc+cBxm38HCEEPZJ6srJ4BZX+Ci5tcCU+3csXuz5hR9U2WsS04sqG/yLeEcXknGksPbiYEZmjWFa0hC1lm7ihya1kR2bi1w99fgSmx/7f9Q/TOr4dc4b8RPr4DJ7d+DTv9RpLrucAW0o38kibR9lQton3t7zLw63+y1vbXqfAU8C6kRu4fent3LHiZoakD8apuRh1ZnPe/GgJHVvt55yzGyA9v/g2W5wCLENmccJIKbHbVLZsreTBZyeRlVGXPfuLyUiNpbjUQ2ZGDA88PZ0tOwto1TSd98YtZPXGflwysg2PvTyDmOgo3n9+JA88PY3UpCguOqflKRfTNQyJyyW47JZvmTF/K+cOacWL78xn6sxt/PDlpTz4xE+8NHYm3Ts0Yc7i3ezdv5tWze5k0vQtLFy+icvO68FHExZxxXnduez8NqFxObRn9Fvux6YpZKbH0rVDKu5qSVA3GH7Vp+QVltG3W0PuePQ7Fizby8fvDMdhU5m1YAO5hZXs3lfIjPk7eeSO/rw8dhFFJaW0a16PDdty+WH2Dia+cz5vPrOSwqJKFKHwyEuzSPk0nPtu6sk7n63kpXcXcMnIdnz2zSomfr+R6ePGcMlNXzNr4TbqpiWw90AurZom4zck0+ZuZ/q8VYwZ1YuPv1rBGb2acuPlnWmQFU1VtZ9N2/cSGeGgUf1YNBts2VLOxO838vp/h/PYy7NJSghnf14Vzz08n4IiN6qqcNNDk0hPjGTo+Sm8tOVpij0lfN13Ko+v/w9ev5dLs8ew+OACZuXOoGV8Kx5YeTfFvmKe7/YUG8s28OTqR3ln2xukhqWxv3If3ZJ70iQmE69uoGIuS8rQXlasPZYdlVuZsHsCwaDOfvc+7KrCkLSzyKs6wPqyjdgVBx/3+Zx4RyKLDs5nUJ2hNElqyPlZF/NjzlRy3YU0js6kS7sU6tWNwxYSALA4/VihOBYnjFAEPr/O8EH1iYyI59kHB1MnLY4n7hlI4+wEPv16Las2HOCTVy5i8bIruf7S3rw8dh5N6ifw4n/OwWFXSUmMIjY6jA9fOpd69SPx+U6dN1azt7NnbxXjJq8nNSmG8DA7GWmxbNxayIpleYz9YgWjR3ZhwezLWTr5Op66/3xaNk5mwaTLGXVmZz6ZuIBn7j+H998ZRiBg7gVqGkSEC+w2jp3F+bN+QCCgU11lGtVV6wqYt3Qb6SlxRITbqZMWy7yle/CWQlA3aNaoLrvW3cKjdwzhi0nLcThUhg1oQuP66axcdg0fvnwBq9bvYMXafKqqfOTml2MYkoPF1RwscZOb7+ajCWtISogkMtxORmosObnlfPD5GmYu2M4b/x3J7pW3kJacRLU7gMulMG3caG65chCffr2AW67oybRvL8bQoUl2POFhdq6+qDtxMS6aNkxGhMEjL8wkt6CcTdsLOZBfxhOvzqW41EtBkZvCoioMXVJ40M3e/Arax7bktc7vEG4LJy0snXAtnDe6jaVefDrxjgTinHEU+YqIscWy370PgnBviztplNCELkndWXP2Gnadl8+wjHPwBA7trYHpkQUNeLTN09ixc8fyuyjzlZDgSAQBnmA1Zb4ypu3/gZzqfVza9CISnfH4dR82odW2gTDzFgVQ7ZH4/PphQToWpxvLI7M4adweM2ggGDwUaWgYBlGRDsBg975iKg5ksmd/CQ67nWqPn9EjWvLsm/MYec17tG9Vh/49Mqkuk6dctskwIMyloakKLqdG7y71qJseTU5uBakpkbicNvbklFKW46ey2kdqYhSKIti6vYwD+RU0yEph9pLdXLC1OUlxEWg22LmnnOfemk3vLg25ZFRz3NW/rSaZogikAZER5kZXXIyT/j2ySUkMp6zCh+owg2Qqq/yUlPgoq3QDmOMtJQdLKlg2J5clK/cCKg2y4hh1eSPc+yCl7VO88uhZtOubgC/XvJ6qCLp1zKRx/QQ6talDZp1YIEh5lYfCYjcer9+crCXs2VPJ9t3FNKyXyor1B9i4poQGmXFUVUsevLUvWekx7M8rRxUKejV0aJ2OougsX3sAISRl5R4aZccz/qtz2bKkjI5nvskXb1xIfKaGr1AyNOwssiLqcc6MoSRHJHNe1igOVlYxZuGFNI1sxtgeH7GuZC0+wwwVLfd78QQ9NItuRrXuxqa4UMxwoyPHVCj4gtA7tRM7R+1k4t4pnDf7bIaknwkCqoLV1Imuy3d9Z1DqL6Gyyk+k3U6L2NbMzv2JwooSfsidQpwrnhRXEn5DmqWBrGDFvxSWR2ZxwhiGxOXU+OaHrVS78/j0mzW43X7eH7+K3IJK9udVcOWFnbnrv99Rr9WLzJi/lWcfHEpsjIPERAeXn9+WvMIibruqG4oGxm9xX/5AhBAEApKUJCdP3DuALTvyufuJ73nqtTksWrGXtOQInr5/EMvX7KV+lxdpN/g1Xnx3IQUHq+kz6n0Wr9zLqKEd+HH2CgZe9BFev44tAn6YvY33v5xLcmLEb5rwRCh6U1PB7ZW0aJLAbVf35acFW7nnv9/z3JtzySuoZNnyXGYt3EZBURX1W73MS+/O4eqLepDdOBKBwOP1MfyKcbz1yRLuv2kgLRrHU7VHp6rax7CBTbDZFNw5BjYbPHX/GZRVVHPfkz/w2CuzmDprK107pHPR8A7c99QUmnZ9HbcnwNc/bmL5ygIuuGE8P8xezXlndmDRih10HfYOB0vcOByCxvViEAKyM6MJD7NRXW1w192dufic9uzJOYjX58XnDyKlxHfAQBpw9sAm+LwBqvMNfEGDKKeD6xrdQn5pLrc0vYNwmw27UOmc0JUNpeu4bMFFlAdL+XbvRDaW7OCaxZeRU7KXZzc+SfZX9VlXuga7ahAwAuhSr334DT92Vefj7eMYNG0Q1yy4jBub3soVDS5hX3EBX++dwKbcDby+5WXaJTZDl2YwyT3N7yeITvaX9Zi4azxPtHmWWEc4fsNAVc33yzJmfx0sZQ+L302NsseqzVuY+el3XHHxjWzdkk9cTDQebxC7TcXnDxIZ7qBBvRgWrThAwcEKmjVKoVnD2JBiBlS7A6zdWEDntumoys+/TZ9KXE5Yu6mYTdvzSUmKok2zFMLDbNg02LqznA1b80iMj6BDa7OvazbmoWkqifHh5BVUoGkqTRsmEuYSdBv+HlGRLqZPuJjqUvnzkPsQum4QGavw+PMLeeOjJWyddxuaai6LOeywbHUeu/eXkJkeR5vmKXh9QTZtKyQ+Noxtu4uIinDRo1MGARnk7DFfUFkd4MXHBhITFk7ThnH4/abHqShgt0EgaD6XEsJcsG1XOas3HCA2Jpw2zVKIj3fg80rmLd2DEILM9GiKyzw0a5DEngOl+HxB0pKjyCusREpo3igJm00JpV6YuQk1YelClezPrWTv/hJcDhuaptKySbKZByjMEHZ/4FC6gCLApwdYVryETvFdsCs2VAWqAm4WFM5HU2w0jGxAvqeAFjGt2OfeS6W/ojZUv1l0C+IdYYhjbVspMDNnATvKd9A2oR0d4lvhN8CvB9lcvpGAHiDelUBWRF0MKQCBS4XdVbksKVhIdnQjOiW0xhM0PetAUKdF/1e59Ny2PPFQb6rLwOO2lD3+bCxlD4s/BSHMEOvkdBcJkfVCYfLm5FSjvOH1Qe+u6aCkYwTMZUhFERg6RITZ6N8zA7f7N20l/alUuyWtm8XTpnU8GOAN6TUGApLG2dE0bRINErxuM9+ra4dUkGbIeladcAgpfvh80Kh+Atdc1AHDXyv8cXx0SE+OREofdz7+I688MhQQeLySrh1S6dolFXTweCA8zEbPrukYQWjWNBYjAIod3h27jkUrdiJRee3d5Xz26ki8XvPKNZWpPYcpnpjJ5ZIGWdE0bmTel99r3rOqCob0rweAEQRFjcXrhXYtEmtD4jPrhAPU5oEdSjg/1L7UBfXqRNGoQZSZkiHBHYruM47qT80xu2JjYGpPPEFz3AIGhGlhnF13kDlUOjSMqotXh1YxjWqjTQn9+Cl3Pt/vn4ym2mqDbXQ9SGp4Bnc1v4X+6T3AgKqAgRAKNkWjc2JrEGZ+nVc/9F65gwaZ4WlkNzoPdKgKGrWJ0g88/RN+fzUZKVGgn/BHzuIPxDJkFieFEGYuWEVVAJumHWmRQioYVVXHUvYwJ6aqqt+2f/Rnoyim0khNP2uUOoQQuD0S6ak5bhqHqqqa5F/w+o+8t49fHk4gAB73L+e/qaqC1w3nDm1O1w51DyUlhySdDlcJqbluZaWZjCw9gJTYgwpnDWxM62b/QmKmP3h95jeJw698tMyUopjGskbhRAktbxrGoWscfm5NX5SQMas5fjxqFFFq1E+OzgU8luyVgaQyYNQGawhAl5JK/yH1DalLVKFSHTRqIxINaRBht+HVPRR5i7BpNqQ0jVVQDxJmC6c6oNd+NGval5hGTSJRUI7woBSh4NUNpG56mzWqHooQ3HpVV268rDOpSZF4q0J5bBanFcuQWZw0pp6ePKTmHvLIVEWplSM6nrKHqgiCIbkJ7RjKHacSU4XE7KeolSM6pEwiBKihyc6o0eBDmBUAjpLGqjGEv4YuTYNWr04MArNmWo0XVdMfIUBIaSqbSGnmnAuBAfj8BmlJ4WRmmF6SEfKCfwvHMkSH3+Pxzv2tK2a/pLpyzPMRR0QcHu8YHKl9qAoVXxCGpp/BsMwzfvZlCgPcwWNf85c0FI/1NymhXp2okDya6Uladuz0Yxkyi5Pi15Q9VDWkUGHjmMoehi+kFCFMdYlg8PdpCP6R1Cp4+MBTae4n2e0CW7gw++8HbwUgICpGAXmYsocO7kqznd/lYcqQrqHLbF9WgR4ERYXw6JCyRwDQzWXNsOjDFEWcpq5SdTl4/SEvShzb2/kn4DUk0if5uSX7Y0V/ff6/jhCyhYllyCxOmBpljxULi5m3cBs+vyQizE5FlY86adGMHtmC4hI/b3+6hp17S+nRsS7nndWUbbvK+XbaRiLCnbRtkcay1TlIKTl/WCsS4pynXtlDmHt7n07YyNwle2jdLIVLRrYhPEJl564yJs3YzLadxTRtkMCVF3bA0CVvfbIGTVPo0CqdBcv3khgXxgVnt/zdpVnsdhg/aQs/LdhJ04aJjDm3LdHRNqqqdD56fy0bthbSoF48CbHhDOrdgPe+WE8gaNClXR0Wr8whItzOxee0PqUCvH9VBOKUfG5+a6K7xanDMmQWJ0yNssfadWXc+fhXZKRksD+/jJTEKCqqfKSnRvHgMzNYu2k/TRuk8uoHc1i14QzOHdqc+56aSmx0NO8+ew63PzqVpPgIhg9qgiKcp/QeDMOsPn31Xd8xdeZGzurfnCdencmUGVuYOv5i5i7Zwzc/bKBlk1TueeJ7iko93HVLN975bAWbd+zhygt78v64+VwyohsXDW9pxjX8BmUPw5BERAhufXg6n3y1knMGteCld+fz7Y+b+faTCxl900R+mL2J7p0a8OYnSwhzOVg7/Wa+mLSehSs2cOUFfXj/y0UMP6MNo0e04nfXhLGw+H+ElUdmccLUKHuMGJxNZHg8zz80hDqpsTx13xk0rBfPxxNWs3T1Pj566SJWrfwX11zUk2femE2zhok8+8BwXE6NzIw4YqPDeP+Fc6mfHYX3lCp7gMMu2LOvik++Wk1qUgyJ8eHUSY1nwbK97NteTfNGSaQmR1JZ5Scm2sWWHQdJiHew6ofrGDG4A598tYAn7hnOJ+8Ox3+4skeEwBES8D3WdW02QV6+l/fHrSI5McoszJkay9pN+Uz8Zis/zN7I0/efxYL5lzNv4rU8eEsfUpMimP/N5Vx6bk8+nriAe28cyLefn18bwm5h8U/F8sgsThpfqPRIba0w8z8iIkxlj4KiCrwlBgVFldg0jSq3nzGjWvHCu/M595r3adM8hUF96lFdfqqVPSQSgdOhoSiCMJdGl3Z1SE+OZH9+BaqmcNFN40mMd/Hhi+eycXt+bWDKvtwKSso81E2PZ9maA+TtcxMT4ULTYPf+Cl4ZO49uHepz4YhmeI6l7CHB4VDRVIHdptK5bQZ106LZn19B3YwYQFJwsBK9yIxEbJKdCEj251VTcLCKzPR41mzIY9/OKpLiI2qV+i0s/okoNVuj1sN6/J6HgVnPyuXUmDh1C1XVB/joq1VUVvl474uV7MstJye3nNEj2nPLf74ls+ULTPlpI0/eO5i4GAfJyU7GnNuGfbl53HpVN1Q7h6IeTxFCmDW0UpOdPHJHPzZuzePhF2fw7FtzWbhiHw6XoHmjJLbuPMh1902msMjN1Jlb+WHaLgZe9CFzl2xn1JkdmTR9MX1GfWAqe0TCD7O28cbHM4mJcnGsrSshIBCUxMbaeOyu/uzdX8TDL8zgmTfm8uPsbbRtkcwtV/bhpbFzyGz3Il3Ofp0Px6/C6w3SZ9QHTJ+3gfOHdWLa3NV0Pftdqt1+NBVL++8vwun+t/n/+XH4GB8+1pZHZnFC1OQFVbsDXHpBXRpl30ZCXAweTwC7XcPrCxIV4aBJg3guPbct+YXltGySRpvmCXh9Zg7ZXdf1pE/XbHp2zsRbfezCmX82imIWeLz3xm70657Nhq15pCZF075VGnGxDj555VxmL96DIgRNGyaQV1hN0wYJfPq/USAEaUmRDOpdH5umYdNUDC+M/249fbu148zB9aguO3aenKIIPG646fIOdO+QyepNuSTFR9KhVSoxUQ6e/7e5l7g7p5jsugm0b5WGlPDBiyNBQnpqFAN71kdRBHabLRSmb7lkFv9MLENmccIIIQgEDdIyw0iNbWgeq1FbEGZOU7XbYFCfTFBBBkxFCUUxy8dHRdgZ2j/LVPY4zc6E2y3p3DaZzp2SwQCfB/weiIp0cP7wxgAYAWjeNA6/B9LT0gGzQnB2/UiQptKFzwt1UqO59pKOGMHaoTgu1W5JmxaJtGubCNK8pplwLOnVJZ1e3dNrlT0AenUJXTcA2fUiATPx+nSPn4XF6cQyZBYnhRAgfVBW4TcVFTAnbjPoQRAZqeD3mYm7tXtoHFL2qKySf4nQ8Vr1ilDmsyLMYJZgUOIvl7VKGdJj5mn5Kw8pXXi98oh7++L1kQSC4Kn+DblGQuL1COw+U5IpKA1TYUMalFea1klKiaZqaIpAek1RW5+UeL3UJpVbWPyTsQyZxUlj5mGZOnRIc//MZhOUVXiZNmcfmRlxNM6OIxg8tMym6xKJ/Ispe5gPgTQTy4CQWUYaEinM5U+BuZ8nASl+LnZc7ZG1slK/dj2nqlAZ9LG5dCdp4WkkOWLM8VNV050LdSMYhFJ/NT8dXES8M55Wsa0wFIkmbH/gCFhY/D2xDJnFySNNsdmIWMX8RIXkgJavLmLENR9wxQXdeP+jYVAM7mpzfo6MEaAIAm5M5QzAU376lsikhMhoAS5xpLKHDWwRSq2yh6fCNNxh0aayh+4D1SlMGaQaZY/fsFdlSAOHKthRuYsRs89mZ9l2EpyJfNn3W6LtMTyx9mG80kelv5zOiV25pektlPgqGDFrKD1SezP77J/Mfgb4mSG1sPinYRkyi5NCSgkaVFb5ePez9ezPqyQiwk73DpmcMSCTnp2bsmtvMU8/uoCk+CguGt4KTYHPv9pMRaWX/j2z+W7GVgCuuKAdDruKYZzaUHIhzLIiX03eyryle2nVLJkLhrXE6VTYm1PB97O2sm1XMU0aJHLJyDYEg5IPx69H0xTaNE9l6aoc4mPDOGdQU35P4KVNFTyy9mEOuPezYPhirl94HTcsvZpv+kxhyoFJpIdncFHWaB5f8TAbyjYwZcg3nJM1is1lG3hx1Us4lAguzb4Cu9D4nYIiFhb/r7AMmcVJENpTssNdj//IxB82cO3oTnw8YR0eT5AzhmYSEWbjh9kbyS90s3VXLhmp0ZzRP5Nxk9Yy5af1ZGYkoesGFVU+BvbMpknDuNo9p1NBjbLHjQ/8wNc/rGNgj8Y89Ow0Jk/fwjefXsCM+Tv5ZOIqmjVK5Zb/TCa/sIpbb+jCC+8sZMee/VxzcS/e/XwuFwzrzMghTTF0aoWSlV8QDlaEgq7DwoPzOKvO2XTKaM/o+pdzz8pbiXXEMzBtEAfdhdSLzMJmt5HsTAbMsiYbizfwrnyfLcUbCNfCubzRxVT69GOK61pY/BOwlD0sThIz+zk1ORJNlWzaVkSfrvU5a0BjM0rR46dr+2zWz7qeuJgo5izeDS54+v5BaJqTi4a3ZsfiW9g061bq1Y3F7z91Yqw1yh57c6oY+8UKUhNjyKobS0ZqHNPmbGPv9iraNEslq04sgYBBdJST9VsLSEwwlT2GDWzLJxMX8Mgdwxg3duQRyh6RkQKnQ/ziup8EdCOIQ3GCDg7FjiIUKgJVGFKyqXQDY7e/S4wWgztYTTAAft1PVkx91gxfS5OEZswrmHNKxsrC4q+MZcgsToKQlmAQOrRK4+YretKsRQJf/7ieux7/AaGBoUsyM2KwhQvCXHZzD0yAL2CgKgo9OtXFYVdJiHWdhjwoM2DDblMRCMLCbLRtnsolI1tz+9U90DSFi28ez449Jdx1bTfqpEaHohqhpMyL2xMgOSGKTdsKKS701lZi3p9XyZ2PTOOrqVtwuI6d6G1goKnQOLo58wvmUO3zMjN/BtG2aLIikinzlzA082wWnjOfs+uN5Iutn1JUVYlTdZLiSsFhV4jQIpDC2iGzsLAMmcVJcGgSfe6tBbz6wULc7gB+v0rLJimsWFTAguVbmDFvB/f9Zzb783L5YtJa1i8v5vLbv8LnL2fUNZ/RcfBYKqsDtdWlTxU1yh5pKS4euLkX67cc4Jk35vLS2AXMXboHm0NQr04s23cXccdjP5BbUM2UGZv5cdpu+pz3PjMXbOH8YZ0Z/918eo54H39I2eP7Wdt48d0fcDltxy+6KM1aZA+2fIic6n3U/7we3+yewDPtXmZ50WoW5M7ji12fkPZJOu9tfptzG51Prnc/n+7+kCUFi/jP8sdYUbSMcbs/ZUvpblyqipTWTpnFPxNrj8ziJAjV7Q3CM/cPIv9gFQfyqhj73DkMP6MJldUBJr9/NU6njYTYcHp0rovTbiM1PopnHxxEMKjjDxi4nDacTu2UB3nAIWWP/9zWi37dG7Bu0wFSk6Pp3C6DhDgXn796HtPn7UAIQfPGSeQWVNI8O5l3nh2OQFAnLZq+3TKxaRpqSNnjq6kb6Nm5LWcPzaa6/DjKHkLBG4R+Kb1YfOZqFuTPo3lsS/qldie3uoTJA6chkfgMH1G2KLokdEeXOt/0+R6BQnpYBp0TuiEQJDiSCVrKHhb/YCxDZnFyCDP0vHfXLGxOzCQyYSYDx8U4GDakAUiQQWjbJgEM8HpgUL8sM0WrpoJv1Wm9C9xeSa8uafTqmQZGSGHDA3ExTsZc2AIkBP3QrlUifh/UqZsJQNAHjRtHm8oe1aayR3xMGNeP6YTUf1nZQwDuoEHb2Ga0S2gGBlQFDBKdcQyre8ahF0ozzF4IG2fVGQiYqQFt4k3FEW+QULSkZcgs/plYhsziD6HKHcARsBEWaeZT1SQXV5aZbpYQIKtNhQxVEVRWyEPriKFjpxNFCKqqZK3wrqIIhCIIBCW+MonToaBp4PdCIGhWCUaa3pbHK4+4h/Fvn4dhmDlzvxa4ogiF6qCBDJrXVYVKQEp8fuNn5wkpqPTrgOkLSw69xsLin4y1R2Zx8kgzYOJgSTUPPTWX/INV2O2H1C/gUMBDzWRf81NK83+6fvr3d0JdAY5cplNVwZpNhUyevo0NWw8eoTR/tCo3gM8nCQTkb14mVYSCKtRagyQQtc9rHqFF3NrnR7/GwuKfjGXILE4eA1wOhUDA4N0vVlBc6kZTTa3FqDiFyAhBVIJCZEzo4xaa+SNjFKJSFCJjFSKjT7c8lSQyUpj9CfWzxqiFRQo+/noVo677gPuemo7dBlExZr9djtA9Rh2yWmZlaGuZz8LiVGEtLVqcFFJKsEFuTjVzFu3i1iu7EhfjIgjkF1Yz/avtZNWJZdO2QhLjwhkxtBmKClKHCd9uYf2WQhrWiyfMZWNwn0anpzikAKddMGXaThYu30eLpkmMHNwczQZCCmbM2kO3jhnkHGjLweJqqjw6EyduQlUVWjZOZuX6XOKiXQzp2/B3KXtYWFj8MViGzOLkkBJUKCp189qHS1i7eTcNsuLJbtqYfbll3PTvSei6ICMtmn0HCpnovJxzzm7I6Gu/Ydzk5bRsWpdNWwvQDUnF5oexaeKUGgPDkIRFCO54eAbjJq+mZ8f6fDhhOVOmb+Xjt0fw4GOzef7tWaQkxFFYXMzgvi2oqPTxxCtz2LH3ANdd2pu3PpnNuUM6cWb/hhj6qeu7hYWFibW0aHFSCEUBLzRrkMjEdy/G6Yw0vSov9OqcTu8uDejYJp0Ns24kOiqSzTsK2bm9gnGTl/Kf24ewbtF1TPv0Cu74Vw9U9edK8n8mNcoe+3KqeeOjpSQnRNG8cTLpKTF8N3MLi+bv56X35nPt6O5sXHo9rZtnUlruJT0ljGVTr2Vov9Z88tVC/n3LmXw1dhT+gOWOWVicDiyPzOLkUTALaRpmmZNg0Kg9bhgGWXViiUzQiI50oihKbSRfMKhDELLrxTNUNDoNyvcSiUBVFaSURITbadogkehIB6XlXiIiHOhBP9GRDuLiXGiqYgapqOAPGOi6JCY6jD37y6isDGBTNfTTkAtnYfFPR7O+Q1r8XmTtw6zThRPufWAaH09cTnW1h6vunsCnXzfirut6MGvRZmKjo7nvoTnsO5DL6x8t5pqLO3DNxb148tXpTPhuA/mF5bRpkcH0zy7DOIXBi0II/AFJRqqLu67rwWsfLOC1jxaRV1BJbHQEd1zblasu7Mqzb83g82/XsT+/DDCYMGkLDzzzEzv25HHnv/rzwjuTWbMxj8WT/oWqitOS2G3x10By7EhWi5PnWGNaM9aWR2ZxwoiQYDBBGDm0OR1apxHmdOL1+4mJCiM7M44v3xyDy2EjKSGCDq1SsNtt2O0qrz0+lGEDm7B910Ea1EugV+csM9dMnlojoAiB1wuP392Xft2yWb1xP2nJ0fTomEl4mI2XHxnKgJ7ZlJZ7adk4ibzCKlo3S+XFh4cgENSvG0v3jhnYNA2Ecsr7b2FhYRkyi5NECAFB6No+g549M2qVPdDN5OHzRzQxvzIFoXOnZFOlospMKh42qD6o9U21j2qzCvLpMAJSmrlfA/vUZeCAuiAh4AG/z1wqvXBk01qDjQZBDzRqFAWYhTWbNY8FeaiwpoWFxanFMmQWJ4+AquoAquew5FwhUITAV2qEnoraJGJVVRACKssPrSMqinJaPRkhBJWVh9RGFMXMBTOMkDqJedKRah6AUATSYwpRqarlillYnA6sqEWLP4Sa9etaSSZpKlsoqvkRMwyzWKYaeq4b8ojzjVO5OXYcBD9X9hCixggf9sfDNA1rfjsZI2wYkmDQOELdRIbUToJBo3asAHTdPK/m77qVuGZhYXlkFn8MsVE2sIHuBdVhzuruSnOij4xRwAZ4oNptei+RUQKEwO8Ge4R5vqfi1JZxORxDSiIiBIQJ8IZEjKUZ0BIRHjoeMI/53WAPCxlkH6hOAbqprfi7r2uE2g8X4DukU+lwCLQwYf4L9UB1FSgKtaojtdf9CwguW1icbixDZnHySPhq6mb8AUnLJils3VmElJKzBjRG1yVffrOVfQfK6NQ6gx6dMgjq8N20XVRW++jVOYufJu0EYOSQZmiaclqMWZhTMH3uXhavzKF540TO6t8YCTg0wdwlB1i8ci9102Jwuey0b5XGstU5SAlNGySydnM+sdFO+nWr/7uSuSUQHiaYvSiH+cv20rBePGcPbIrdAdt2ljJv6R7yCivp3DaDAT3q4/boTJ25A92QNG+YxIathbhcGgN6NrB07y3+0ViGzOKEkVKay3EGPPX6PFat38H1l/bnzU/m07FVPXp1zmLMbROYuXA7aUmx5OQV8fDtg3jknp689uESps3dROPsVIpL3FS6/bRrmUbThnF4vceu4fVnUKPscf8Ts/j4qxV0bJ3Jm58sZNK0Jnz4+nCe/99i7nvqO+qmJ1FZ5aW0vIjpn9/MIy/OYuO2vdx4WV9e/2gmw8/owIAe9TF006MyDKN2n+14142IEDz+slmQtEvbTN7+bDFfTd3Al++M4p3PlrNo5W6S4qN47OWfmPLh5XTtmM7DL8xi0/Zd3HjZAF7/aC79ujVjQI9shGKF/Vv8c7H2yCxOmJoADqHC7PFXcsX5vfjsm4VccHYHFvx4JfOX7WH6vHW888wodq6/hQuGtePJV2dRfDDAy4+ciarYGdizAVsW3MTa6TeRlRFDIPDrpU/+KGqUPfbvr+blsYtISoiiU9sM0pJj+XLyelYsy+e5txZwZv8W7F52K3MmXM2VF/SkWcNE5n9zFQN7tuSTiQu59/rBTBx7HoGgRErQVIiMVnA5xTG9SynBZhMUHvTxwtsLiY0Op1ObOmSmJ/D1D+vYvLmUfj2yycyIJTYmDCEUVq49QHyCg3kTr2TE4I58MnEhN17Wix8/v7i2TcuIWfxTsTwyi5NChmZPu01FUxVcLjtl5W4CHr02sMPpULG5FOw2lUDQQEpwOjU0TeWcQU2JT3MR5XIR1E/1Hpmp7AECXTeVPbIyYhl9TmtKyjxERToJBHVURUXRoF6dWC4Z2Y6IMDtCkdjsKi6XjYMl7lDZFoGmQt7Baj7+aiUtm6Rx1hkN8HokyjGsjBkVKQl32cjMiOG8M5vTp2sWlW4/F9zwGeec0ZwrL2jH5OkbsdlUUEHTVDRVxeWyU1zqwec30FQNXbcMmcU/F8sjszhhJBIhARV6jnyPd7+YyeXn9WTa3FU06f46TbITGdizBZfcMo4mLV7jk6+X8ODN/VBVwYirPsPnL2PENZ/S84wPKa8M1CZEnypqlT3Sw7jlqi6s3XSADyes4N0vlvHjnO3UTY/ivht6MXnGGhp2epXGvV/k8jsmsj+vgraD3uT7meu5aHg33v9yBl2GjcUf0LFHwg+zt/Of57/G79fRVH4mSSAEBAKSxAQ7t1/Tja27Cvhw/ArGjlvOj3O247AJwpwOlq7Zz4vvLqKiys+7n69g27Yyep77HhOmLmX0OV0ZN3k+bQa+idsTQD2sRpqFxT8NyyOzOGFqlT10uOf6HgSC3WnZNIW2zVMI6gapSZGMf2s03/64iQP5ZbRvdRYDemRR7da55/qe6EZ3fP4g4S47Tod2WvZ4FCHweeGZBwbSt2t9Vq7fT3pKDH26ZmGzKdx1bTc6ts5g2Zp9JCdGcUbvBsRGuXj87v447BoNs+Lp2DoFu01DVRSkHyZ+v4GObVpy3vDGuKuOvd+nKAK3Gx66rRfd2tdlyeq9JCdE0btLFo2yY5n15dVMm7uF+NhIbru6K0XFbmJd4fzntr7oem+aNkikfatUFEWgqWpoadFyySz+mViGzOIP4bxhTc3wew+0bBEHwgynF8Dlo1uavn8AqqskdrvKRec3NV+oAAZ4yk+fPp2U4PdLhg3OZthZ2SAh6AafH0AyoHddBtQoflSbqiQXj2oGgO6HVm3iTcWSSvB5TAP/71v6gADdAPUXijj7fJJB/bIYNCjLbM8NXi+0bBJP6zbdzUHRARW8VTBqeCPzPC+0ah0P/HragjxsZMVR8Y01fzv6+J+NlLJ2X88ywBYni2XILP4QSsv8qKqGoggMj7nzpKoKhoTK0kOJvqbSPFSWGLXTa825pxMhBBVlBkbIImiaEtrXOlLxQwiBpgmCXtOg6brEcB+6XwlMem80imoatqPVPnTdOOJej1YUEYqpiOL2SKS7NjsbpERVFSpLzXE7epyPh0SiINAU0CUEDXO/ztwdFNgVgW5AUBooIa1IQ8qQgsmfp7bidAhUFQIB8Aex0gcsTgprj8zipKlVwwCkYU6uHKaMUXNOzTfvw89XQ8tuh6tanBYkhIcpxMSqxMSoRwRn1Ch+SEzDVFUdYNmaXPIKqlAU8x5rDHSN2obPZ6AfplZiGh8zoVk57F+dLnUQBooqQJFIDNPIKJjPFQPEIeMnFBCKqZoiFAnKL4+bUxUYSHKqcvHqPlyaGUlpUwQ2BfLcB/HLAGGh/D1Ng8hoQWSMgqad3J6lYUiCuvGz99YwDNZvKWLOohxycivRVEuxxOLksAyZxUkhJQgnxEbbiYxViIxWzJ8RZkQemKHoUYkKEeEC3ZDYbNSe67AL8zVHTfCnEsOQ2J0wf9l+brp/Cs+9sSwUPGH+LTxMEJWkEBWp4AyDZWv20/u8V/nfB4sJSxG4HAqGIU0jEKOY58crtSochiFBGpRX+nnlrRUUl3qRGKbqiV0l0q7iVIT5u0PFJgQ2RRDpUIlyaUTaVLNkDhBhU4i0q2ii5nztmN6MIQ2cGkw7MJOWkxrSanJjun/fgXWlm7HZoNhbxJkzh9B4Yibtp7RgfsFSnA4oKKrm9odmcMd/ppNbUIXddmLGrHbcEo8cByHAZlP493MzGHjxG7w8dhEOJ0RGmufVfh6iLB/N4rdjLS1anDBSSuw2hZ2bq1izdj/BILicNtweP0kJEfTpWgevDyb/sIOcvHLatkijW8dU9uW4Wbo6B6dTIzsznq07DyKA7h2ziIywndKaZDX3oTkFU37awtufreSrt0aHFDrMyXjJqjwWLt9H/cw4hvZtyMC+mTSuX5e9B0qZOW03YZqTrh1TOZDnYcnMHFITI9m2u4iIMDtD+jbCbhfY4wSevXDfM9M4c0Aj0ps4KdpfzfTcBQQMP01jmpNTvZeKQAVdE3sQNILMLZhJvjefjvGd6Z7UHQWYlb+IUl8JPZJ7s+DAXPy6jzMzhmMT2s/2GKUEu+LgP60fpW1CR9pMbMznuz/mubSneHr508w48CNfD5jEf9c8ztWLLmX9OZuJDLMRF+PiP89/x5C+TaiXGYHPL3/XPpaUkogwwfJ1BcxdsofM9BjO7N8Yh0Ng6LBoxX6uHt2OvIJKisvcSAFTpu1E1w2aZCeyfXcxmqbQu0s9K6XA4jdhGTKLE0JifsN2OTSm/XSAG//9HrHRiZSWe4iKsCMUhZnjruCJ/81l8vT1JMbFkF9Uyv8eG07bFmmcf/2HJMTF8fxDQ7jqrq+JCLOzdMp1xEbH4NN/38T5R6GpKi2bpDN8REMqCgwiIhVeeHspz789j5ZN0tiyI48vp9Tn83dGkhgfzuTp65m7aA/lVVU8dd8Q+vdowKW3jMfv10mIjaSguJhLRnbipUfO4PtJO8krrMTlsPHJxNU0XBlLvdY2/rXsUgorD/Juz494esPj7CzewdyzljIt93t+yPmOxLBE/r3qHr7pO5VhWYN4efPzTNnzDc3jWpDvzafYV8SyM9fTPq4F7qC5zwWgCAVPUDIgrQfl/o7cuORaEsOTGFHnfAjCT3k/MjB9MCMan81BTwnXLr6CXeU5NEvJ4soL2/PMGwvM5dXDrKMEDN2o3cc7FoYhCY8QvPHhSh59aSYtm6axfXcBn327lo/fGMEd/57Oe+OWkJIQS3FZMZ3a1cHvk9z35DQ279jHTZf347UP59C5TQN+/CwDh91WKzhtYXE8rKVFixNCYAYm+Pw6I4Y0IswVzbMPDCI1OZIn7jmD9JQo3v50Od/8uJ7/PTaCnetvZuSQ1tz93+9p0yyVu68biMup0bVdJpHhDl5+9CwaN47B4zt9k5aUEq8vSKBc4rArFB708tRrc4mJCqN/j/rUSYtn/JQl7NlRha4bNK6fwqpF/+L8s9py31PTycqIoV+3BjSol8Cu1bfwyB2D+fTr5SxansvYL1byzmfLqHb7+WTiWp5+cwFpMpuXO7+Goql0S+pJhBbBra3vpldGJ1rGtaZxTFNSw9IxpMHKkuVIIXmy7XM47U7axLdn3dnrWDdsO40iG+PTqTVite9RKC+vwFtAobcAKSV5nlwAPEEPkbZIjIBBuBqBIhTcejUYUFruIRjUjxwbQBHmMnG463iKJRKbJigrDfDEq3MJD3PSv0c2WRkJTJq2ls/HbeC9cUt4/K7BzPnmCiIjI/F6AzgcgrkTr2LUmR357JuFXHpuZ2aMuxS7TbPSCix+E5YhszgpDEyZJ5tNIzkxEqddIykhHJdTqw1QiItxEhZnIzrSgc8fpNrt58bLOlFVHeDimz4jOyueC89ujqfqUPDH6UKImlpkYOgQ1A0iwuwkxoUz6szm3HJFfxITHEgE0VFhZDWNITMjBikDVFX7TQUOJIGAjq5LwKBe3VjmzbqM2eOvwenUmPLBpWxYdAOpde0MSx1J4+jGXDr3fIp8RdzV/B5yKgq4at4l6FLnonqXEGmLwq44EIog0haJpmhcmHUJaTGpNItugF2xHTN1QRWCfdWFpLnSmH72D2iqxtjtb4EN6kU0YHXxShRDYXnxUlShUiesDtIA9ajNSiklmgpVVX6ee30Rk6bvwGY/zt5ZKOUgoBuEh9lJiAtj+BlNePDmgbhcNsBHo+wEGjeNJSLMiaaqoEFMtIPoSAeqIvD6giiKiqYe22BaWByNZcgsTojDlxYnTt1BecVe3vtyBYXFVbz16XK27yrmQH4Ffbo2YPQt42jV6k0+GL+I26/uRUyMncw6EYwc0oyV69dzy5VdcIYLgsG/QE0yAQKJz2+QnOLkpsu7snF7HhO+W88nE1ezcEUO0+fuYsGyHSxZtZvGDd/gmTdmMGJwa+rUDUdRBFt35tGs6xs8/sp0rrqwO43qx+DNM5DSoHnDZBRF4C+X+AJBIuwa1ze+lVW7V3BB1mgyohLwBP0oisLa0tWM3f4WFf5y3t/xDtuL93DFwtFUVVRxybxR9JjUmwJvGQiDoAyiS732ETD8OFSDR9Y+SP2v0mn/VUfyq/IYVmc4RgDuan43uyt30Wh8E17Z8Dy3Nr2LJFcUAR04SrfRMCQOF8xavIt7nphA4cEq7I6f15CrUUqJi7dx65Xd2L6nkAlT1vH5pHV8OWUD7Vun0q1DUy684TMadXydfQcKGDd5PZs2ltDn3A94b9xsLj+/FxO+W0DbM96koKgam2Ypllj8Opr1GbH4vRxefNLrC9KvVzxvPT2GjNRkLhjWEqdDw+0JkBgfTsfW6YybtJ79+aU8dvdAhvRtgKGDzwcP3tKH9i0zGDagCd7qQ0U4T999SQwpUJwCxWcmNz9ye286tUln0Yo9JMU34Mz+jbHZVN58agTpKdGsWHuAtJRuXDisJYqA0jIP/Xs048ar26MZNgb2NBOsdQMS4yOY+vEYHHaVYNDck/MGJaPrXYoyWHBW+nB8PklmeB1mDV7E9zlTiHclcEWDqznoLSJKi+fKBtdwcealeA0vTs1JmBaOS1Vw2Y4aO6mCgLua30ujqMbkunN5oOXDDKtzFh6vZFDaAGYNXsSPOVNp1ro5F2RdhDsgcYWJWpWVGgMiATT4cvJ6GtZvwJUXtcFTfez8NVUReD1w7w3daNs8lXlLdxEfG0G/bvVo2jCe8W9ewOffrkNVFLKzBlFwsJqYiDBuurwLV17YnvYt02jWMAEhBC6nHeNvuLQo5cmlLVgcm9oxlYe2bmvG2gr2sDhhFCHw+YM0bxtL80ZdQxspmD9D0lVeD1x/dVvzeRCqK81v+8EgpKdEcP2VbfBUYcpTnc6bMSA60snenHz+/eRcHrq1N8GgxB+A4UMaMPzsBgAEq82yNddd3Q4CMOzMbLPgpgqvvLWC2Yu34bDbaNcihWcf7k91pQRD1Ho4Tod6WB6dQJfg0lzc2PQafAEISnMcOsS3pGNyS3MsQ+PpC8AlDc4/YqACAZidv5ht5VuwqTYMaYTa1cmMqMegtN40j7+rtp3qgJkI7Q5K+qZ0pW96VzCg2i/RbIIDedXc/ugP6EYAu10FCZqqEKgGnz/I/Tf2QnOCxyN/luxdizQVS4YOqMfQIfVAgPRAtRsS48K4+9YuIZfeHDdfJVx0XlNQTGWYNu0SAPBWcMojWC3+nliGzOKkEEJguCVlxQFsWk3SkakcoQizHldFiVE799Ym9oaEc30+edpVPRRF4HPDZee1pV3LVMLD7EcEGVSWm7NpjaKGQOA5aNQaJ0OCy6XQtX0d3nt+FIYBKYmRVFcaIMVRy3RHLtsJTCWNSp8ZcVgjFVUdNJBBgxqrJZFoQqPSp5uekgiFudtsLCtazHd7J+GwOzGkjkAhoAfondqXfik9cfv12kAQVZh6WYoQVAV0ZCA0BsI0sOFhDq65uD23XtmFlk1S8PrMew4E4Ms3LkTTBO6KnyuWHI0QgsoKSY0IliKE2U5Q4i2WtZ8HM8lcwV9qVkVQVHGEUoqFxW/BMmQWJ40QoelX1rhisnbiAtPzqDFsNacZoRldUURI+UH86uT4Z/Y/GISEuDAG96kPgMd7KOqPmrprUHsPQjFD05WQVqTPK+nQKplOHZPNRoPgdvMzN/NYq2TSACkFhoCauVsRCrpRc12BIkJtSQUhzbE0pMQTkNzW9A5ua3bHzzxaKSFggO04meaKOFIE0jAgzKlx5sD6pv6l90iPSFXF7/KQzPfzyF6ZpW5+PgiHGy3lNH0OLP6+WIbM4qSQEoQDYqLsCBvmcpEiIAhV1abye2SUAJtAeqHKLXHYBPYwBQwI+kFzmBOX1336lpKklDgdAuEAQmLBUpr1xRxhAuwC/OCuMo1RZJRpyAJ+sDnM+66qOqSPKA4z5L+EYUjCwgSKy2y/uqq2R0RGCHCYx2sMS2SkACEI+MDmEGCEDOYftCdjSKiqNBs7uv/Wvo/FXxXLkFmcMFJKbDaFvTuqWb8hD71G2cMbIDEujC7t0wj4YfrsPezPr6B1s1Tat05k/wEPq+fl4rBrZNWJZeeeYgTQsU0G4WGnXtkDICJcsGRVPivX5dIoO54+XTMxDCir8LFs3n527iuhQWY8/XvUx+fTmbckB0UVZGXEsm13MVERdjq0SkfK36OAYV53xbpClq7eT/26sfTrXg8wjcjshTns2ldCRmoMYS4brZoks3D5AYK6QXZmHDv3lOB0anRsk3GM/cUa7/j3c6oqdFtY/FFYhszihKgJvw9zaEz5IYebH3qfmKh4Kip9hIVp2G0aM7+8kmden8eE79YQExVJaUUlbzwxgmaNkjn7irEkxsfzzAODuPbeb3E5bSydch3RkadW2aNGieK/ryzkrU8W0zAriS278jl3SCtee2Ew4z/bwJufLCIzPZ57Fn7P0/cN4eLzWnHFnV+TV1jMbVf35eWxMxjatw3fjL2otsq1Yfw2BYyXxy7nuTfn0Kh+Mlt3FTCkdxPefOFMbvv3dN74aAHpKfEcyC8lNTmGuROu5taHp7Jp+x5uu3ogL4+dTY+Ojfjx0zEIRRy1/2YZI4t/DtZuqsUJUavsEdAZMbgRLmckT913BkmJETx+10CSEyJ465NljJu8hucfOpsda2/hzH7Nuf3RqbRtnsKtV/XD6dDo2akeYWF2nn9oCE2anFplDynBbhMcyPXw3//NIS4mgjMHNCYlMYbXP1rInm3VdO+QSafWdchMj8XlsDFnyW5SUp3MnXAlPTs14rOvF3HjZf348q1RBIJmjS1VNRUwwpzHU8AATROUFPt57KXZhIc5ObNfY+qmxfH++BVM+GYLb3y0gFuv6s22VTfz/gvncUavBqQmRzLt8zGc0bsVn329iCvO78J3H19U2+bfLErdwuIPwzJkFieFYUC4S8Fht5ORGo3LoZGeGkV4mK02Ai8jNYqYDAcpSZF4vH6q3QFuvbILlVU+xtz2BfXqxnLJyFZ4qk71spZZLiUYNAgEdCIjHERFOjn/rBbcfV1fFEVw7f3fsnJDLmef0YS6GdE47BpokJEWTWJ8OIGgjqoKIiJsCAGaCsWlXl4du5zp8/bgcFJb4+xwFAFBXeIP6ESEO4iMdDBicDMevKUf4WF2QCc9JYqwOI0Rg5px8+Vd0FRBWnI4yQkRBII6iqIQGWFHsRQwLP7hWIbM4oSoVfZwakz8fidlFXt5f/xKCouqeOfT5WzbVUxuQQXdOtTj4ps+p2Pbd3n38/ncOKY7MTF26mVGMvyMpixeuZqbL++CK8JU9jiVZkwIgc8vqVsnnCsvaMfaTfuZPncbX01dz5zFuxGqxOsNkptfwYSp69m3v5KJ329k7ux9dDrrbb7+YRWXjOzO/96fStdh7xMI6Dii4Mc527jlP59RVOJGs/GzKAkhwB+QJCc5+NfoDmzekce0Odv4+oeNTJq2iQ6t0zhrQGvueWIyPXp8QKPez3Hnf3/E6w3S6cx3+WTiQsaM6sF742bSesBb+LyBUNkZy5pZ/DOx9sgsTghBKP/KH6Rn1xheeuRCMtNTGTagCS6njQuHtyI5IYIu7TL4+Ks17M8r5a5re3L2GU0wdPD74cFb+9C6WSrnDGp22pQ9BAKfD159/Cx6da7HsjX76NA6gzN6NSAlOZzxb17AuMnrMSR88r9R7M4pIykmipuv6IIiutKqaQpNsuOw220IRUEG4JsfN9GyaRMuGtkMd5VZafln1xUCjweevn8gndtmsGD5Htq3Smdgz2ySE8P45JVRjJ/SmC07Cxkzqg1nDmiCpqlcc3EHrqED7Vqk0bBeXEgXUvmZrJSFxT8JURqwvsZZ/D6klITbBGs2b2H6h5P590P3QDW1Sg1mCD4QNJU9nFGhF+rgrqxpA+w2sDlNtQ84/RNxWBRm/wHDDR4POJ2ghmFa7gBgM9U9tLDQeR5QwgAJnnLztAEXfcjNV3bhghFNqCz7BQUMzHEIr7luSAHD7QZFBVcktePpr4KgDmExx76uDOVO/1F7ZSfbTk1F7X9CAKSqQmWlmwvvGMGw88+lS7eeNGrS5G8nrfVXRzd04u0qLd9szc1d7+ZfbS6h2B9EVTTLI7M4OYQQGNWSsoMBbDZbbeKwDP1NEYKK4mMre/gDEt0QuJwQCJoT9en8p19ZepiCRygPzOOVGJ7DlCikmejr9oRyrUL3L4R5bxKY8uGluJwq7spfU8AwQOhUlEk0BYKhuluqKgjoEl/Joe+YqmqOZWmR2UdFERhVpsKHw6YghTl2NlUQlLLWEBmH6f4J8euGpeZ1NlUQ1GVtWuDh7SjiULK4cdTX4JocaIdmvs9+/bBcCqlQ+03BwuIPxDJkFieNoohDBgpACLTQjKnrpgqFPMZXfCklOQcqqajykZIUSXys87Rq64mQWsYRqiSKQIQEdA9XpQgJe5hq+eJIGSqXU/3l+xA6UldRI77HmfQYyEQqPV6inKFJXgJ2paZT5k/dVB4Otx113JDofj00/pLS6iCxLs0sp6JLVLtyyHoFJXrQFLVUQm0c3m9dl6iawNAlpR6d+HANhEAPGqgO9dC3jKCBHpRmyR17rRQJGBLDpyMl5FT6MSTUibQjUVDVCqS7H76DTyAUHcugWfyRWIbM4g/BjNwLKWD4oLpaoqmCsHCBHgTVLkCH6moAaUo7Ibj+gUksWrmF268eyBP396GyUp6WmmSGIQlzHVLYqKo2paFUFcLDDyl7VFeZslQRkT9X9nB7zLZ0/deX5aQEVfNSEjjAFd9uY96ucpolOfhsRD3CbApjlxThNSRuv44mBM2SXPStE8nnm0pwBw2q/TqqEGRE2bm5YzLTd5Zz+7Qc8qqCtEl18fHZWWTEOPlxeylLcqpx2hQGN4iidUo4QhF8tPogj8zNRdGgwmNwWet4nh+cyYp9FVw9ZS+5FQHqxzt458y6tEqN4JtNxazN9+DSFIY1jqZpUhjFVX4+WFGMO2BgGNAiycXIJrF4AzpnjN+MImDL9S1B1ZCBYnSl/E9/Hy3+mViGzOKkkCHF+4pKHwuWFbLvQBkN68XTvWMdysr9rFmSR1pKJLtzSomOcNK5XTrSEGgarN9SwK3XdCavsJL8g5Wn7Uu6xFTYWLXhIGs25tMwK45uHdIJBKGqOsC8pbnsySmlXp04enaui89nsGx1LkIRZKRGs3tfKZHhdlo2Tf5te0uhpT+bzcbj80qYvCXIRyOyeXDWfq6amsd7Z2Xyn3kHCbcpDMyOYVO+m9dWljH3kiieW1JCpU9nWONY9pR6Wbm7mCtbpqIbNm7qmE7DeCcD39vKhEZV3N49lu2lJTy9sBhficFP7bxMv7gRQlXYVqxT7lcYOzCLar9BozgHGBo3/piPLm2svK45bd/ZyO0zCph5eSKbinQen1eEUSpZ3j3AV+c3xK1LXl5WyoFSP+3Sw3n0p4Nc0dnN+2c34NzGyby9ppCfdnowDIXeWTasnQyLPwvrk2VxUkjDACd8/NVqPpqwkvSUWBau2Mm7z55H0wZJnHX5B4S5XACUV7qZ/vlV9OtTlxvu/oH3v1xCUnwMpeWlDOjZwAwSOcXUKGw89+ZSXv1gAXVS49idc5CLzmnHC08O4N3P1/HGRwtJS4ll4YrdPPvAUM47pzkX3jie/IOl3HltX154ezqDe7di0vsX/2ZlD0UAusHk7V5GNUtgTNtUCqp83Dd7P2mRNs5tEkOlz6BfViStEx0Ue3TaZ4RzTqNotpf46J8VgSfNRbuUMPyGwZCmMbjdAe6Ytp/keBsD60WBDHBtm3g+3VhE6zZhTNhawsbCalpmRCIElFYHeXl5PtnRTgbWTwcBA+pF8PmmEj5bX4xNg0H1owCdG9olMnFbKR3ahfH19jL2FLnJSgpndPM4Jm8vY+V1Lfjv7Bwemp7LYz3TaBRnp7JC55JJuygoC/D80BjubK+gG6BZST8WfzDWR8ri5BCADp3bZtClXV2aNExCUTR+mL2ddp0T6dQ2i/SUKFb+eB1hLjsr1x5g08YS3vlsFv++ZQAT3rkAIWwEg8YfpXv7m6lR9sjL9/DwCzOJjgzjvLNakJwQzYvvzGHv9mp6dMyka/tMmmYnYbdp/LRgJ6mpLmZ8fhld2tXjs28Wc83FPfn89ZE/V/Zw/UKicihYwhOEOKdG0NCJc2ooQlBSHURTBDN3VHDjV3so8ei8PLQeBuDXJUtzqrhhwl42FXl5Z3i2uW9mSLaX+FiWW40Aqvw6hlSYtK2MZTnVNI63U1alM3FbGSDonB7OVW0SGJwdzWcbirly6h4Qgs5p4ewr8/PMglzKfTpd0sMxpODLzaVszPfQKN5BcWmQKTvK0KWgwqfjDZqRIOc0ikUzBHvKfBhSYgjJnEsaM7x5PBO2lCENedojUy3+f2IZMosTRkqzlpj0wr/uncT6LfkM7lOflMRI7HYVEQUup0bblqlkt4smMS6SMJeN8govEKBnpyy69UojNjocm01FaKdaYd1U9vD5DHy+IFGRTmw2lZFDm3PXtX0RQnDTQ1NYvnY//XvWJzM9GqdDAxs0aRBP3bQYqqq9REU4iU10IjCVPUrLfbzzyWpmLdiH3XFsZQ8pzUCSOpGwusCDpghW5FdjVwUpsQ7cAYNzW8aw6PomnNMohqA/UJuPNqBBFEtubMJFTePQg0FUISirCtA6LZxVN7bELyVvrjyIomh8tbWUjAg7E7dVUC/GwdTtZRAMMqxRDGPPrc8DvevRLzuK9YVu0HXumrmfIQ2iKX2gM43inNw5cz+KUPh6WynpETa+3lpBRqyNr7aWoQqIcqjYQ0vCX2wqJqhKGsWbHnh8tEaT1EiyYuy1teksO2bxZ2AZMosTJxTyLXUoLnWTV1jND7O3k1tQxeQZm/nqg838NH87P87extOPLmHvgf28/vFSUpMjadqgIcOv/JC23d/lQH4+4yatY8/2SpwOccoUKmqUPTLrhDN6ZGvWbd7P4lV7+X7mFuYu2QOKpLjUQ/7BKmbM387eA5V8/cNG5s/LodNZ7zL+uxWMObcHL7wzmd5nf0RAN3BEwbQ527n23o85kF+BzX4MxQ1hempSwJ2dY1m+t5Iub6/lrSUHubdLCruKvUzeVsa4taWU+XR6N4hBAXYddPPttlKmbijnQGWA/o1jMQIGqia4Ydo+mry6nr7vb6KkIsjwxjFM2pDP+CWlxIarfHNeA8JdCivWu/nv/DyeWJBHm/+tp+8Ha5m2sZwLm8WDotIhNZw5OysZM3Er63LdjGwcwyercpmxooI6sXYmnpeNVGHe2krunbaLSdvL2Jbro/Fra3lyVj539EomPkzlf8sLOZgf5Ln5OUzeVs7inZJFeypw2Y5t2C0sTgbN+khZ/F4kNeWvBLohUZww7bPLGD9lA0KofPTyuezPqyAlIYYn7xtEmMtOvTqxPH3/cBwOO0nxEUz+4FLe/XwZDoed267uSv7BKuwO2ynXDBSYKiNvPTWcnh0zWbpmH2f0bsSQfo1ITQln/BsX8Ok3azAMGPvcOezaV0ZsWASXndeWKy5oR/uWaWTVicJhN7UlZRC+nbaJpg0bcvG5LfBUSdRjKHsoCvj9Oue3iMd+cTI/bC3mqrYJXNM2kdwKP8/0y8AIQqxDRQ8YKAjCNYXHeqUT8EsSwjT0gBFKGYDbOyXz5cZSitwBxp1fn5HN4liyt5IXhtUhzKWgGQbXtkkk0FTSLNVFtFMhp8SPD4P3R2ZxcYs4jKDB20OyaJdcyJp8Dy8PqsstnZKZu6+CF4fXITpSxSYld3RMQbSHjBg72TFOKlrqBKSkRT8XwxrF4gvqXN8+CXdzg2YJTu7tmkKFr4p4p4ZxmnMF/0zkUQ+LPxZ52M+jfxcllrKHxe/kcGWPnz6awoN33I2/GuwRmD5+ANBMlQrhwvykBQG7+bu7FGw2sIXVNGie7yuHYPD0KXyEHa6w4TYVNlwuUFwcui8b6FWghpv9ll4QNQobZWbf+4x6j5uv7Mro85pRWWYcUf0YqM0j06ImYku4G0VLAaEDEt2nm+kHtlBHDB3DH8r9Ovp44FB0jGJTQuWqMdvx6qEcstCxgB56LSHZDXnY+SD9wdAhceg8wPAFUWzqoVy0w9s5ouaZAAx0n24mTNu1Q9cSGlAKlYOoOvAyivr/K4+sRtnjgjtGcNb559LVUvb4U9ANnQS7SouQsse1bS6hyFL2sPjDEOD2BPD61JqnoaAHBdVv5lUZUiINU4lCUxUCATAqzakwEDBCeVXKaQ0GOJayh9sjMdw/V/bQPaYG0+EKG5qqICVM+XAMEeG2kLLHr6zeS4Hfo4MIAqAqZmRf0KObz4VAEWYbugG6R0cedRwg6JcYUjfHT5rtBP2gSx0BqIqofa0iTI1JKfXaoBNVUcy4HR30oF6r3KEpCkG/gR6qdXZEOxz2jTj0UBVzDAK1/QRD6kjFQAlawR4Wfw6WIbP4QzDFa0OzXyiRWDcMcnIriIxwEBPlxFBCE6Ywl9VyDlYihCAtOQpNFad9OUaEFEgOV/ZQFAEhZQ+OUvYgJNUklCODGKIibej6L1xIqggF9Oqh2AP9sUkVicRAJ2joGPKQp3W8jIRfy1QIHvX88O4c67XH6+7Rx3+tnaOve/idGNKJaXv//3hjFn8NLENm8YcRGSlAE7VLi7Nm72fENe9zxQVdefnFM9BLBdX/x955x0dRvA/4md3rd+khhdB771V6U1BRQIpdVOy9/uy9d+y9i4AVUbFRRFGk995ber9+tzu/P/YuCQqKgsGv7uPnTLLZ7M4uyb43M+/7jF8nMUnhi9lbmXjNVDLqJPP5m2fRonEKwZCs5fXIqtF0icshUGuaPRSBKsDlEWA1rsvni5k93EY7wxGw2QxpbyBoHOtQhkclEptwctqcy1iQ/wMJtgQ0Lcr9XR9hTKPh+MIxb+G/jX/jNZkcdcxAZnJYxDpgKEIw54fd5Bd6SUyw07RhKj17ZNOwXiabtxcz79sdOG1OOrXNxOeTDBvUkLuvG84ND8xCP8r1RVJCgkewZkMpazbk06RhCt06ZBKOQCAYZdHKfHbuKaNhvRR6dq5LMKizcl0BQgiyMzzs2leOx2WjZdP0Q7bGCwSalOj4mdTibDQk9664E4eqoAhpzJmJf2PPxYxkJkceM5CZHBZSGmaP+5+Zx/Nv/0L/no2Z9/NWJo7rzjOTj6NhvWS+mrueBYt2EQiF+XnGxbRrWQe3206nttmo8SHJo4SuS1wewdOvLeHJV+aTnppIbkEpZ4/tzgN3D+SV51by7Js/kpmexNLVu3ns9hM5+fhWjDr/PfKLKrjxkoE88sK3HNu/HTPfOHSzB4AmBe/2m4rNCR9s+oxsTw59M/sTjAoUEUvqMDEx+UPMOjKTwyDWHROwbVcpgWCIJvVTOW9Cd8ad2A49KPH6wjRtlMHiLy/CYlH5fPYGbE7QQjpefyiWQCePSm1R3OyRnx/k5oe+we12cs64zqSnJvLgs99VmT369WhMl3Y5KIrCrLmbqFvXyRdvnUm3DvWZ8ulCzhnXi7efHkW0ptkjUcHl+B2zB0aYCmpRtJDOMxueoFtqd5IdDiK6hlk6bGJy6Jg9MpPDIL7ECJw7vjPJiQ5Wb81n+cqd7M2rpP9xYxFC0LNzfZr3SCYj3WP8jAVUh4LHZcdiUXC77FhdglCo1iVVCEUQCEQJBqMkJdiJRnVGHduaIX2aIhBce8+XFBZXcttVg/luwUacditYoWuHTJo3TmPtpm1kZySSWc+Fv1hiUaGsMsT0mZtokJNCnx71CIfkAXudutRxqRZ2VeazuOAXnuv9ai1fv4nJvwOzR2byl5HIqnTveyfPY+5P2xg+uCnhsEpJqZ/1S0qY+9NGvpm/haceXMyO3Xt4/9OVFOYFueTKWVz4fx8QCvk46dzXufeRH2vV6gE1zB4NPIwb2Y7VG/axdlM+c3/eyo+Ld4Ii2b2vgqISP0tW7mHXXi+ffL2WnxbspefI13l/xmLOHtuPh577lGGj3iWq6dgT4Ot5WzjnmjfYtrMUq80YvjzY/bOo8ObWVwiGg/TPGGAsAWP2xkxM/hRmj8zkLyNq9MjOGN2RdZvyWbWiiIvO6MHVk3oTCuvcdtVgEjwu6mUncec1x+N0OFCw0LJpOokJ7fG4XVRUemnaMLXWrR7GNRhrir36yGhen9aAhct30qNzA0YObUlWlptpz4/nzQ+WEQhqPHvfiWzdWYrb4mDMiNaMPb4NPTvXp26mG4fdhsRYc23GN+tp0aQJZ4yNmT0OUkumCIWoDjmuetzX4xHqu+sR0tivPszExOSPMQOZyWEhhPHwvvCMbljcGIVGCoS9RpC4947BRjFRBMbaWoCEYDlcfVl347dPN/YnBL4Kaj3xQwiBrhlFzlde3I0rlW5GwwPg80Pn9hl07T7caGMUsBhmj45dewOGvaT/oJwqs0fQDzv3lHLL5QOxOwWVQR31IHn0AkFIgwtbTDSKyiO1dNEmJv8yzEBmckTw+iIoAbWqqFiNVQz783UERmGxphuGDItFobJYJyb6MCwRijgqK0MDhvFJQkWJXmUlUZSY2cMv0X1xs+SBzR6a1xhirTJ7vHEWSYkO/BV/bPYQgDeiI5Go/8p0exOTvx8zkJkcMYylOkAiqlR+VouCrsuqABBPRxfCKDaOB76jTTzYSl1WBTHY3+whYtcnhNjP7KEqYr9M+bRUB9FfKy7+6Ow66KK6IDyezRk/b3x7fL6tSqISb6OJyX8YM5CZHBFcLis2C4TCYLMa2wLB2ArMLoGwQjRIlb3D5TSCgT8IbpfxIPYHjl77NV3idAgsdoEeBn/AaKeuS+x2gdUhIGoEj1AYnI5qs4fdBroOwZBxrEjkwFmKBzuvI3Z8GQGf3/hZiwp2h2FK0Wrct/i9OtB5TUz+q5iBzOSIsHZDAZoG2RkJFJb4kECrpum4nIIVa4soKPbSonE6jRt4CARh/eZSAsEIbVtmsGhFPlJCh9aZRyXhI2722LS1gvWbC2hYP4WOrdMIBMHjEmzf42PDlgIy0jyoqkL9uols2FKOlJCR7mZffiVup5XGDVJiZo9DC2Lx827b6WXNhjzqZiXRpV0dIlGoqAyzbnkhxSU+WjWvQ4vGKQSCklXbitE0SWYdD3kFXmw2laYNU//mO2Ri8s/GDGQmfxlj2MtYWPOMKz9g/eZ93HTpMB55cT6tmtbhh48u4Pp7v+O1qb+gCCt2Ozx550lMPL0dl902k5+W7qRfj0b8smw3gVCUVd9cQctmKQSDtedcjJs9XnpnBY++OBePy0VxWSUXnN6LO/6vL+9PW8dlt31KICixWhT8gRBfvnsul978GVt3FnHz5YN58NlvGNavDZ+/eYZh9ogdV8TUXQc7r9stePejtdz1xLd43E6KSys5Y3RXHrp9EPfeN5dvf9iE22ln265iZr45kWZNUjnlwvfZurOAmy8fyoPPzqFXl0Z89/7EWO/x6C2BY2JyNDHzfE3+MkIYc0rCAtNemMCQvq15/zNDUzXj3VP5ZcUenn97DjddNog1Cy+lfau6XH3XTCrKotx7w1AiEQ2Xw8acDyfy+ZtnkZXhIRqtvTkfKcFqFRQUBLnu3lk47HYuOrMHKcke7nz8G1YuL+amB7+hScN0Ni64greeGkvndtk0bZDKBy9NoEPrbN7/dCGnndyN1x8/iagWmwtUDIHywcwexpI1gvKKCNfd+xVSCi48ozv1slN4+Pmv2LChnOEDW9C7SwN6d21IaXmA2T9uJTPTzrTnx9OzcyOmfLqQUce1ZcpzY6rmy8wgZvJfxQxkJoeHMBIV2ndJp1eX+uTml1AvO5FmbVMoLQ8ACn26N6RJp2S6tq9HeaWPQECnTYsMHHYbN1/Rnx4j6jJicGPcTiv6H61PckSRqAr4fFECgQhJCQ68/hAjh7bi+osGoOuSgmIf7VvVpUG7REaPbM47k08lM91D524ZtG+Vxb78Upo1SqNei4TY+l1Q6Q0zbcYGflqyD6uNAyazqAr4/Rpeb4jkRCdeX5ihfZtx9aShVHhDXH3XZ+QVVtKlfV2SE504HVawQNdumXRuW5fc/FIa10+lccskEL+vwjIx+bdjBjKTv4zESEHHCidPmMr9T8/kgtMH8+7H8+nV93Xat8qkZdNsJlzyHiOHTeWp12Zzxqhu2O0q51z1IcFQKede8yFnjf2UoqKIsUhjLT6Q42aPRg08nHRcK9ZuymXXvjIWrdjF3J+306RhChPHdeHN6T9ywoj36TXiVYae/jq79pbT//i3eO+TRZwzrj/3Tv6EE8a8j6bp2BPhm/lbOPXSV1i/pRCb/bdmD2M9Nkl2toOxJ7Zl/dY8du4pZcnqPSxYvJNIJMrm7YWUlodYv7mQsgof7368gp27Kjl23Hu8+O48zh0/gCdfncWA4W8RCUdRlNq9dyYm/yTMOTKTw0MAUejaoS6tmx/PiEEtSUlyEI5oZNXx8MVb5/Pcmz+zJ7eUJ+4czaRTuxHRdDq2yaJdq+H4/GGSE13YbEevhioShTefOIWX3lnEwuU7adk0g5OPbY3LqfLIrcfRtmUGPyzaRtNG9Xn8pA5kZXjo070Bw/o3o0/XBqSl2GNmD0CHz75dT5OGDTlrXHuCvgObPYQQhILw3P0n0aVdNt8v3E7DeilcMbE33TrVZcZr5/LBFysIRzSev38M+YU+1IiFvt0b0rNzPQb1bkJKssOYG5PCHFY0+U8jiiPm+ziTP4eUErdVsGL9Bma/NZNbr7vBMHRYQPpBuAABwVJjCM2agNFzkxCoMI7hTI1tU2LbS45ejyJe8+ZMNNqNCvgNs4eigDMh1k4VpM9Iv3ekYNSXBWLXCwRKjZWje570EpdP7M2ksztQWar/YVG0Kyl2fIUqo4jbDVhj2zTj3KFysMfaWPM+H817Z2KsdlBZ6WfCtaM5cfwp9DqmHy1atTqqyxP9G9F0jTo2lXYvdOSK3jdwUaczKQxHURWL2SMzOTKUFIVRFQtq3HSBYfDQNEmgMJbdiGG6EEBFvk782Rvf92ghhFGPdSCzh5RQUfrb7RX5xmTer80emoTPXj+LtBQngUMwe8CBz1tZYUT+qvgkQbUohIr0/Y0iHN17Z2LyT8AMZCaHjZRGmnlcMVXTdGFYKWJBrIYAI56ZGDd76HrtpdwfiLihQ5dGr6pmWxRRbSrZz/hBzFCi7J8xmJ3pIhKBQ+0kHei8qiqqEl9E7H8i1hZE9XlNUb6JiRnITA4TKUFYweW0YrVUp4FrGgTDRjKIyylQLBAJGYYKq1XgjKWmR6JgtRhP41D46A2RVRk27KCFIRCrZRPCMI8IC8hotfHD5TTaHIkai3PqutF+MBI5/ozZw24T2BygR4zji5gqy+kQqFbQaxhFak93ssAAAOurSURBVJ7XahXIGuc1MfmvYgYyk7+MBCyqoKwowvZtZSAFNqtCKKKT6LHTqH4CioANW0opKvXTuEEq9XOcFBVF2LC1AouqkJ7qoqDIiyIEDXKSsVqVWg9mccPGjl0+Nm0rol7dJFo3TyYYAE2TrFxfwt7cCnKyEmnbMo1gULJ9VxkAqclOCor9OB0W6mUn/iWzx+69fjZsKSQrI4F2LVMJhsDpEmzaXkFuQQXpqW4sqkJOViIbt5ajaTrpqS4KS/zYrCr16yb9jXfHxOSfjxnITP4SEtA1HbfTyjvvb+HGB6bgsHtigmBJaoqLOdPO5cW3F/PsWwvQNZWEBJXXHxtLgsfBsNNeom5WGrdcMZCbHvgaRRHM//ACWjZLIXSQFZX/DnRd4nIL3py2mgefm4NFteH1+7n07D783/W9eO6F5Ux+7QeSEtxs3l7A5LtPYujApgw59Q2KSn3cdNkA7pv8LcP6tWLmm2eg1TB7KOLgQS1+3ukzN3DHY99gUa1UeP2cN6E7d/5ffx588mfue/pbVMVGKBKmWaM6fPLKGYy54D02bC3gtiuHcN/Tc+nVpQHfvj/RGJ40zR4m/1HMWWKTv4QAhCIIR3SGD2qKpqnccHE/rFaVay7og6oInntzEY++9D1XTOzL8h8vpmnDOpx73cd0bpvNuBO7ADB8QAs0TXL1pGNo1crQU9VWEJPSGNYsKg5x5Z1fYFGtXHV+b5IT3dz04Ex2b/XTu0sDBvZuwuBjmhDVJB/PWkt2PQfvPj2WFo3Tef/TRYwZ0YEXHzoBTZNVc4EJnurh0wOdV1UFlZVRrrrjS8JhyRXn9iY7I4m7n/yGGZ9v4ZZHvmLksHas+ukS/u+SAWSme8iq4+Gtp06hc7sc3p+xiOMHt+DNJ09GMc0eJv9xzEBmclhouiQ7w4bH7aJrhxySEhx0bpdNeqqLcm8QUBjarxmte6TRt3sjikvLCYY1brliAKXlQa6953OyMxO48txeRMO1/TCWqCpUVITx+sIkJTooKvEzfGALLp/YH6nBXU/OZsHinTRpmEqDnEScTiuKTTBkcAO6dcxhx+5COrWpS5P2yUaAEuANRJjx1RYWrcg7uNlDBa83SnllkOQkJ0WlPgYd04TrLhpEIBgFGWZw76Y06pDEXdcO4MUHT8JmU+jRL4tjujZkx55C2rbIpGWnVNPsYfKfxwxkJn8JCUhd4rCrfPHdbkrLd/PeJyvIL6zk7Q9XsGlbMWXlQZo2TOP0K6YwfuSHPP7ybMYM70xigoV2LVMZfExjPp41h4vP7E5SqoVwSK/V2psqs0fDBEYMbs76LXmUVQRYszGPpav3IYVk2epcKrxhSsp87MvzM/PbDSxZlMeQMe/y9oe/MHF8f+54/CPGjP8AXddxJMC387cwatKLrFyXZyRxHMTsUTfbwcnHtmLTtnxKSo15srkLttGzcw7dOzbhijs+4eyxM+g47Fku/L8ZhMJRThwzlefemsu54/vz6ItfMuzE94hGTLOHyX8bc47M5C8jhCCq6dTJVLl84kBaNq1HkwapuF022rbMpEHdJB66+Vgef/lH9uSW8cBNJ3LRGT0QKESicPvVg6lfN5lTT+5AKHD0FojUovDO5HE88/rPLFy2k7pZSVxyVk+ys11MeWYsL09ZzKr1Bdxz/WA27yhBhhS6dahLj045DOzdBLdLxeWwG+nyEmZ+t4EG9eoZZg+vRFEOYvYIwUsPj6LjW1l8/8s2MtMSOWtsZ+rnJPDRy2fwzBs/sX5LAcMHteLMMZ0RQqFNizq0bj6MYf2b4XZaUVQFTQObrfbvm4nJPwXT7GHyp6lp9vjuzc+47Y4bwcd+pg4EoEEkCFYPhvkDCFYaqflgLAxpsUPAC/pRnOMx5qzAkUC12SMAPh+4XYAttk0DLKB5QXUD8sBmj24nvMil5/TkkvM7U1nyO2YPCeLXRpEg+LxgtYAtIbafYpwzHAFnSuxHj5LZQyIRh1C8Fi/lPpR9/9cxzR61g2n2MPnbEEKgeyWlhWFsFmtV0kH8o6IIAkWGgUICqqJUBaxgSCLCsToy/egNjcXr3g5k2PD6JNJrNCwuNbaoAs1nbDMMGzoCYZhMJHz66hlk1vH8sdlDGMOOpcVRVKGg6TqqomJRBcGIhi9uRJHGcVRFoTQ/Wn3eSuO+2qwWdPnbZQMUoRzydlUYrktNar/ZXxUqEokudVShokkNgUARxrXpUq/pIEERKqowQphmvk02qQXMQGZy2CiKwGpREaJaXquqxie6LlFjqidBda9LYpgygiGNkrIIHrcNh109qsGsqp1K9YKY8QUrIWbWiF2XomL0qITYLzgDNKyfQPgQiruNwC5IsVnRNFBVlZARp3DZa/xpCkCHsAZul7V6G8b2kAZ2q3po2yWEo2CzqLF/EGNfX1SiCoHrAMfxR8EqBDar0T6XVSWqQUgHpMRjVap74tI4b2XUj6ZreKwepJRVQc/E5O/ADGQmRwRBtcFDixi9rbgBIxoFqxU0HUKh2JCTgHBE49RLp7Fm43auOHcIN13RG69XVqmuapMqw4YNojXaD1QZNrQoVatXO237mz00HSIR41iHUgcnMerMwnqIGxbezNe7Z9ElvStP9HgWRah8t+MrQnqIgBZERaVRQiM6pnRi3s65BLQAAS2AgkJdV1161+nD3N1z8Ed9BKJ+BIIsZza9M/ry0575VEQq8Ef9AKTZ0+mfOYiFRQsoD5ejIGiU0IQ+dXpSEvby4c5ZhPUQgahx/CxXNsfVHU5eoJgrF13MquKVtE1px0Pdn6BZQhNUIZiT9xPf7P2SDGcWafY0+mYM4LT5o1GFhbnHLsBhFfiihzYkaWLyVzADmcnhI0CXkvVbSskv9JKTlUjThkn4/Brbd1WQmuKisMiHw2GhUb1EIhFwOaGwOMSlE7tx3d2FbN5ehDhKv41xw8be3ADbdpaSnZlAs0YJBAJGJ2PTtjJyCyrJykigReNkw+yRWwlAUqKD4rIATruFjHT3IZs9dKnjtqo8tPwxnl37FDd3vo1n1k1GX6xzV8d7OevHCVhVK13SOrOrYjdhInw44HMuXngulZFKemb0IN9fwA7vDpacuIYrF11MoT+fHhndKQ6WstW7hdnDfuTmZdezuWQT3bK64Y8GWVewhq9PmMety29kQ9E6shPrkluxj+s63cSFzS/hvJ/OIKJH6JHenTx/Abv8OykYX8mNy65hbt5sPhj0Mef+cDaX/3Ihc4//jidXPcu1C6+gY3ondvi2Ux4oZ+PY3fSq04c3t77KpspNKEiaJLZEyEP3T5qY/BnMQGZyWGiaDg545b0lvDzlFzwuJ7tzS3jzyQnUSXEz9PRXqZOaSH6RF6tFMOudifTsmcV9j//Ek698T0Z6IqUVXjwuW1VCSG0SN2xM+WQ99z/9HVFNIRIJceX5/bj6iu48/+IyJr/6Ay6Xk917i5l8z8kM7NuYAWNfpbQiwP9dOoC7nviWY/u14LOY2QOMHt7vmT0UoaDrMHXHu4xoeCIP9L8Xi7Dx4Op7eavPu4ysPwohBGc3P5vVxWtZVbKcPhk9Oan+GPYF9nJ568vYXrGbL/bOoH1yW05tdAY/F/7IHR3vZlXJGhYU/kC7lA6c3vgcpitTuKPjPezy7uFDxzTaJLVhYtMLeDL8MFtH7+K+1ffwwNJ7OL/ZxZzVZCLbKrdzdburWFW8hiVFi7AqVnJcOaTYUwhqAZw2Fy0TW+ENhLlp2fWMaTKej46dxrLcdZyz4DSSrAm0S+5IKBxm6Lf9KfYX8mKfN5jU4my84Sjq0XrHYvKvxRy4NjksRCyLo0v7ugzs3ZThg1pS6YsydcZqOnWtQ4smGYQjGl+8dSaVvjDf/7ydzZvKuf3Rzxgzoj23XDGASm+YWOZ6rRI3exSXhLn0ls+QUuGGi/vicbu45q5P2bPNT89O9Rl4TFOOH9SCYFhn+sw1ZOc4ePmRUdTLTuL9GYs4cUhrnrpneJXZQ/yB2QOMbD5dQnm4jLrOHCKhCHVd9UBI8gJFuC0evtj5GWO/GE1RsICPh36IRTEO9mPe95zyxWhWlS1nznHfYVWNYbvlBUs58csR/FAwj8+HzCDDmUBYD7G5dCMnfXk803a8x5xjv6Oepw4VkTKiehRFqJzX7CIsWFhRsowEaxI/7JvLqM9HsrF8PTOGfozHYmd0g3Hs9e/l5G9OZGvZZiY2ncRW707C0RAj651MJByhRWIr5g9fTKY7ibJwCWEtxFvHvEe/7IG8seUVOMSMRxOTP4sZyEz+MlLGEjlCcPdTc1i0Yjf16nrIruPBZlWxZSmkpbgY2LsxA0bXp15WMm6Xjbx8LxBk0mndOevSduRkpmG1KAhrbWcuGmaPsvIQFd4QyYlO9uZVMKxfMy45qy9aFB56fj4/LtpBZh0P9esm4HRaUOyCE05sQp/uDdm4NZdjujWkdY+0KrNHIBjlq7nbWba6AKv1wGYPiURVIN2RwZbKzVhtVjZXbkRBoYEnk6AWZGSj0bwzbDoDMocSjkqEKhBCMLDuEKYc9yHHZp9AVIttR9A1szsfHfs5oxuMI6JJUMCiWGmV2oaPjvucUxufSTSWdeOxJmBTbNit8GPB90RllJaJrQhpQQbmDGbqcR9zXM6JRDWJRYFbl99Iu5T2+M+L0DdrADcsvYpUWwoIWFG6HKvDiseiUBwqNHq5Fhd1PHUY0WwIHVI7oWNkOiLiWSEmJkcOM5CZHBZCUZAhmL9wB4GgTiSik1fo59sftjD7w+18//N25v28jdeeXMXOvbm88/EKMjM8ZKTX5bTLpnDSiGns3LuHL2ZvZN8OH/aDKJ3+lrbHzR4NEhjatwkbt+ejaTrbdxezakM+Uuj8uGgnPn8EXdfJKwjy5ZxNLF+az/Hj3ufN6YbZ45aHP+K00z6uMnt898NWRpz1PItX7sXm/K3ZA4w5MiFgUvOL+X73HE798kwmr36Ms5ueT24gl29zv2LO3m9p4G7IuMYj0TTJroq9fJf7FfP2ziHdXoczmp5CWJfk+4r4Yu9nLMpfiIbOBS3PIaxJSgIVzNzzCWsKVuGNerm01STCuqQoUMZHO6eRW7GPoV8fy8TvT2d4kxNIs6fxya4P+DF3PknWFM5qNg5vJAIC0u3pbC7dyFOrH2d96VrS7RnUT0zn7KbnMXnVY5w/5yJGzD6RjjNb8EPeIr7Y8xmFpYW8uvptZud+w+L8X1hatBaHKtDN0lWTI4w5WG3ylxFCoGk6igs+e+NM3pi2jPkLd3H3dYPZta8cv09yxuiOJHjsaLrk/FN743Y5yKqTwIzXzubRF+fhsNu54+qR5OZXEo7E095r90Gn6/Des+N54qUf+WHRdrIzE7l6Uieys928M3ksL767kO8X7uTmy/uxaXsJIa+keeM0WjYZwNB+zbBawOW0o8Xm+D6fvYGc7GzD7OE7sLFEFSr+CFzS4lKiepQvds7g6nY3cFen+9jj28OERmegRaOUhkqI6hJVKAQ1yaj6pxAKhykNlxDRjLT2sCY4tu4I+qcNxBupqN4ehYGZQ+ia2B1/1EdE01GFQkQT9KnTn07JXQnqAe7v9giXtbqasnAJI+uPQYtEKAuXEtGM84ai8HSPF3nQcQ8zdn7GmIbjub3jXYSj8EzPl2iV1IZv9s4i3ZnOG8e8S5vkdrRNbk+9Ng2QUjKi7gn0SjmGqB6tyvg3MTmSmGYPkz9NTbPH7Ldmcuu1N6AFQXVg9PF1quwYODHiUhSIlUAFSg2rh2KPHVAxXuFyI529toUI+5k9iLU9BH4vuFyxdqsY13UIZo8uI57n4rN6csVFXX/f7BHDZaPKhhIIg0UBa1w5FQVfxPieVQGb1ficKPiiMSGIMO5n3Kbii8mXFQGOmtsj8VWma2zHuK5A2Nhut+9/XsWoVccqYufWMf6tIhDRje874+2P/dsHo/ufl9hK1loEgtq/L5CZZo/a4XfNHmYUM/mzyBovAARUeCNY/GrV94nZMfDFhwqNISUBWCyKsRJy0PhhLdaVUVXlqGiq9jN7CGN1ZqEI1LjZQ/6R2cMwcFhUw+zx4Uunk5Od+MdmD4y5srJguMqYYRFWdF3g9YWM4wsVRSgIKYjognBQVmmi4kXGUSkJBTRj3k0oKDFLhy6hIhCN1awpVfaOmtuN6xeoQkWXEPJHY0vRGOeN28YiUhIKaSio6OhGm4RAR1IR0lBQ0DEMJ6pQqQhGqwqhJcY9tCiWf22yR4168/0+mhw5JNWJzfJXL3No0eSIoCqi6h1ofK0yRQGvL4LVqmC1iNjD19hHVQX+QBRd13G7jr7xtqbZQ1Grr0VRjOxC4sqtqvZX/SSqun8vo2XTZEKHYPYAUBAk2+2x+jNLldnD7XDsv6M0ejN+LYhAYFNt6DIWUBBYlAP/Kf/57dYDbjcClPEzKup+2y2x7UqNKXeLsOx/U/6d8cvkH4IZyEyOCFJKnE7joR6NgsUG3y/Yy3nXT+H00T2499YBhCohFNJJSFSYMWsLl932MfWy03hn8liaNEgiFK69RTV/jaZLbFaB3WYYOkLharOHwyawWDC0TDFrhz1m9ohqYLEYGqtoLAj5A0aP7veuRCJRAI0INyy+i692fUHXOt14uNtTCCGYv3suIT1ESAshgGaJzfFYEzh13mj6ZvbntX4vE45CRDdT2k1MzEBmckSw2yxs2VFOaXkAj9tOeqqTtq1T0aWVNRvy2bGtDHQr2RlugkFJ9y5ZjB/ZmadeXUAorO0nGq5t4maP/MIwu/aWkZnuoUGOi0DAyBbfuddLQVElddI8NKqXQDAk2ZfvR0rwuG2UV4Zw2FRSkp1VwuE/Qpc6bpvKfSuf5LGVD3J1h2t5acOLRIhyS/vbGPf9SaiKSofU9uz15hLSQ6w6aTNpzjosL13G7srdhDSFBu4couY4lsl/HDOQmRwWui7BAS8+v4hHnp9PkwZprFi3l0mn9uKpycNo3yqb737YSIch23C7LMz78AIa1k0ip76H0ce14dk3Fx61dcji7Xe5BR99sYl7nvoWn19HCI1rLxzAJRd15sWXlvPUq/Ox2ezkF5XzzL2j6NOjAX1GvUKFL8gNF/fn7ie/Y8gxzZjxxulVZg9dN+bNfs/sIXV4d/tbHNtwBE8Oehy3NZFH1tzPa8e8zgn1TsKiWDi35bksK1zBkqJfyHSk0yW1K29seoVOMzsb2Y5DvqN3ZjcCEd0U85r8ZzF/800Og1hXQIGv522hqMTL8YNacP6pPTh+SAt0v8TrC5GU6ObT10+nqMTPJ7PW4XBB1K9TUhZASomuywPWWv3trZfGsGBpaZgLbvyUcFhyyxUDcNjtXHrLR+zdEaBbhxwG9G7KqGPb4PVFeO+TlWTVc/DU3ceTmuxi6ozFDOrdhIdvHYpew+zhcQsc9t83e2gSykIl1Hc1IBKOUN/VAIkk119MgjWRz3d+xqiZIykKFvLF0JnYVElJuASLamHagI+xqTam7XgPVZHIo+H3MjH5h2D2yEwOg1hvQ4erJ/XG7bLw7oxVlJSUo+lw7EkNAcHgPs0YfEoD6mUnE45oYAWLRyElyYlFNT5aEwSh4toNZhKJRRUUlwYpqwjSsmk623aVMuiYpvTu2oBoWOep135i+Zo9nDOuG/XqJuB0WFFtglPGt+DLuZt4fepczhnbi479M/DtMmwdgZDGz8v2kZrkpHWLdKKR3879GWYPQZq9Dtu9W7HarGz1bkEgqO/OIKQFOaHhSYysdzJuSwIR3dBpWYWVjmldGNq8P81XtCQijRx5ac6TmfyHMXtkJoeBMXyGDk+9+hMFRX6uu7w3/iD8uGgHO9ZWsHDZdhYs2cmUF9axY08eX87eSGlxiPvvX8Ctj8wiFPZz0f99xEuvrcBuE7Vm9QAjAzEUkTRumEj/ng3ZsrMAl8NCYXElG7cWI5F8M38LgZBGUoKNwqIQX3+/idUrCxl96ge8PvUXzj6lPzc+8CETz/7MMHt4YM6CrQyZ8CwLFu/C/gdmj4nNJjFn13ec+/UFPLX6UU5vfDYFoXzm5H3Lj3nf0ya5Pac1Hk1U09lTmct3uV+zpOgXPlj7CcuKl/DVvi/IrSzErii1eu9MTP5JmD0yk8NHh67tc1iyajfTP1jH0L7NuPOaQVRWapx8bCuSkxIoKw9y+qguJHhcRIKCktIAddJcnDOuN6VlFfh84aOS6IEEqcPU5yfw0HPf8/l368nMSOTCM7qSXdfNW0+cwnNv/cynX2/k6km92bitmIqSKBlpbi46ozcjBrVElxoOu8Uwewj4fPZGsjLSOXNsB0K/Y/YIRCWXt7yCoBbky52fcWGrS3mgy6Ps8e3l+JyT0DSNXP9eorITqqLgjUQYlD0UIQWloXLGNToVgSAQ1VDstW9EMTH5pyCKTLOHyZ+kptljzlszufW6Gwh7webGMHzYQAsZ6idrIkYVo4ZhyJAQLAdHIsbbKI0qk4av4uhlLVosYPfE2mplf7OHJdZGaXzUfKC6jK9l8Ldmj47HPceFZ/Tg2su7U1n8+2YPQQ0zhoBgxDB1/K7ZA6oMGwDhMESkWap1tFBV8Fb6GX/taE4Yfwq9j+lHc9PsccTRdI10m0qHFzpy+a/NHke7cSb/DvzBCKGQahQQ+405ISEE/gK9qkBa16vNHpXFOnrs4Ssxei1HY2VoMIJnNCoJlUgUETOQCKM9lT5ZVdkcN5aoqkDzyyp7ya/NHtOeP5VG9ZIJlB+K2QMqQ4YZPm7g0CQEfmXYAKNmLBgwitUUoaDLmBHlX2zMMDE5FMxAZnJEiAcrqB5KEwKsFmPuRmI86ONvUhVFQcEIGP+EuZ144IovTRN/Nx23fUhp9Laq9636QSwCavaHOrROIxg69CVpFNSYzklUBSSLYq26bzIWWGvaNRACNdYlM4OYyX8dM5CZHBGsVhWrRRCNVuubolEj0cFuM4wf4YjR81EUgdViBIRwRGKzGY/iUPjoDC2CYfawWgQ2q3EN4YjRTl2XWCwCm5WqGrG4zUPEP7cKpG58DuCr6pH+8Xmrjy+IahCuYRT59X0TQmC11jivxQiy8fOamPxXMQOZyRGhtCyA1AUetw1/0FiuIznJgccjyM0LUuENkVUngaREBX8ASitChMMa9bJd7M0LICVkpDuJHgU7upSQ4BaUlEXZvL2C9FQ32Zl2fF5wuwQVlTo7dleQ6HGAgAS3jbKKMFIHl9NKcWkYm1UlwWM7ZLNH/Lwet6CsQmPz9nJSk13kZDkIBI3v79zrpcIbJCcrkZQkG+EwlJQG0XSJ22mjJBDGoiokeOy/fyITk385ZiAzOQyMuSEZhePPfputO0q45YrBPPXqArIzEpj/0SSefn0xj700j4oKjcYNEnjq7pMYPqQRJ5/3Aas35HPcwOZ89s16IlGdJV9cQrNGyQRDstZsH7oucboFM7/bxl1PfENJaRi7Hf7vkkGce3Z7Zs/exeW3z2DL9jJSk51YLIK3J4/nittmUlDk5bqL+3PvU98xoGcTPn390M0eui5xugTf/biLWx6aRVFJCNUiufr8flx2QRduvGM2M75dCyggdT54+Qwy0twMnvA6+wrK+b9LBvLQc9/TvnUWX71zDqp68OJrE5N/O2YdmclhIXWJsMKDNx9Lo/qpTJu5mMw6Hp66fzgr1uVx04OfMOq4dnzzyVkgVCZd/zF+r8alZ/ckv6ic9ZsLefHhE3n4luNISnSg6bU3vBhfkqW8PMJ5132E1xfljmsGYVEtnHf9h2zcUM4Vd3xOIBjl+0/O5ebLBxCORMjOSOCBm4bhcFiYOmMx3TvW5+7rB6Hr1WYPt+vgZg8ZSxgJBjQm3fAJeYV+br9qEKlJbi6/bTrbtlRyTPeGDOzdhNHD27JpewEzv9lAnSw79904lLRkF1M/W0LrFhk8dPNQVOXQ5+NMTP6NmIHM5DAQscW84PhxTTlzTCdWrd9Ovx4NGTSmITt2lwIKE8d1ZcCJDThlRDv25hdTXhllSL+mOOx2nrzreCZc3JbLzu9CapIDTTt4L+ZII5FYLFBYFKCkNEBKkpONWwvp17MxF53Rk/KyIFt3lHDCkDYcM7IeV1/VnYUzL6dhThKjTm/OiEEtWbV+Oycf24Yex2aja8YfVDis8dOSXNZtLsFi4YDJLKoKJaVhCop8pKe42bC1kG4d6nHu+D4UlwaY/PqPbNxagNttIynBhc1mQbUJxpzWglHHtWXV+u0MH9CcvsfXQ0eYFWQm/2nMQGZyWEgJ2OCyi2dx80Ofc+74QbzwzjwmjPyIDm2yqJOawPnXf8C1F33Lg8/NZkif1ricFm687yuCoQpuf/Rbbr/6e4oKItS2btEwe0Djhon06lKfHXuKqZPmxh8IsW5LIc0ap3HCkJY8/9Z8rjrvG06d+BEnnP02e3IrOOP0T3n1/V84Y3R/rrv3Qy4+/0skOo4EmPPTdvqPfZp5P2/H7vqt2UMIiEQkOXWd9O/ZiG27C0lPcREKR9i+uxR/IMK8n9bhcbnISHVTXunn8+82kJfv57zzZ/LEK/M465T+3P3kF5x52gykrqEIM5SZ/Hcx58hMDoOYoioKwWCYMSM6cvJxbQkEo4SjOlnpHma+dT4PPD2XHxZu49JzenPrFYOIRnUqvCFOOb4rXn+YHbtKsViM91S1vpSLlCAF016cwH1PzWXKJ8vJqJPAxLGdSfBYeP6Bk2hUP5kfF20nPdXDndcMIjnRQTSqMXFcd04c2opgMEQwFCUaNdr+xZwNpKYkc+Yp7Qn5D5b8IYhE4K2nTuGBZ+YydeYK0lI8TBjZnq4ds3juvlN5/7NlfDl3EzdcPJCCIj/+Uh0EnHpSV0Yd1xZ/IIKmaYTCEo9LEK3FYVkTk38SptnD5E9zILMHGmAB3Q+KE1AgWGaYKBQHEDW+H/Iaxg9nCoadImbMCJQevXkeKcFqAZsn1k4bEAFfJVjUmPFDi20PQygA9mSj/TIIwmkcJ1AGqgLthj7LpNO6cePVvX7X7GHM0YE9IXZeq/Ex4AOnG6NaOmZDQUC4EmwJsZ+Nn1cc3XtnYpo9agvT7GHyt1NSHMaiWIzaK5/xVLVYFPwBiYzVVek1io0rCvVqNWDMinG0EAIiUUnwAGaPqCYJlf52e7z9iiLQvbLqGqIavPfMeJo1SiX4B2YPITCOX/O8CFRVUFmuVxWLx2+TqigEiw98XhOT/zIW842cyZ9FYnSmav7uqIrxAAZiH6stH3EzhqpUmz3UKvtH7GEtf7vUSW1yMLNH3OJhtL+m8UMBahY+V7e9e8cMAkHQDsF/WHVeJKqocXxV+dU9Mc7ze+c1+WcgMfXNfwc176v81cvskZkcPgKsFrXKNCGEMXyoacYwpNVqGCoiEdA0iaqKqn113UiBh6NrqNB1Y20ya8ywEYmZPYxhR6P9mm5sF0JgsRgXrusxw4ZufB/A6/tzZg9VrTZ7RGoYReL3TdeMP1ZNM+TGAoEWu2/x7SYm/2XMQGZyWAghiIQlpRVBFKGgKgqaruOwW/C4LFitgqKSCF5fiPRUNx63oNKrU14ZQQiBy2mlojKMUAQel+2PT/g3EDdsVFTq7M71kpLkJD3Vit9vzPEVl4UpKfOTkuQkI81OMASV3ghSSuw2CxWVEaxWFafdUiVAPtTzul0Cn1+yLbeSpEQHGWk2/H6jPSVlUcorg3jcdqSUJLhtVHoj6LrEYbdQGYpiUQUOh/WPT2Zi8i/GDGQmfxlN0/G4rLz65ibuf+YTpLRhs1oIBMPkZCfx5VtnMn3mWh58fg6lpRGaNUnmtUfH4A9ojL3obepmpnLZxF489Nx8pC754q2zadkshVCo9oYZ44aNr7/fyZ2Pf01eQQCPR+XmywZzxhltePW1lTz5ynx0XSEQDPHsfaPo1D6bAWNeJRiKcPWkPtz/9Bz6dGvMx6+e+ufMHk7BD4v2cvNDs9ib58PpEFx34QAmTezI21PWcvsjX1FcGsbjsdCqaSavPDKacRdPYV9+OTdcNICHX5hP2xaZfPHWWabZw+Q/jTlLbPLXERCN6vTumsPePC/jTmxHUamfMSPaklfg5YV3lnDlnZ8zuHdzPn3vNPz+KKde9gFtW2TQoXU9ysoDDOvbjIJCLyMGt6Bp06RaDWKGkV9QURnh7Ks/pKQsxF3XDQapcOaV75O3O0jbFpn06d6Y00d1JL/Yz2tTl5JVz87Nl/dH0yRTZyyhdbMMbrq8z35mD5dLYD+I2QOMXlsopHHudR+za28Fd10zGI/LwQU3fsDsubu48P8+plH9NGZ9dCbD+jYnv8hLWoqTW68ciN1mYepnS2iQk8ztV/c3zR4m/3nMQGbylxFCENV0WjT2kJKUyAmDW1Enzc3wgc2pl53Ajj2lCCG46MyeHDe2CaeP6sz2XXmA4MH/O46yihBPvraA9DQ3d187GItQanWSXEqJxQoFhQGKin2kJrtYsyGf3l0bcuaYboT8Gu98tJwFS3YQimjUy/Jgt1uw2BUmXdyRk45tzbI1Wzj15I70G1kfLWb2iER0lq4qYPP2MsPs8ZvzGun+xSVhcvMrSU/1sHpjPp3b5TDptN7s3lNBKOTn/FN70G9Efd55ZhSfvX4mLqeFcRNbMmFkR5at2cLo4W0YekojdDPhw+Q/jhnITP4yUkpsNpV5C/MpLc9j5ncbKC7xMeObDezYXUY4opOc5OSSWz7m1qvm8dDzc+jbvQVOp0L3jpl07VCXZ9+YwTnjOpORZScQMNLQawtFCMJhaNQgkS4d6rJrXwmNGhgFbnmFXnQkU2asJhqVdGydQVlFlHk/b2Pj+hImnjeTV6Ys4rST+3H1XR9z9SXfABKHB+b9vJ2+Y57m2/lbDbNHPAskhhDGMjF1s5307lqfnXuKaJiThNWisHl7Mb261qdxg0xuuH8m9924gBPOfper7/yCSETj0gtm8fjL33P6qP7c8dgXXHDOF0hdQ5hmD5P/MGYgM/nLxBd0DIYDjBjUEo/bxpgRbfG4bRw3sDmtm6XzxZtnUTcziZlfr+WccV159+lxWC0qUsBtVw7kxKF9OXd8F8JBEEfht9FIcYcPXjyVY/s158V3FrJ1Zwmjh7cmq66Llx86iYw0N0+9tpAzx3SgS/u65O7xEwiGGX9ie04+ti0jBrUhv9BLJCoRKnw5dyNul5vTR7cj/Dtmj6gG70wey7gTOvDylEWs2ZjPSce2pHHDRD555Sz6dm/E9JkrsVktXH5uL3Qdikr8jDquPScf24bjB7ensMRHKKyjCHOOzOS/iygMm7/+Jn8OKSUum2Dlug3Meeszbrv9RqiMfbO6hAw00CKg2qkyV4T9Rho+gN1umDBCYWKy4Fq/FCA21GcFmwuIYBg8NPB7weWK7aRivO0ToPlBdQES9GDMZAIEyo3raTvkGSaO78qt1x/zx2YPC9jdNc6rg78CbDawOGPb7UAIAkFwJv3qvMIwiph/xUeP/cwe406hl2n2+FvQdI10u0rHFzpyWa8buKjzmRSGTLOHyRFACMPkUVYSwapakcj9ZmyEIpABozZK0/cvNg4GZdUxjubffFziGyqVNYwZRqFypbf6evRYtFAVgR4wEjuU2PULYRQxRzV484mxtGqWTrDiEMweUYm/JIoiBMZ/Cqoq8Ic0tICGqqholTpWxYJQoKLYaEP8vKbZw8TETL83OQIoisCiKjWG0IyPVitEo4D6W2OGUTgtjF3lUZAF/wohRKz9EuVXBpL4MiyqqN6uVJlJfpti36dHNsHAofUyVUWQYreChFDUsIFIwGNVUSyqoVBBxR8BVYBqEejSWIJGVUTV8K6JyX8Z862cyRFBSmNtL5vNsFG4XbB4RS4Dxz3PM2/8jDtBxHRUxv6qaghzpW78nLFu19Frv65LFKW6/fGlV+KLb9pths2jqlemGi8w2h7/HMDrlX+4QKhEogioiHh5Ys0znPLtBObmzcWugkXAsuLVnDbnLAZ+OYSHVj2BTYWtldsZNKsPty6/AbdVoGCorUxM/uuYgczkiOCwWymvCLN7n5eSshCVPo2G9RPYudfLohV78XrDBEPRmNoJQmEdrz+CxyPw+aP4/FGsRymYSQkel6Gbys33EQzpeNwCJNht4PVH2bW3kkpvBKfdiE6hkEYgGEXXJT5/lHC4OgleUf54qFQisQgoDBYwO/c7Pt4xnbXla6oC4lWLL2Vt6RrSnXW4eeF1fLJrBnUT61AcKeaHgu/xR/x4oz6sh2gRMTH5N2MOLZocFrouwQHT3lvFvZPnkpzoYuvOQs4/rRePPjaYnp0b8f3CzTTqOZk6aS5mvT2RBvXcjD1nGhu3FnLi0FZMn7maSFTnp08vonGDREIheciapyPRfqdLMPfnPdzx+Nfs2lNJarKNW64cwrixLXnjrdU8+cp8QmHQ9QjP3jeKtq0yGTLudcLRKFecewwPPTePXp0b8MFLEw7Z7KGgENIlzROb8PHAGTQtq181TKhJyf2dH6Vnna6Uhr18tH0ae317SXZ5GJg1mOnb3qfZJ82xCiufDPqSDqltCEZ1lKOR9mli8g/A/M03OQxi3ScF3vxgOTv3lnDmmI5MOKkTfbs1QPdJ/P4QoPD0PSewYUshH325BuGGsSe0ZduuQmb/uI07rh3A1ecfg8tpRa/FxSElhqnf641yxpXTySvwcff1QwlHJOMvfo/8vUFaNE6nZ+cGnH1KJ/bkVvLSu4vJzLFzxbm9qKgMMfWzpdTLSuLK83vutxK0y2kMR/5RDzOq63gjAaJ6FE1qaFIjokcZmN0Li2JhwrxR1HXlMK7ReGRY4o16CeshHu76JKXhUt7d9hYWVaJL/fdPZGLyL8bskZkcBrGIo8N1F/VBVeGxl39CVSJkpCdw8vhm6BKGD2zF6Ze24ZaHUyivDCGcMGJQSxwOJ889MJIBp+RAPoR8hgG/1hRVUmK1CXbt8ZNf4KVbxxxWrM2lR6cGtG+dTcCn8eGXa/h52U6Sk9zUzfJgs1mwOhQuv6Yrqzfm8/J73/DMPWczdGwjvFslqgJRTWf1hlJcTiv1cxKNpI8DnR9wWRRcVicWxUKCNRHVpmKNgC8S4vT5p5Pvy2PGsK9JsScb1n1hoUud7pzVYTzPb3waX7QynnFSK/fMxOSfiNkjMzkMjOEzdHj7wxW4XQ4eumsIZRUaU2esInebj1Xr97JyXS5fTdnOzj1FLFy2m/wdfp58ZQHBYCVPvfIjT9z5C0X5EaM3Voutj5s9GjZIoH3rTPbll9G2RQZup4XyihASyWtTl6Jrgv49GuD16fy4aAdbN5dy8cWzeOW9xYw/sS9X3PExN101BxEze8z/ZQd9Rk/myzmbcBzA7GHcOR2bIlhVspHbl9zDPt9epm17l483z0QVkpPmjOSz9R/TLbMH1/1yBY+seYSySCU/FfzA+rI1fLd5HuvL1vJT4Y8U+0uxCTPxw+S/ixnITA4fCanJTnbsKuLFV5bSvmUWrzwyitx9Adq1rEPzJmksX5PHoGMak5RopyQ3zObtRQzu04rcggq+/2lHVb1VbSd7xMsCPnzpNPp0a8hjL33PsrX7GNa/KZnZTp6/fyQet417nprHmBGtadE0nZ3bvOQWVnDi0FacdGxbBvVuysatRYSjumH2mLMJVbVz6qiDmz2klFgU2OXbyZd7ZjI0+zhC0TA/5P9AUNPxWBMY1nw4u7y7CIYDtE1qS6nfT31PQzqndmNFySq6pfcg21mX4qAPi2Kag03+u5hmD5M/TU2zx9y3Z3LrdTfgL9NxORUqvTpulxGUohrY3Bi1UDqGHQPD7mGLGzOMBY8JVBy957CUxrpjVidoIVAdRnvjZg9dB0WNtV+AFgDVaeyjhWPmEmFcg6pAm8HPcOYpnbnr5r5UFv2O2QNwqKBaYl/EereBCDhrLs0mQItCVAd7fOkxnaq3oaEIRA9hNWqTvwfT7FE7mGYPk7+dSFTH6xNYLAr+QLWxI1hipKULIdClYclQFIVQqV41ECb4fQPG301c4hsMGcXQekA/oNkjXhitxMwexs8KdL+suoaoBi8/PIr2rTIJlv+B2QMIahItqsXrwlEQKEKlMqRVWVKM7QqKUKgIRWMWMAVpVEujCNUsjDb5T2Mxu2MmfxZZ41UTIUQs69AwdggMfVK8p2WpMcSmxrYLYfSI/glmDzVmIPmt2QOM+cCDmD3k/nVjg/vVP2Szh8BI4Ijfo6rzCpXYaeM7xrYb68IY900xczz+YRzsb8Pk8Pn1fa15r805MpMjgqIYRgwhQFEgHrN03cjks1qqvwZibsLY92OWjKNt9gCwWgSKUtPsEWu/NWb8qOqVGS+g6rrjVFbKQ5YgV5+X/c6r64b5w2oxhivVeAAV1RaRX5/XxOS/ihnITA4fYTzww2FjqCuqSTTNyGj0eIzlSiq8ESwWo74KjHmnUFjDkyCIRCThiH5UzR5ulxHASspDaDqG2UMHh10QjkoKigIEQ3qV2UPXJdGocb3hsL5fu9VDMHvEz+tyCiyqcd5oVOJxC2Ts/FJChTdMVJOEInpVoAtHYueN6Ohm+ZiJiTlHZnI4GMFKRuC4M95kb14l117Yjxff+YXkBCffvj+RN6at44FnZ5OfH6Bj2zo8etuJ9OyWyUnnTGPL9mJOOrYVUz5dSVST/PDRJBrmJBKOyFqbKNd1icMp+GlpLnc89jWbt5eRWcfJ7VcN5aSTmvL2u2t48pUf8Ps1VFXyzH0n07JpHYaf/iZRXefSs3vxyAvf071Dfaa+MK7a7BGbDzzYdei6xOEQLF9bwC0Pf82GLcWkJtu5+bJBjB/bik9nbOHWR2exd5+f9DQHrZplMvmuEzjjyukUFnu56vy+PPnKApo1TuOTV06PDYvWyi0zMfnHYfbITA4LXZcIK1xwRneiUZ1pny3F549w1YU9Wbe5kPOum0Lb5lm8/NRItuwo5ZyrPyAc1Bl1XGs2bN3HjK/Xc80FvTlvfBfsNkutP4xVVeAPRDntsmns3FPBPdcNweeLcvJ571CQG6JRvRS6ts/hnHFd2LarjOffWkRGPRvnjO9Cbn4lUz9bSlKig0mnd0bq1aP4TrvAZhMHnSxRFEE0qnPWVR+yen0+d10zBEVRmHDpFH5csJezrp6Ow27jnVfG0LpZBqs35JOU6OD8U7tRVhFk6mdLsdpULj6r21EfljUxOdqYPTKTwyC2jIgG513RkZLSEDfc9y5XnT+S0y5py+uPrwIkN102kF4nZbJ+XQn3PDWL4tIIE0a257JbZ/LCQyczaFy9KrNHpBbNHrqUOGyCnXv87M2toFvHuixdvY+u7evRunkG/oooX87ZxC8rduN2Oaib5cZqVbDZVW64uSdbd5bw0rtf8dx9EznhzGZ4txg1aZou2bStHLvdQt1Mj2HCr3FeKSU2qyA3P8SO3WW0bJLGsjX7aNM8k1ZNM9m4uRivr5JrJo1m5KnNGdm3ORu2lONxW7ngmo5s3l7Moy/O4IGbTuWU81ri2ybNnEWT/zRmj8zksJAANrj3lh+46YGvmHDSACa/9j3XTPqWDq2ycTntXHfvTJ64exGPv/w9Xds3we2y8MiLPxAKe3n53UW88OAyivMjv3ng/91UmT3qJ9C6eR3yiiro1jGH9DSnMe8lJM+99QtSF5wwpDmBACxctpsd28u5+spvee39JZxyfF8uu+0T7r7xB4SQONzww6Kd9B41mc++3YDD/VuzhxCCcERSN9tBxzZZ7M0vo0u7bOpmJlBc6qdn1/pkZaRx+2Nf8cJDyzjryo+57ZFviUY1brlmHo+//CPjTujLLQ99xY2XzwGpY+bJmfyXMQOZyWEQU1RpsHjFHrp1rMtJw9rSr2dzFq/aS1aGhw9fnkgkovPMqws4bkBzpj43nkhU5+cluzimWzPWb8lnxtcbUFSjEqq2h8h0KbFYBB+8dBqd29Tl7ie+5YdfdnBMt/pkZjmZfNfxqKrghvu+YfigZuRkJbJlYzkbthYy6JgmjBzahl5d6vPL8j2EIzrCCrPmbiQaVRg/si2RwEHMHoAuBe89M45BvZtw7+TZfDN/Cz0659CscTIfvXwGTeqn8Ojz89mdW864ke2IarB09V769WgUO29DlqzaQyCo1ygTMDH57yEKTLOHyZ+kptljXszsQRhQIRoEix1QIOg11vMSCoRCYHdCJGgYP5we9isACVQeXbOH3Wa0OxwAmzPWJh84nRCJxMoHrEabo0GwOGKfh2PXCwS8Rkp864HPcOrJHbj/jgG/b/aQxiraNgeEg2CL3Td/JThsoFghHIpZUKIQCFTft2gYLDZj/6N570z2N3scb5o9/jbiZo9OMbPHhabZw+RIU1oewaKoCEUgg4ZvSVUFPn+1DaOyXI8tOimoLJfUrAJWj+ICkUJAMCyRQSNbMhg2PsbNHoqAcLi6xktRBIEQRmGyAjIgq64hGoXn7h9J9445hCoMi0kcXUqQ+xdTRyKSUEiiqgrhsETKWAJKUELQ2DdUpiMQsXto3DehiP3Oa2LyX8YMZCZHBFUR1T0PtfrBqsSGvKSU+/VMjIfvP+cBrAiBahVYrQCCYMjYXnPITq1xXWqNhESh7i+IGj6oEUXFESIRI/lDYgQtt8M4VihcM4bHjCLsPwRZ83NV+e19kxIU9QBDlkfZkGJicjQw58hMjgjxJbFqLo0lZcxQoVBV51TT7BHf72gvpyWlYdUorwyxZGUuK9YVVbVHj6XUq2rM6VvDvKEqVL2EAE2XuFzw7fxdND7mMfbmlWOzARhFzAuX5bF8TQHBkPab6z3Uy4+fP273qGkgEQIsFqq+rjp2LOiaAc7k34oZyEwOHwG6bngWjWBlPNwtFsNQIYRh8bDbwek0vtal8TI0VcZhjtYIma7rONzwytQlDBz/IlNnrKqyaDidAofdqDWDmPEjZgIJhjS8PqPnpUuj/boO9bISufjMniQlOIhEjV5UIBjmiZd/5JhRLzL3p204XaAdYJ2y3yNuILGo4A9EUVXjayQ4Hcb9r6gMA2C3GTdTVar/PaSsDromJv8mzKFFk7+Mput4XDZef3MzT702i0hExeW0UekL0qheKtNfGM8ns7Zw39Oz2Zvrp0vHDF64/2TyCv1Mun46mRkpTBzfhefeXIiuSaY8O4EWTZMJhWrP7FGFAmVlQRrkZPLIrYOp9BnmjbWbirntkW9Yua6AzHQHN18+hNEnNePJ5xfz4juLSHDb2LWviPv/73guuKgjP3y7jyvvmInbZSGvqAMZ6Q58fp30VAeT7zmRb+ZvIRCM/OYtZLwH9XsmEKdL8P3CPdw7+Ts2by+jacMk7rthOH36ZPPyGyt48d2f8fk1khKsPHf/aNq1ymDcxdNYu2kvV57Xn2kzVxMOR5n55lmkpTiIRMygZvLvwOyRmfxl4kNtrZqms3pDLj061WPtpgK6ts9h+dpcXnl/GWdd/SE5Wck8cf9xrFybz/hLptOsYSoet5Ptu0ro07UB6zYV0rxJOg3qewiHj0IQi1+PEFgsRs9GERAJa0y8+mMWr9zHHVcPQkrBmAteY88eP0+/9hPllT4uOL0rw/q3pHmjNCI+aNwgiROHtmLBkq0UFPpAGOs2x4dVVfXAHkabNWYCOQBGdqOgoCjAhEumUlwa5K5rh7BxazHHnvEGoYBO3cwEOrXN4ZyxXVi8ch+vT1uK3Q1jT2yLLxBh2sxl7Mkt5+xTOuNxWYkeotTYxOR/ATOQmfxlhBBEohqd2qWQkpTCmWM6UzcrkdNO7kCTBsmsWp+LruvcefVQzr2iI5efcwwr1+3Abrfy+B0nUukNM/3ztaSmOHn89hG4nJajLsGVsSFPm1WQXxhk49ZC6mYksmz1Ppo3rsNxA9qghSX33jCM+tkJ3PH4XFat20N+kRclDPWaurl8Ym9sNhcpyU6URPGb4x+IPXk+du+rPGBw0aXEbodtO8soKK4kJcnN0lV76dO9EUP7NcVXofPN91tYsXYveYUVZNVxowiBApx9cTvuuOpYfl66lhGDWnDlrd2wWlWjhtrE5F+CGchM/jJGT0Fl8cpSSsuLmLdwG2XlAeb8tJ29eRWoqoLVqnLzw7N44ZFlPPXaD7Rv1QiLFfp2z6FVszrc+fg0Tj2pPQ0auvB55QGLh2v1mmIXFo5IMjNddGiTxb78Mnp2rkeLxmlomrF46AdfrKFXl6Y8fuexrNlYyFsfLEe1wxczt3H/M7MJh4O8MmURH03bZGQd1kh0iWOIg2HLjhKOGfUsz735C07Xb/dTBISCkhaNU6iXnUJpuZd+PRpSLysBu81CMKLxzJvzcTkcjD2hLT6/xi/Ld1NcFuSVySu4/r4vGHXcMbw+bRkXn/slgWAYVZVm7ZnJvwYzkJkcBkbg2bWvmM7t6lBaFqB31/oUl/pp3yqLtGQXH750OqUVQe5/Yg59ejRkyjPjcNotqBbBTZf1p3vHtlx4enciYYk4yr+NQoDNasHiEei6xKIK3nziFHp0qsetj3zN9C/W0KV9XRITrfj8Yb6cs47n31jMMd2acPPlA9AlfD57I9/M30jPzk34YdFWPvxiLYpi1JslJtixWKoXw5SAYoP5v2wnr6CcM0Z3RNcO1C5BJAqpqQ4+ePFUkhMd3HD/LOb+vJ1u7XNIS7Xx8C0jKSqt5PLbvuDEoS1RVYV9e/wsWLyL5o2TOWlYG/p2b8CPi3ZQVBLEYhFIU2tl8i/BTPYw+csoikKlN8xVVzbj9FE3oCrE8ryN78drmk4YdAn+ILjdEI0YdVSRCJw4tDkjBjUHDLPF0a7r1TTJ1p35zJm9k2O6NiQckjRpmMSMN0/D7wOXE7BA0AefvX6msY5YWZC0VAeKgGAlvPDACFBHgAaogG4YOQIBjY9nraOopIJItIZUUofpM1cz7oRudOlWh8piuV+9WhxFEQQD0KNTFvM+PBefz7ifKOD3wo2X9uLK83phsxpGEHTDpvLmUyeBgEgYzp3QHlQI+o3vKeYkmcm/BDOQmRwWQoAMQaU3gkU9+K+TEMbKyUKIquHDUCheFWx49I8WQgi0EBw7oBm5BcXM/2UXfbo3RJEQDktCIaMOzuuPmTdi7Y9qkJ7mIBQy+jaKEHh9+/dyJMZ8my8QZcnKvZw7vjsdWmUZmitVIRyE/7tsAM0ap+CrjKIo6u+0E/yBeB2ZwOutYU3xyliav0T3x2vzjEVL4z8bihV5K4e48KeJyf8KZiAzOWyEMB6OB5vfEsJwFkYjAl1C1CjJwqIKHA7j65rbaxtFEYSCMOiYhgzr1xCAQBBAVBVr67oRGGpeopSS8oooToe1Kgwf6B5oGiQn2Hn+weEgIRwxHIqKIohG4IShjY0enAYB5fe9ifHj6/qv7R9x7ZWoKpaOf139+Z+5KyYm/zso8aUAzZf5+iuvOPE6KEVUf21skfj8EcZe+BEjJ77Fx7M2YHcaxcC+QITzrvuc489+nakz1uBwxHyERwFdN5yHgSD4/LLa4BFrj6pUX5umSVwemPfzDpr1e5LS8gAWC/vZNH5zfAler8Trk0QiVA0t6uhE/fD8mte4e8X9RPVozMTx+/fBDEr/XI723+R/8WUme5gcEZwOK6oKwbCGqsbMEjq43AKX00qXdlnMX7SDn5fuQrWBy6ngclrp3CGDxSv3Mu/n7Sg2jkomnZSGccTpNBbFtNsEbpdA6uByCBTFuK74nF+8h1a/bhITx3bG6bAaZQN/EFzivdYq/ZXUcVgE6ys2cdnPk3hkzQNURirNP0oTkz+JObRocljougQHvPfOSl565xfKKsKkpTh4/I6R9OqRyYczNjH5tR/IzkgiLSUBm1UFJ3zx+VYef/l7MuokkJrswWm37t/Fq632S4ndLli9vog7n/iWVesKaVg/gTuuHsaggfWY9dV27n7yO7QoFJZWMGZEB558chizP9/D9fd9Rv3sNPblV9C6WSrRUE3PpCQ+NHkwhAAVwa3Lb6J/9iAKgnm1cs0mJv82zDd/JoeJEX2SEx20bp7BOeO78vOy3bz78Qq2ba9k3CXvIKXA4bCye18eHpeV3G1BTrtsCl5fhES3k2278rBYlaNSpKsKQTisMe7iqaxan89tVw0kN9/Lsae/gd+r8cr7S1i0YhsTJ3RiSJ9mtGmegRaApo2S6NejCTO/W01xqR8h5H6B2GYVxhpmB0GTGi6rwttbp1IeKeOOjvdSEi4mokePRjw3MfmfxgxkJodBTCcVhR8W7WDl+lx27i0hI92F3a6ydOU+kFFeengMb087mURPKm63nc2bi/EHS3jp4TG8NvVEGtbLMezttTy0qEuJ1Qa793rZtrOE9BQPS1bupUOrbIb0bUJJYYgrz+1Fr86NuW/yfH5aup2KyiDRSmjUNoGrzuuLzeogLcWFkrB/12tfvp/CkgCxWujfoAjjG69ueZG1Jau4Z9XtlPhLuODns4x78Q9a4sbE5J+OGchM/jJSGinkug+efGUOdpuN88Z3JhSGRSv2kJbiBAT3Pz2HB2/7iQpvMYtX7iU5yYGiuHngmTk8dtsv7NyTy7rNhVQUhbGotRfMFCGIRKB+TgKNGqRQVuFjSN8mtGqWjsNmJS3VxRdzNtG4QRqTHx6OP6DzyEs/ENV0vv5sO5Nf/5FwJMQb05bwzZc7EAIcbvh56W6OGTWZDz5fi8Nl2PV/jUAQikoe6/Yk93R+CIfqICqj9MschFUxi5VNTP4MZiAz+csIIYhqOooL7rn+BAqKKzn76k8YfEwTyiqCZKR7eO6+ccz/ZQtvf7iCYf07smVHMVkZCbz88HgWr9zFq1OXMrRfG4pL/OzLC2CzCmpzskzTJXa7wvQXTqVedhJX3vEZH3yxhpZN07C6obwiyPxfNjH5+V9I9Lh44MZhuJIUXpmylM9nr6Vjm/p88tVqpny6ykjmUGHW3I0UlgQZNbwVkd8pPI5InZ5ZnUl1pJLnzaVtSnt2eLfV2rWbmPxbEPlh07hm8ueQUuKyCVau28D3b8/k1utuQAtAICANi7sDdM2wSdgd4POD1QI2q9HbCobA6QB/wFjQ0hHbPxzhqEiDpQSH3WhLhVfD41JRbYYBIxLRsVoUissCJHocJLgFviC4HNXZi0qs9isQNK6z1aBnGHVcGx6/fwiVRfp+K2P/Gk3qWISCXY1/DRFT6Ps/haqCt9LP+GtHc/y4U+h5TD+at2p11FZx+Lei6RrpdpVOL3Tksl43cGHnMykMRVEVi5m1aHJkqKgMY7NaCUckobDxcAdBxGsol6JRYku0GD05r8/wNOq6UV8V3340EAICQQkCbFaVYEgig0a6vMWioEuok+pE08HrN9odN2zsfxzDifjAjcPo070hoUpD4/V7qEJBlxJfzMChKOKg82NSGvVlgj9/r+KlA7WJJjWM3rVAFUakluyfFFPT6qJJLXZ91fsDf7hWm4mJGchMDh8JDocVp1OgR42elaZVa5KqVoCuYaJQFFE1F3a0jfc12xA3eFSn0RuvSNR4ICs1DBoHY8KYVoT8hlfyUJ69iiKwW43HeSh84H2kNHq0VmvsTUHkT1wcxmrd2gGExH8XEkmCTa3yTfrDxv2zKfuHaYnRA91vfw18ESOgCcBuF7F/g6NTZ2jyz8ecIzM5LHRdgh3WbMhn1LnTOP3yD9m2sxS7w7BZGIYMGRuGk1WmjLg5QwjjHffvWTFqg3jb4u2Jt89oV3yxz+p2Gm2u+bH6WJVlOtGo/MMgJmVsiZawxuZtpWzaVrZfe+Lnimo6NrtkzcZixl30Pq++vxybVaJpNdtpZGHK+Oe/WgqmrCK83zZ5sP+kTrWTRf7mc/1X3z8YViF4d+sHnD/3Il7e8BaqEEips8u3jy2VO9lUsZ1NFdvY489DADbF2P/ieZfzzpbpWGM3T9MlG7aUsmVHGeGIbhpNTA6IGchMDgshAB3cTiuqqjBt5iL2FVRisRoPU7dL4HQIVAU8boHDJkAan9tsxjGcDoHNKo7au20pjTZ4nEY7nQ6BK2b2cDoEDrvx9LRZBXab0VtzOQUOu9FDstuNOb84qqoc0jCYrus43DD1s1X0OukZnnrtJ4xgaRy/6r65FKwWgSdB5ct5W/jq+y1YkkXVvVUUY47P7RQ4bGC3g8dlLEWjKpJKb4hjT3+D9ZsLsduNoT2navSO7PGXKrAqAqdFwR6z7zti+9T83GNVcKkCm2oEn1//k2kyitMKr295nbPmjyc3tI/Lfp7E8xufY49/D90+b0fXz9sw9Ns+DPiqJ8fM6oJE59XNr3HW3PEsKV3E2d9P4OkNT+Oygy8Y4t7Jc+kx8jlmzd2Iw23ozUxMamIGMpPDQggBIWjTMo3Hbh+BqiYYw28xvdOcn3Yz/My3aT3oaU699EO2767AkQhPvrKIfqNfocuIZxl1/lR27avEaq1916KUEpsdNmwtZfyl02kz+BmGn/U2Py3ZhzsVPv5qE4MmvE7X459n0ITXWL42n5KyIP1PeZNB49/knY9W0+PEl5h4zQxq5nTEe2p/iAKFxX48rgSeuGM4UhqB6Kcl+zjhnHdpPehpxl0yjdXrS2jeMZkhfVqwZsNeBp/wNqdc+D4bt5aybVcZA8a9wYRLPqL9sBfofNxzfPL1Fjxugd0psFpV9uSWE45GUT2CvOA+hn83gj5f9uaNrW9xzoKz6fZpF+blzef97R/S9/Nj6Pp5G0Z+N5KtlTtx2uCaxdfS58tePLHuWfp+1Z/mHzdlfdkm7Irhi6y6boy112bu+ZSWya35ctRMTmx4Mi9seoamyTl0TutC1/QevNnvbS5vfQ0RPYI36ufJdY9ybMMRLBm/iJGNR/P0+scJhHRSEh08eefxKMJKWUXoqK9ZZ/LPxPy1MDl8BASDOrkFlWiaTjSqo1slu/ZVMHLiW0QiOjdc3I9PvlrPhEumAoabsX3rLMad0J6Z363goy/XYvOArtVuIBPCyEwce9H7LFq+l5su68+O3WUce/oblJaESXDbaZiTwtmndGbR8r08/vICUrOtdO9YjwVLdvH+jGXk5nsZ3Kdx1YAbgNUisBziDLSiCBwOFYtFwWKBgiI/J058m9LyIDde2p9vv9/K2AvfJ1opCUc0tu0qomnTVBYu28PJ579DosdOIBDhgy+WM2FkW9wuO2dfPZ2flu6j5wmv0/HYyVR6w5xy4fs07vgke7fq1EvKYvG+hbRL7sB273byw3m0TGqGEILWKW05rfFZzNr9Oe9tewuhSNqndGRx8S/ct+pOeqb3oG9G/9gNrLpkA2n0uPtk9GNj0XpGzjiZ7/fNwSosKLpKPVdDVhYtZ/S3o8gN7GPpiUuxKBb2+HfRNbU7mq7RPbUn5ZFyikKlWARYrAoOm/qPmEs1+WdiJnuYHBEcHoXUZBeKIvC47SipgpXrCggEA9hsNpav3cfgPk1ISnBSnB9h5fo81mzMIxKFBI/bSAhR+EPx7pFElxKHXbBlewWbthXRpV02S1btpU2LLOpnp1BWFGbNhjzWbcpHVSxkZriM4UaXyhOTh+IPRnjp3Vm89ND5TLy6A97N0qgZE1BUGkRRBEkJ9kPqmem6RNPA5RKs21xMeaUXl7Mey9fso1/PxiiKggwbN6dnpya88vaJvPZoQybdOAVfIEyntnWJanDn4/3p+W4DRpz1AkXFAR66ZSibtxVz80Pfcvk5vWjbKp22jepyv+NxPtn6KfML5lEQzOPxHs/QMKkuD62ex/qyNSiKINmRQpQoIDiryTncsux67uv8CBd1Oxe8RvJFSItZSmJYFJVgRHJ5q6sI62HWl6/HolpJd2SgOCCkB2me1IK2Se1p5GlMw+QGVPo17KqD0kgpqk2lJFyMRVFxqS50CbLG3KqJyYEwe2Qmh4WUElT4/ofdvP/pCnQ9wsdfrmbeZ7vp0DoDi2pFUSUnDWtNs0ap5GQnsi+/ghffmUPThhlMHNeZSq/G8rX7CHq1qnW1aoO42aNe3QTqZSdR4Q0wYlALOrfJok66BxTB7Y/NRtcFV5zbA0VYWLMpn/w8Hw/f9zPTPlvF8YN7cN29X/Lyo8tRhMThNqwmfUY9zdTPVuN0g3bIxXGSSBhaNknFbrMjZZQTh7akVbM0sjM8lFUG2bmnlF9W7OHNZ1fx+vRFWK1OUpIc6LrOmg07ueHi77j5wa9ITkyhU9tMBg1rwGkndyQSiTJ8UAtGj2uJ1SPJdqYyofEZ3DT/WhKsiYxrOJrtpfm8uOJZ6nrqcUHzS/BpPlaXrqIi7OWjnR9SFChiQcEPfLjmU/J8FURiiTy//k+XIFC5vOVlDMkcSmmohCtaXU1FyMvG8vV4I5Xc3ukeLm91BZX+CB6ryrDs4byz+XXeWz2NNza/Qp86/UlzOInohzhEa/KfxgxkJodB7AljgdemLuG1qQtp3SybaTOX88QLP9O0WSJTnj2NnbtLmHTjR8xZsJX6WUk0aZrEpWcPYd7Pm7nqzi8Y2q8pm7YVUlwYxmqp3aQPTZc4HArTXphAeoqLi2/6mLc/Xk52hof0DDt3XTuYknIfEy6dTruWmUQiGssWF/DRl2tpkJPMCYPbkpZi543pywmGdRQbzJq7iV37vIwc2oLo75g94ggBVouKyyMIhSU5WW4+eOl0ikt8XHDDx3z+3Qbat8xky9YywuEw/Xs25MY7v2FvXgVvPj6OjCZ2dB0a1Etn5cY8HA4LU58/jXrZHirzdDRNZ/I9I8lMdxMo0EGHqC65otU1tKzTiuvb3oxVVUh3pHB11+tZVPAL5/90NkOyhrLXv5vdFQVM2f42TT3NmZc3mzuW3UZIC2FVBAr7v5DgtApm7P6YgV/2577Vd/Fcr5cZ2/gkthTvIqKHCYVDfLHnMzxWGxJBRIeHuz5O9/SeXPbDxXRK7cwT3Z8lFDWGXRM8diyWQ0ugMflvYpo9TP40BzJ7BCskFotRM6YIQEAoBG6XURtV6Y2QkmRFtUAwaCQ0lJZFcbss2KwQ1YwVoo/aemQO42NpeYQEjxW70zB7OGxQVqlhtai4XcZwmq6DRTXKCzTNMDsowqjtsqjQetAzHD+kFU8/POx3zR6appOQonDPowt48Nk5fP3euXTvUA9dSlxOo7dY4Y2QnGTFYjHupyKMc5R7NSyqiicZVq0u5JQL3kfTBS8+cgJDezdBCMOcEl8/zemCUACievXorUVAUEaxYSG+nJrTAqWhIE6LA4dq1Hhp0thXxvYRAsIa6LF0/JqVYRKJRShURLxURipo6MnBqoIvoqMKpeo4UkIkJkeWgE0xjlsYKKeOMwkpIawDUmf2gu2cfN47PH//yVwyqTOVJb9vS6ltTLNH7WCaPUz+dkJhDU23VD/tYiaJuMHD47ZWGzOEwOeTuJwWNA180Vjx61H6uzce+kbdl8dtRdPAW2G02+uX2G2GZcLrk1XF0lFj6sgIYOHq40SicMfVgxnYuxHhyt8v9hZCoIWhd9d6DOvXiI+/Wk+3DjmG+cQvUWP3LRSCYNBoTxQIRyQOu0okKtE1WLw8F4/LgpQK70xbzTGdGlGzeFtKqKw05u9q3uOIlFixoFEdULwRHafFYaxoHdGN60UQqvEOQ5c6bqvKU+ue4/0t72C3OdCkhoJCVAvTM6MPT3Z/nFR7AhEdgpoeM5hQdRzjvY6o+jysGWaVNHsSIc2oobOqCpU+jZnfbmDUca3o0CYztuabGSBM9scMZCZHhFiOQ/Xb/djH+MPUMH1UP0gVIarsH3809FYb7N/O6q/jGq2a+0B1T0fKatdinLNPa0vYB5HI7z90FUUQCsKAXg0Z1PssEMbPSEnVXGFNQwrE77Fx7xRFEPTBmWM6cNqoDoDRO9D13/ZsDzT3KBDo7L9kjCIUtFhPqWYSx6/3iWrQP3MQ2Y66WFVrVc9MkxpZzqyqHpuhmzrwcfZrS+z64r00IQSaDm6XlRcfPMG4FzqEA/8ME4zJPwszkJkcEfSYDUMIUeUDhBodtNiD1XD+xS0Z1fsgj+4DSjdEhjGlVrX3UJeyqt8QX/VZSok7QfD17B1M+r9PWDTzEtJSHDGbh6CyVDeciYcQoKWUhELx+2bcKyN4xs0gouq+ClFdZycAJEYFl179BuHPaqgOFFj+aC00gSAioUtqW7qltz3ARYE/+sfHOZT2GJJpWf1dM4aZHACLOUFm8meRNV7xDXabBadDoMd6CkaP4QA/K4131mpsyROpV1vkA8HaF9vG2+SwCSxW0KKgqkYvLBAwDBtgDCVaLEYvIRRrZ052EsMHNMduU/frAR3q/I3hTxRYbQItur9F3+M2kl6iUcMeEgob98gTM45ENWOuLD4Xpuu1e+8EEIjK/Yqhq7+3f2/usM/1PxK9JAf42zA5YtS8r7++12aPzOSw0HUJNtixp5R7npjDgsV7aFAviQY5KbicFvblllNQ7CcnO5Edu0s47eRO9OvRiJsfnEXzJhn8tHgXmRlOHrhpOD07ZxMIyFrtmRlmD8G2nRXcO/k7flm+j5ZNU7ntqiF0757J/Pl7uG/yHCq9ESp9fkYNb8/99w/k+6/3cdujs2iQk0pBkY/mTZKJatUjq/He28GewVJKrFbB3nwv9zw1mwWLd9OofhK3XTGYfn1zePqlJUyfuZLS8iBtW2Tw1N0jURXBuIs+xhcIM3FcV16btpSczEReeWQUqlr7ii8hBCrqH+9oYvI3889J/TH5HyQWdDQ49dJpfPLVei6/oCcel40PP19DKKzx9fwtZKR7mPntRuplJ/LEywtQFcG23aW8Pm0JY0e3YfvuMsZe9D4VlREstZx+byRu6Iy9aArfL9zBtRf0Yf2WIoae+jrhoM5Tr/3E7AXrOWtsBzq1rUtWHQ96GOpmu2naKI0pny6hoNiLqsj93oZbLALLHzzjFUVyxhUfMPPbDVx9/jHkFXgZNOE1CvKC2G0WmjdJZ/TwdnzwxTKmf76apDQLrZtnMO/nbbw/Yzmr1+fRvVNdVLV6qRMTk/8iZiAz+csYQ2Mq5bmwat0urr2gPzfe3ZtZ757Biq8vY8KJ7WlcL43LzulFw3rJXD7xGBRV0K5VJs0b12FYv+bc+9hArrmgH7n5JezaWxFbfLN2Hsq6lNhsgp27K1m7qYCMtASWrdlH66YZdGiTRUFukEvP6kGH1vW496nvWbc5D5tVJVoBzTskcdsVQ7BanaQmOxGu/RNByisiVHjDB+yRSWksQLovN8DyNbnUzUhixdo8GtVLpUen+uzeW8nmHUVs3FrAzn1leNxuAsEoDqfKo08O4YaLB/D194u55YqBXHtnTwyH7v/G8JuJyd+BGchM/jKGp1DDkwF1s9J45+OlfP72Via/uohn31zIL8v3UFBSweoNeZSVB1ixLo/yyiBrN+Vjtah8/8sW7r3lB555/UdystJoWD+JUARELQ0txs0eOdkesjMS8AdDjBzWit5d61MvK4n0NBcLlu6mW4cGPPXQcErKgtz5xGwims7Ceft466OlRCIRPvlqHQsX5ALgcMGSlXvpN+Zppny66oBmD2MBTklGhoOGOUmUVfo5fnAL+nRvQNOGqVR4Qzz+0he0aprNpWf1wOuLsGFLId5AhJefXsEb05cxfGB37n96Hi8+stzoDZqzMib/YcxAZnIYCDRdotphyjPjyUx3cebl03n85R9ITnSwa18ZyQmC7btLycpIYMPmArLrJLJ6Yz4el42GOcnM/HIj2ZkJTHv+VDxuC1q0dvsWmiZxOVXef248LoeV86//kJfeW0RyogOLG7buKOaTr5bz7EuLsVps3Hz5ANxJCvc/M5+X3/uZJg3See6tH5n82kJUVaBYDbPHpu2lDB/UjGj4wOUFug4Wi8Lbk8eSk5XABTd+xDNv/ozdptKqeSrnjh/Ml3PXcsGNn9KvZ2PWbMhn9zYfr76/BLfLyglD2uJyWnj6tZ/x+aJHZY7MxOSfgsgzzR4mf5KaZo/5b8/k1mtvIOwzvldSFiQpwYHTbdT8xLMXdRmvGYN1Wws47rS3aNIwjcfvPI7eXXLQNQiGjl7WotNhZAgWlwZJTHDg9hgGEr8/igAKin2kJDmpk2YjECQ2LxUvJzBemgZWK7QZ9AzD+jfn+ceH/67ZQ0pjHTFdQlFJkAS3HU+CIBwyMhILS0J4XHbs9nhNWnXtmpTxVH0jC9T8Kz56xM0e40yzx99K3OzR+YWOXGqaPUyOOAL8gQg2q5XUJAeabpgxRExHpMeKoTVN4nELvpy9hfRUJ2Xlft79cDU9O+bgC+hYjpJ2KG72UBRBaooDXQdvpVG75bAbfyJNGyYZFpKArC7mproGLj54GInADRf3Z1j/poS9+9fG6br8TVF1IGicJzV5//OGwpJEjx1dl4RiNotfB6v4vf0raLpE6rLqIhRVoMTOoel6VeF1dWG2jqxhbVHV/evkNN2IrjWDds0FMH8dzOPf23//+BCpQI0t7mlc48GPY2ICZvq9yRGiSoeE0euSwlg5WbVANGJonBRF4A/ANZOO4fJzegFgtSqEwhy1IBYn3v5otNqkoarGnJeMGoEOxH7DhPJXH+NcOLGjYfYI718D5XIKwmGjB3aw8yqKqFohWrUAuiAQPLJ1YlJCgkeAQ1Q1XvcbdXNWG7g9sX+LCPhjPe2EJAVsVBXuRH2GQ1NRjGCa4BFgEQQqq20nriTFmLyIYmyvOr80jgf4vTW2JQqwCQiDz2sEdFUBd/w4ker9TUxqYgYykyNCVNPxeCTHnf4evTrX5967BjB/9l7e/mghI4d25PihTQn448NsAptVgVgh9D+BuNnDaJPEalGoqAxzw31zSUtxcv1FfSGupKph/6hCVG8vKzbMHvEejlAgGpVs3FZC/ewknA4VUPYLTPHPdV3icAnmL9zL61N/IS3Fw82XDyA50Y6m8dvzUm0g+XVEPVA9npTG8OfsH3ezan0eVosRUI7p2oB27eqQn+tn5vsb2LaziP49mzJ8UFM0DT6btZUtO4uxWlTsVpX+vRrRpFEyoaDE7RZMn7mJ0jI/Z47piKIK/IEoH325kWVr9tKuRRYTTupQVfhutwlee28VToeFsce3IRIFu10w85ttLFy6jV5dGjFiUDOiUaj0hnn/042s2biPLu3rM/aENuiamdpisj9mIDM5InhcNhQ3dGpbl6aN0gzfH5LXpi4mwZPEyac3w1qkEo4aw28xsfk/QzkkwWkXVZ7CuJnEahPM+3k7eQWV3HVdfxAQDhk9LbdLIGrUiUXCRq/T4xEg1dgEFqABFsjPjXDs6W/w4UunM+D4HEJ51b2w37ZHogiNVRvyWbVuGZef25v0VDuRiGHFV2r81UYjhmnEbhdY4z0mATI25/ib4chY6v/Vd33BvrxSMtKT2LBlG4/eOo4ug+rw8mOLmT5zGakpCTz+8nzmTr+Y7h1zuPiWGSB1XE47W3fu4aOXJ9GyWTLSDlt3lnHqZe/hcjgYObQldes7+XTWZm575BsaN0jliZfnUe4Nc9WkbkgNFizZy6Qb3qZ540aMOq4NLg+8MWUV598wneaNMnjg2e957r7RXHpFF954di2PvTiP+jkpPPHK90Sjp3P2hHZ4K2TV8KOJiTngbHIYGJZybPDI8/PpNfhVNmzOZ92mfILF0K9HPXp1acmPi7YxavQ0LrvtS3ILfFhtxgP1nxDEdCmxOWDhsn0ce/o79B3zOp2Gv8ATr/xCSmMrZ4zuiC51Bo17m74nv8bK9QW4k+HHxfs46Zz3adn3OSZe9Sk791TicMA1d37LsWe8y1vT1zB47Dv0Ouk1Vq0u5sV3fqGoxMvL7y7m4ft+YvO2kqr7UBNFEfh9kgFDGvDYrSdgtTqMnp4GDodg2epCTpk0jZZ9nuP0Sz9iw5ZS7Amwc08F51z5Cc36PMOwU9/lzCs/pbQsWJWUUvP4gSC89ODJbPvpeqY8O57U5EwG92mCVgQXnNadld9ezcO3jABUyiqCOBww7blT2f7LNTxx5/HUSatDn24NCYWMAHr7I3Po2CqLBtlJAEQCMKhPE5bOupypz52Gx+2hsNiLsEIopHPbI9/RsU1TMtPdRkF6GB56fj4De7dg08orObZ/ax576QfCpZJRw1uz/Osref3xsVgtdorL/AjVeJNkYhLHDGQmh0F8PAwa1kthYJ9G7M4t552PV4JizCtJXWfFur3YrCovvbeI86/7BKnL/UTCRxVpZAje9uh3/LBoG2eO7kDjeqkkeuzIiJHEUlJWRqumGazZVMALb/9CfkGQE895kw1bCxk3qg0ffrmGUy6cgq5L6uck8+38tdxw3ywa5CSQme6hqMTHdz9uRVEEPy3dybufrGBPbjkWy4HvgRAQ9ekUlnjRNGNhTMUiyS3wctL5b7N45V7GjWnLN/O3MGrSu1R6I5x22XSmzlzN2ad2IhzWmPLpErz+EKry24e+lNCjUzZJmVY++HwNKYkOOrapg9+r06CBi3k/72TA2Odo3SyTAb0bEI0KenWpiz1B5Z2PVtChVSZ16tiwO+DDzzeRV+jloZuPp6wyiN1uIRqFtBQ7JWUBWvR/AqsFxp/YHqzw7FuLSU9zc+2FAygpC+KwQyAg2ZNbTq8u9dFtkj7dG1BcFiQ/P0h2loOtO0tpN+QJ6qS5GXVcayIB9jPqm5iYvw0mh4UQAqIwYWQ7HnpsKGNPaI/dqqIIcDoF/mCEcSd2ZvrMsdx25RBmL9jI3jwfdrv4TW/kaKFLmHRaNxrWS+LeyfPJLSjD6bRWLTGTnprGCy8NZ/jAVhSVBFi9uoAKbxEvPzyG+54YxC1XDGHV+l1s21nBtRd2x+lI4OFbh/Pm9FHMeGMCgwc0YOrzE7BYrLz11FhWr7+U4cc3JhQ8uPHf4lFI9DgQQuBx2VBTBWs3FJGbv49n7j2Z+x4fyN3XHcvWHQXMnrODJav28H+XDOKOh/oxd/o5zP/oErIzEohEf1vHJqXRMwqUSaZ9tprjBjZHdWC8L1Ghf88GfPLqeezcW8b7n6zB5oBIRFKwK8w38zczfFALFJshWH7i5QWs25zH06//RGFxOedf/wnE5uEa1U/kq3fPIcHj4Nk3F4IOj7/0I+s25fHqlEVs3ZXHVXd+jd0msFpUvL4wikNQ4Q2jCoHLbgEV2rZM58u3zyMc0Xnp3cVYD1BkbvLfxpwjMzkilFeGSCy04vOHkVKiKLAvz09ZRYAfftnO51O28PnsdaSlJOLxWA3B7j9gaFEIgR6FtZsKOG5AG7r2yOLKGz7njke/4/Qz27BtVwnBUJjNy8rILaikojKAx2MD3Dz9xk/oll5M+WQZKcmJZKS7+GTWZgLBEOs25jP3g0TatcgmNdmK1x8mHA7z/oxVbN5ZyKJl+7jvxqEkum2/uRdCwKIFecxfuB1NizLzu/X0rWxA40bJqKqH59/+mcRUK29/tASnw0HnjplkZyby/ozlDOzbkE1bili+Jo+WTeqQmGCrWgYmjq5LEhIU5i7Yw7ZduRw/+ATQDWv95BeXUDfLQ0Z6Iv6An7wir7FytFswdeYGKip9HNuvOVrQmBO89YoBrFqfy9yfd6BL6NwuG0cCvDt9HRXeAIOOaUKFN8yevAqIwlN3Hc/6rQV8PW8LFlWlY+ts7AnQr2cjpny6ghHDm/POh0vp0r4uqfWsvPzqSiwW6NahHhWVQfblV5o2LpPfYPbITI4IKckO7HVU7FYLUU3H5oCfl+4mFA6Tmuzi1Ekfkl9YySuPjCI91U44sv/D9ehh1FKtXJvLm9MX8fLrS0nwuLjtqkGU79NYumYfLofCS+8spbjUx968EjRd8uaTE/hp8Q5OPvMdoprG1GdPxWG3cvtjs8lMd/P69CVcefssgsEImi7IyfRw/qndee+Tpdx037f4/GHsVsVY7yx2G4yMSCPh5Mb7vuG1ab9QLzuFmx78nMmvLKJl+2Refmgs6zblc/IZ71BU4uXtp8bRtGkibz5xCjarYNTEd7nnyTlYLQoulxrLcjzAfVbgm/lbaFgvk+4d6xHyS6xWWLU+j7Ovns6w015lQK9mTDq1KwG/RCjw7fwtdGpbn9bNUwmFjVqwE05uQoOcFLbtLCAjzc2WHSVggd37yrjxvi/pdNyzZKW7ueuawYT9cOqZrbFbreQXlZGU4GD77lJ0HR6+5Tga1kti7DnvkJOVwBN3jgANtu0q5vLbPqP7Cc/TpnkGN1zcl4j34D1Zk/8mptnD5E9TbfZYz/y3P+fW62/gnSmr8QfDPPD0D2Sme1j05SS8ldJIprAqFJUE8LjtJCUoBAL8o95VCwFeXxhdl+QXeamT5iarjiNWv2Vcg9WiEI0aRVSqquByQXm5TlllgDqpbpwOY10wqC4oVhRRtcK0qhqvktIgDoeVpCSVYMCwchw4cdFYqFQSq2mLPbhdTqj0SkrKfKSnenC7wOcDl8vIUiwq8ZGS6MKTKIiEqs0jVceN/U/TobwiBEBykr3KwGK3wb78AF5fmMb1k1AUCEeM75WWB7FaFTwuW9Xcnq5LorGCZUWI2L+3isMOxaURCoq91M9Owu1WCAaN5BotqleVK0jAqirYbRCKwL78cupmJGG3QygEDicUFIUpKfPRMCcFh/3oGWAOhmn2qB1Ms4fJ34aUEhSYu2Ab38zfSrNGqdx/47GGUgmwWhR0HTLSneg6+Py1u97YoSAlJHpsICA91U60hsFDVQUqRj2YxSIQCHQJXq/Ebleo63Qb+8euyyhqVqqsH/FAommGuSI5yYGUMYOHcvA1lBXFCF41ZBrGz/kkFougbqaHqGZ8rSgCn1+iKoLMOm7CEYmmS557ewkfz1qNzWoML6qKIBQJ0bNTIx64aQjJifZYjVu1+ioQNP6tsuo4CUcgqskqq0h6igNd7l/7pygCu6pWW06oPk5igpXU5BTCEarWmVOFwGI/wP5hiSoEjeolEYkaxhNFEQQCkJpkIz3VRiQCgZA8oLvS5L+NGchMDgOBajF+hZ5/8GSCIR2PS0FVjN6JqCGyjUSp6qX84xAQjT2co1Gqeguwf1ZhzZrjeE8r3qOqMpvEdvj1MIdQACmqFt9UFMF+T/NfUfNc8Y8CY2VtKY1eUtwEQtwIgnGfwQicXdrXxWG3YFHVWLmDIKpFqZ+dXNV2ZLxtsXOI2DHiDklFVNWmRbTqfWo26je12LFLi2o1jCVq9XEOtH+8eDwU3n9/ET9v/Dj/1CAm/ndWsv43YgYyk7+MrutUlpcTrAxQURbF5XQSCgBCQanxcIR/1Ejib5E12vcnG3rIu8cDxQG2HerP6wroAiy/TpT59X0WAhGA/t1y6N8nZ//zCAzVk9+YjztQO0TNhtaIplWnrLn/ga6h5rUe4DgH2z/W9INc0wF+7h+CAIQO0WjUDGZHCYs5QWbyZ5FAWIeszGzywkXc+ty9RCOSyvJySkuKCQb8/KOfPP9zSHSh4AqF8ASDFCQloUidg8yuoUiVfbbduKMJeKJJaGj77SmE+Gf2jP9HMYTYGsKiIISCLnWzXPtvIK6U/vXXErNHZvIXEEIQ0SAlNYXJLz9HBOOXaePGLSz7ZSHFRYXmO9MjiJCSiM1G3V27aLJpIz8OHYY1HEYeaJ0zdBJEIvdX3kRf+2AG2I6lUlagmAnKfysCgc1qxZOQgNvtqZI/m9QOZiAz+UsIjIy1yoiOEEaSQ3ZWXbp060EwEPhnpZX9jyOkRHc48WxcT7JqQR00DCUYOHAgkzopjjRe/vZJ2jTuyMBmx1EaLEKpKYY0OaLEpwx1XSchMYnMunWPdpP+c5iBzOQwEChq9QPS5XbRpFnz6vWsTI4Muo50WLFGwth37cLTugUidGDjsCY10h02bD/YyMypS5s29SkKZKAq5p/6340EVFWtygA1qT3M326TI4ax8KJAVc13/0cUIZBKLK1fMRJphKoeMJBJXaKK6rXTVCFRVBVFMf9NagsziNU+ZiAzMfnXUR3gJAIZ+8/k7+fglYEmfydmIDOpXeIVwvGJBfPv/o+J97yMwq5D/BGjeFsBFJR/bv2VickhYvxOG28Wfv2GwQxkJrWKtAlEPM0RDlxXZLI/MhbxNQ0RCh7Sj0S0cFU/TCLN4S6T/3mkNH6fdakTldH9QpkZyExqB10HKzg/noll6VJkUpKxRLTZJftjpERarai5+4h061617WCZoVGgVZ123Pr5FTz8/S1EdA3zPpv8G7AIhdLKEuonNSIkIf57LXJNabBJbaCCVCDhrnsJnnIKWk4Wwhc20/T/DEKgZ2X8tjL0VygCKkOV7CnbhYZWa80zMfm7kRJcNheNkpvuV6tq9shM/n4EiHIvakmJ0TOLamC1odVPPdot+59DRP54H11CoiOBzjlt//4GmZjUMrqEYHT/bWaPzOTvRdOQDpXEm27B+fqrxm8hkkiXbpR+NtNYH0QKs2d2qBzifTLmxcw/bZN/J8qvkp7MHplJrRDp0RP3ww8ST1eMduqEdFgRQQ1UU590pBEIUxNm8p/B7JGZ/P0ogKaT1q0z1jWrkQkJFP2yjGirpoiQbvTKTExMTP4if6pHFo1G/3gnE5NfExte9J52Bgm3/B/BgYMINm5oJHsoYv+VGk1MDgFhGmRMavCnemTJVoitxXdQlNjr94gnXcX3+6NjikM4psk/H7Xch6VBXfjgY4LHDjETwk3+MlGgImIWFZgYHFKPTAjDdD752Rex26JYrWqs2DJWYV21kJ7AH4zg9/1eapWOVVVRhSAYW5bXo4JFMXQ6KMYJhTC+VhQIRSX+kPmu/X8aASgq7oQEArO/Q1uzEhE9eC2UicmBEIqC1HXqN2rE6DFjCER1FHNo+j/PIQUyiwq5BcVsXrmURg3GsHdvOVbFiiKjQASpSqQq0bQIXTo15Ph+9dB1+ZvF+6TUUVQne8oqKA9FaVPHDcD8MigIRLHpOnpIR4Y1Y+35iCQcitI0x063Ju6q5dpN/keREn3CKSjlFaCZ9U0mfwEBoWCQZ15+ldHjxkDEnOI3AcuhKoIEOumZDQn4GnPpJRpFIkSZ4iEazSC0Q6WeTxLdvYcfdxZz/qT2Bz1OOLiJjxbaSU5uwrC2qSQr8NxuWFUGcluQSIkfrTRAuCyE8Eco2BBk4phszjk548hcscnRJ+doN8Dkf53Mzz6PqTqFqTkzOfRkDyEEfp+fxlka7dvN4Xt1F2vpjCLHoa+z0X43NPp/9s46TIora+O/W9Xe4wMM7u5OsODukJAESQJRiLu7e7Jx4kbchbgAgQQJBHeHYRifnvauqu+P0z0zsCSB7JLd/dLv8zT0VFfdunW7+r51zj3nPfn7+MldHs9fMVGHFPMzShdDwRNkbG5P2wGn4bVMogY0Kw8zK8OB3knDZvcQjbnRlUVMQSRosnBVKZZlYZgWerJEexJJ/K0RCYfwl/spLw/jsDv+091J4r8ARxW1qDSNSCiGeWApa3PW8LmyoReNxljsoMmvFhl5+4iOCqOU4sABgxUrynDYo4QjLprVWkKT2m+Tt8hOo90l2POKoX4mut2OK2wSCUKTxg7ufSJGwAhRU/ey3/RDzE6NRrZ4FWKVXFJJIom/Oex2O6XFxSz7+WdatGxFtZzqWGaylMLfGbYjscorpN2UQkVD4PuFXdU3sFTVR4XDWOsN9v6sUR7JJzJYWvxiXjFLVpSRXd9JavhbmqR8SOGPmXyzrhGbaw1j5as/c3uWh/at6mGEY6zcE6BO3VR6DYjxxS92zjtPcc2jbnq1VhiWBHokSSyJJJLQdBslJcVsWLuGzKwsMrKzkwEff3McsUVmWRZK14mUF7Lu10J2FZlEtHzIXwGFGeyKOPmJtURpAYDHY1CnTQo/blrJa7O+wbW1GmfcaePdQGda1yhh6ISaWHFBU5tpsmanj6VLUuhYS+PWA++z5epCptiKCHo7s7NBL5LFq5JIIokEjFiMSCQsyxjJNbK/PY7CtWihazo+Xwk/LA2xZ5uO0stQZT9jlXnZpTkIWOtJUc0A0PQou/ZpNCt/nf0fbuKqVwbwia8Pum8/e4KplPgMNF0sLd0wGN0jiznPKZYcsNNP205eyVJ2FRVglKeS1qLfsbj2JJJI4n8YyQjmJBI4cosMEWrcV5DLpi2lbHOBpbZghT6DAw42mDZibGRQeBixWAx/JERONY3Fqzswe+dwdmfVp5XHR5kjjerpadhdxYQiQWKxGLv3BjhhTAonnRKgU3eIRC+neqlBtm6hE+XLhQeI9aiHYSZl+ZJIIgmSgshJHIQjJjIjZpGZ7iIvpRF7dp+Cp8SgTsQE0wlZFka2RTDmpGGjxthsNmrXyeGXNVsZNeFEyiLl2FU5MdKJmWFcnhirtu6hYYOh2Gw2Bnapz6sLQ2Sn6ny71EQRQddBQ1Ee1BjWpxE2W1LhOIkkkhDYbLYkmSVRgSPiBtMCt8fL8mU/0aGdRp0G3bBpOhoWKBNUvBIHJkpbyaOPriMaNbD8ZWxaGpVKHZgoJftblkktp43XX3gBpRQeh4bDtCg5jH6spmD5HsXC/7Cyh2VZFUnef5VLI/FD/VfPJyXCrX8qffBHMCwDTWmSq3NIW0qpg7YnkcRfAaUUlmVx4MABHHZHksySAI5UogowrChZrhzGHdefYMBAVTDOwQmJhgmmYaKU4vjmtkQh6op9pUK7wjQtwpEIYGGYvx+RaFn/WZeiZYGmKVI8DsoDEUzT+tMRlJYlcl8Amv77VKDrGpYFhmkeFWUYpoVWIfMFutJRKAyrUvTZAkzrn9U1tHjun0KRak8lEAsQs2IV59eVraItU0TFfvtaAdOIX6uWTJ1I4t8BKQP0rv0jDMtIPkolARyF1mI0GqVWzVp06N6ZWAkcJDxdtS6iVbktgcRDk1IHvyfxOpKHqn/3HZtQKj60H1XLyCe2axAOwLJVhXTrnI3DHT/+aPtkISPujh9bXqWdw/SnrFTG2evl4KBN65A2tUM+8wARRFlVQTAKYSNMhtNZeZwC7IfpX5zrTBN+yv+F9pkdSHHoFef3Ry2CRoBMh/fgh4vDfYcakBL/LFjZnySS+NOI34fe57wYpkHyhkoCjlLZIxKJQNDCNA92d1kWBEMmFhZul47dDpEIhEIGNpuG0yH7RqJgt4HSIBwWV91feh/GNWoNw8Lh0HG5wIiBP2igKYUFuJ0aNgdgQjQKwaBBWqrG+s2F9JnwMMvnXUT7VtkEgxbqaFRGLLDZIDfPz+c/bARL4+Rx7XA6dKIxGTeHAyJhAIMt28sYPGUOx/doyhtPTCISlfHUdQ2nU2Ea0p5S4PeZwiOWWIoLvtlFyybZ5FT3EjMMJnw/mu3l21g0Yjk1Pen4oyaBWJBP93xEeaycQMwPQI47h2G1R5HtTKEwUk7v97vw8aAvGVlnEBETdpTvZtz3wyn1lfBInyc5sdFYfBEDhcKubLht4ob2xwx0TREMxXjrhTVgWQzt14w6NVOIJcksiX8RCjBNM+naTqICRxU/oesaPp/B1u3FKKVVWFgOh07TBhnYbLBlRxn78nzUq51O4wYplJQabN1RioVFjWopFBYFiBkm9euk43La+Etd3PH+pqXBvv0h1m7Ko0Z2Cu1aZhOOCMlu2lbMjj0lpKe6qJbloX69dHx+g0AwyoM3jSOnWgqmoaFpR5egbVgWLo9i4dJdzL72Xa6cPTS+ZqWRngbbdpSzZUch9euk06JJBg2bpdGsUU02biti9z4fsZiiUf0UfH6LDZuL8HqdlPqCRCIGHVvnYAEOOygbnHnF+zx++xjGn9gMinWG1BnO9SuvZF3ZWnYGXLTJaEeYANeuvIzc8lz61OpDcbiUtYWrWTh6GTnuLuwN7OGB7o/SIr0VhqVhYFLHW5N7Oj/IpG/HUBwtQtM1wCDVbqMoHGBRwQrS7Gl0ymqHpSCkNHbsLuHeJ7/h+ftPZsa0dviKTfRk8moS/wKS9JXEoTjyqEXDwutx8OmXu5l5xQu4XSmEI1LSRQHfvX0mX83fwq0PfUk0quNwmtx//Rh6dqlPz/GPY9Md3HXNUO57cgG5B0r48rUz6d29Nv7AX6efaJoWHq/i46+2cuUdn6EpGz6/n5PGdOK+2wbx8ty1XHLzx7RrUYu1m3Np37oO33w8neWLi5g8ay7hiEmLxtUYMagR4YiJHvetGaasFR2q9n84WEC1zGxuu2wApgV2B8x5bSX3P/UDdpsDfyDABTP7cNnVPWjVrAavvPMTXUY+TSQS4urzBjNlfHtGzXiFSDhMOALFpT6mTujKU3ePZv3mYoKhKJqm2LitgBU/p9A0pxrtstqhxXSmzD+BPF8u13a+mTt63sTURqfzxb7PuKLtNawrWccvGb+Q5cwmP1zOyfPHUxAoIMuRRbNmUwiEDVLsTgbUHITX6a0Qa/XYdBblL+Xcn84kakUJRgIMrTuCh7o+SlqqjZsuGchL76xIzj5JJJHEMcMRPxprmiIUjjGoTz2UcjDr1B5kZXg44+Su1M5J49m5y7junq8YN6wdKxedw8BezZl93ftkpDm54PTehCMxRg1sgWVZnHZiV47rXotA8K8jMStxDSGTS276jNKyCOfPOI6mDWpw/9OfsWFdCXtzSykqKaRD61qcdkIXzjqlG0Y5tGicxXP3TaKgyE8gGMWqsiCkFKSmKLwedcTWZcwwKCoNY7PB/rwgF934KR63i4vO6Inb5eLy2z6hZEcUwzSJxOCFB8dx4qiOXHP3hwRDUcYPbUVBkZ+PX5zGgzeO4bX3F/HZt1u49NZ5jDztefLy/dz56A8MPvk5Fi3PB1uMaCTC4z3mMKPlWby49VmMkIFDd7CucA3jPh/F53s/462Bc6nvrY/X5ub1498jYJZTEinBiCuwxEyTkkgxpmViWhYGBqaluPqXK9hevpXZLS6iR43jeHb5U3yz/xtsOhSW+onFkrXkkkgiiWOHo/LxGIZJ9Wo2UlPcdG1Xh4w0Nx1a1aRWjRTKAxEM02JAzya06JLNwN5NiMUCFBQFuPzcvnjcdi65+RMM0+Lq2f3QrL+4/IIlof3BgEFxWZDMDDeFxQF6dqnP2VMHomsa44a2YuZJ/Vi2dg8vv7uMF95cjq8sRkoNne4d6+F2O0hLcaKlSwSeBkSiBp98vY0fftqD3cYRk5mmFLoGpWVhQuEoaSlOCooDjB3aklnTe+Pw6DjtOjnVMhh1ajNOGN0OMNifX05WupvUFC+9u9emS/s6gEU0avD1W9NZ/93l5FT38sgto9iz7BqG9auNGdFxeV1MajSa9pmdAAvdLpGMbau357MR3zKt8QxiMakw4LXrdK3WlnRHBin2VHSn7Ou0a2S5qmHX7KTYUtCdOhHTIC+US3VnDiWRIlqmt+HsTrOp6aqFaZJ0IyaRRBLHHEc8y1iWidtl55sFeeTl7+LV91dyoKCcl99ZwYathezJLaVTm1qcf8P7nDL+PS6++SN6d21Nw7ppZFe3c/LY9rz3+decOKotDRt5CQTMI3LF/bugFERjFtnV7Ewc0Zot2w9QUORn8/YCvl+8g8xMF3PmLuWrBes45YR25FTLYMnKPWA3eejhJYyZ8TzBoI9Lb/2Eyy/7mljMwumFFWtzGXP6k3zz4zYcHlmEPhJYFoQj0LRRBoP7NmX9llxKy4KsWp/Lus0H2LunnPfmrWXv/n0M7z+X0y95i9o51WjXujoxw6S4tJDW/Z5k9Gkv0rRhPQb0aogRhax0J+lpLjIz3Lg9OmHL5NVtLxIqDfHQmsd5c8er7Cveyxub3ueLfZ/xa+4K9gf3cWaL6fijUbwOnec3v8qQz4aR78/nzlU3c+Z352Jh8cKmuYz7ajgl/mJu/fV6zvpmFm7dxrTGp7PDt409/t3s8u/gq7zPMS2zYlE+iSSSSOJY4iiCPST3KzVN4/zT+9OwXm26tKstVlivRjidNk4c1ZZ/PL+YDVsPcPV5/TnvtJ54PQ4iAbj4zF4oZXHutO5Ew0e2nvTvhqYUwQA8fPMoWjWrztcLtpCV4eWWSweSlmmna/u6FBSV8N23O+nQpiYP3zyKtHQHdrtOs8bZdO/UiDKfnxSvE6UplA6ff7eJtNQMLpjRnUjwyK5L0zQyMxxYpoS5v/H4STzy3I8s/XUPdWpmMGVce9wOO+OGtqZB3Z6s3pDHkOObceGM3mTVdxAMxWjSoA6zT+/KgYIAp53QmZzqHoJBC11XvP/MVLIy3ATLwbQUnbK6ULNDLTIcmQypPYJumT2wa3ZG1RnLcem9AIjETJSkuOPW3dTx1OXidlfgj5SL9aV03LqL+t4GXNz+CsojPtLsaYQMg6vbXkNNVy0+3vU+HkcKN7a/hVbpbTAsyEr3Jq2yJJJI4phC7Qv/sTPMbod9+w8w9+7HuPumWyUfKHGUVvk+4gdHIm9IQdiHhFvH23C4JR8rFvvPl2TxpCMBCDoQhoAPnE7QPcj1aUAU/H7wZgBOwIhvN6C80CIlRdH/hJfo060ht9/Qj7JCC5t++AszTIvUNMWr76xj+oWvcdXswVx9Xl8cdhuaAld6fEcdCIi15kyPnzORZ6bB99/t5qTZr3GgKMwV5/bh3msHETMgFLIqSNRuB8MQkgTwOCr7XZFzlnivyfX6I6KiYlrgdSCPOPFzYkEgBB4bknt2yHaL+DGqsu2wAf5glHueWMC9T37HCw9M5vQp7fCVVAbJ/B4S65D/iyHWh1NESeLfBwVMPH8sxw0bSN9+g2jRuk08gjaJvyuOrrCmUpgBi5KSKE6HI56TZcbVOuLBFIVWRVi+XkXOKRq1CIf/Womn30NZkbi+Ekojuq4IhS2MoKhiWJbIMGmawlcswQ2JrGmlFDZdIxiE5++fRFamm2Apv0liICQRCUGfbvV59LbxWJYwiqaE5MoKrYr+JMYoWiCTeUIey+PVcLsdTD+hC5rSSHE7KSyO4nbZDrIEgyHzoLEvCUWwLBObZhdFDsvCptkq2taUhq50ef5QUB4xMKpIgimlsCkbgRiYURMjrgiS2K4AX1i2WViSV6bLulrDupk8cecE+vdsFLdY45GeVVRFDp30TcvEHt8vZlkVsli/tf/h8K+SiYWFGa+DJ2NjVbhLtUMqnx+KVLtO2IBYlTRJwzLQ0P7p3k+c42jlww6Faco4/bf8vpJI4q/EUevwaprCYdcJhqKEwgbpqQ7sdq0iyEHX5Kle1/45aVp00v7z1hgIyVYlYJD+afEYlASJQZxYLFWh85bov2VB/TopRGN/HOShlCIahXq1Ujj/wm6gQ2g/cXkuCfyw4gEpiUrYvnIJpXe7bShNEQkrurbPoUe3IfEOgN/HP41pWopGOCKWr65BhtMBFgQNSLXJJGyZ4I+Z4iJFySRd0YhCP2SyVgr8UT+mZZJiT8G0DtZu1JQmY4NCUxqmCU6XjVkzO4EFoSCEoya60rCwSLXrFVZdMCpGnpwZvDaNA6EyNKWRZk/BaVMHqa+EY0ISYFU8cMj3UakBmWrXiZgQNayD78P4MYk+J5AglAScuoY9Ll8TiIJTU9h0UTgJxsCoMl5Vz2taJvPzltEsrTlZjgwMS6g91a4TMyFcpT8WkGLXMEwI/W4/5eIP7WPV/qekirxOLCzW/H/DbyyJJP4qHBWRmZYFTti2tojJs94mGPLx+O0nMmpYY8pLRTDR5VTY7aKKUWGBAR63QrOBEYVQ2PqPPjWapoXdrnA6RdkjGLLiEzq4XAqbHSwDAkGZEJxOFZfpArtNFEAiEWkrHBFL7Y8uxwJsdti738/X72zGsjROGNUGh10nFrNk3BzSrlIWW7eXMuLU5+jboykvPzyOSBQiEYtQWGGLuw1tOnjcEAhaWFbCWoTvF+2lScMsqmW7CUUjfLTncwCG1RrOp3u+xBcuo0VGK3rldCZiCJl6bBrR+Dxpi2tAWghJ2hTsChQw+ptBVHPV4MvBX2GhCBumkJYlSc5um8K0IBAzUUrDDkTLIRQzcdk0nDaNoGHh0hTz9n7LD/u/o1VGa05ocCI2ZcOwLHSlmLnoLL7f9w2pzjRe6/sOucG97PHvIWgGyHHVpF9Of9LtqfIAoBRRUyxeXSliFgRjUR5a9zQDaw6ldUazg/pp0zRcVfqpxYnVpWvYtMqHgm2+XBbmzUdpivH1JrChbCdL85aQ4c5gSO1heONWF4DLpggZwrMxy6D/F8fxxvHvM7nROMrCcu2Prp9Dh8yO9K7ZnUBUrEWHZvHs5tdo4G3AgFp9CcYMdKXHHxIUXrs8bAUM0U1z61qFoplNg0Dcba8UvPPxJkp9fo7r3IhmjTKIRpNklsTfB0flz1BKQQTq1krnugv6sWtvOYXFflRcmig1RbFvv5/5P+1l734/KV6ZEE3LYt3mYr5dsJutu8pEsuo/JFptWZDiVZT6Iiz8eR+btpfg9Sh0eaBl+64yvlu4h1XrC7HbAQt27fWxZXspZeURtu0qY9ce30FjciQThmlaOF0w/+ednHH5m6zddADLkv6kpir25wdY8NNedu/zYdMV9RqlULtmFqs3HiCvIMCBgiApKWIR7txTSmFxkC07S1i1vhCHQ2Gzgdul8HgU0y9+m6Wr9uKupgiZAa5fcRUnfTGeN3a8zuMbHmbmV9N4Z9eb7ArsZo8/l6gVY13pFooipZRF/Wzx7WJj2Q62lO1iU9l2tpXvo443m3YZHVhXupoD4WL2BQ7gscnt47FphI0Iiw78wpqSTbhtQgoHQoVs9G3FYdPYE9zPr8Ub8NgU96y9j5FfDOLdnW9x+oIpTFt4MoYVw6Urvt7/DS9ueJYzWpzDw90eJtOZzg0rruaM76fx+IaHmbbgREZ8PYjymJ/cQB5rSjdTHCklN5jPmpLNBGIBAC5bdiFLChZjdypsmngMUuwa5bEACw8sY0PpNrw2TR5eNMVO/z6+27+IJYWr2BfIZYtvA6d9fzKXLT0ffyzAjwcWMPPbqdy1+lbKoz7WlmzCHwsSMsIsLVhNIBYEYF9gH/d2eZi2Ge2JxsCu6diU4tZV1/NF7jx0h8KuiYiA3a5xx+qbeGfXm9gcCoeuY1ngtiksLH7KX8mKonXYNYVdU2wr38PeQB67A7n8UrQ+7uaUn9KuvcWcfeX7vPj2chzeZLRoEn8v2I6ETxI6ugrAhNQUByMHNsfj9gi5meB1azz96koefmY+pqVjGFGuvWAQM2e04657F/Pi20txO13szStlzj0TGDuyGYEyibL7q2CaFh6P4osfdnDF7Z8RjliEwyGmTerK7df34533NnH9fZ/jdbvZvruA6y4YyFnTuzL+jNdYuymX6y8czINzFtK4fhY/vHMGLpcNw7Aq3IpHErFoWhbZmVncdfVgrLiyx0tvr+Gex7/FMHVisQiXnHU851/ahfYta/LKez/TcehTRGNhrr9wCBNHtmbYtJcwjCj+gElRiY+ZJ/Xg0dtGsG1nKaGIPKbv2FXM+pUFNMzO4vyWF3FR3mye2vgPHuvxDONKhjO27ni6fdSdvjnHc1Wb6+n7cTcu73QNjVOacNFPs3E7XUSMCEppOHGyZOwv9Kjei/e2vU2PTztQFi7jjObncH+3e1hWsIJZP51FWbSMSCzCqHrjeKznw9z467XM3fIyw+qNZEnBYvaX5/LGgPe5Z83tDK8/knmjPuWhlY9x6fwLWNpyORZw2g8nY3fYeXHTc/hjfgY26s+MpmexoWw98wZ9y9W/XM5b2+cSMIKcsuAElu7/mas73cjGsnW8tfl1rut8CyuLl6MsxW2rbuQf6x7iug43MbnpBL7e8wOXLb2YkBkiFA1ycuOp3NPtDt7b8SmzF59Jk7SmbCnZRNOMFvw4cT596/Wna3Y3zlp8Gn2q96Nd3Q5c0+5GVhWtYuxXQ+ld63j8Rjk/717MVd2u54b2NzDp+1Ec8OeRYk+ldWYj/OEIp/14GmXhMl7c8iwfbfuAc9vM5rzWZzP9hxnklu/jw13v8eObC5nSbDpXdbicTcVbOXvxGewP7iMcC9O/5iDu6XI/UxZMYo9vNw67k12lO7ivx8Nc1uYiyqMml17Yg1ffW1VRWeHvhKo630n8PfGnVpijMYuikgCmaWKYFobNZOdeH+dd+xFpqR6uOLcPhgFnXfk+JXlRenapT//jmjB8QHMKiwN88s1GdEdlZNpfgYSyRzhicuENn3KgMMClZ/emUf3q3PGPj1nxSwGd29VkQM8mDO/fDJfLwesfrsKbovHknWPp1KYOb3y8hM7tavPcg+NwOHRMM17exXt0yh6GYVJSGsamw4EDIWZf8xF2u4Mrzu2D3e7gghs+oHRnjJhpEgqbPHr7CEYOaMUlt7xHKBRj5MDm7N1fyltPncRdVw/n+TcX8Nm3W5h17cf0P/Fp9ueXc9OD39Br3BMsWJpHWCsnJ70WhZEi7l19O0opGqQ0YkCtQWwr30KHnFY0zmrKjvLtDK41FEOLcU6zC7BrDs5tfj5RFWVp/i+YmITNMNe1v5lZLc/noZX38m3uQm799RbWlazlolZX0KNGT55c+g++3rOAa9teh91mY0PpOp7p+TwfDP4QXemUR8oZXmc0MSPKgJzB2JSNVSUraFO9OVOanIqFxbktz2dU3dFYEYmYKAuV0vnTNry59TXaZ3Ug05HGVW2vI2pGOT6nH1mObBplNubsFmcwsOYQHJqT46r3Ylqzk2mR3pKoYXLx0gvZE9jFJa2vpGVma+5dcierCjezo3wbecX76V6tJ6c1O4OZzc4GAxp5G/Hlvs9ZUvATb+6cyz7/XtLsafSs2ZV+dQfyw/7vOKPZ2bw34iPG1p2Arum81PsNyi0/+aEDGBjo6AyvPQqvzUu7zPZMbX4SHbI6ETFgZJ3hZDgzaZbWgmnNTqZrdjd0DW5bdSsLc3/gnObnMaLuaF5Z9QJf5n7FtMans9+XyyPdnmBwvWG8vPUFDNNEQxH1WURj/1yWJ4kk/g44eiKzwJOqqJbpxWbTSPU60LM1CosDGGaUFK+Tvft9jBvWmgtm9MTni3HHP75n+eo91M5Jo16tFLxuO+hHroLxb0E8AMXvN8gv8pOd6WHf/jK6dajLmaf0I8Xt4KFnFvHptxvIzvTQoE4abrcD3aboPag2Q45vzqat++nQqiZd+9SML+5DNGby1YJd/LhsHzbbkT8ZSqQkFJUGCYQipKW62Lu/jFEDm3PWlJ7YXRpOu06tGpmccHYrpp/QGYiRe8BHjWwvGWkpDBpQn+OPawyYhMIxvnxjGmu+vpSa1VN46KZR7PjpaoYeX4twyKRVVivu6/IwH237AH+snBRbKjVcNYhZMRwOGw6bE4/NQ/2UGlRzVad79ePIcmbTq0YfspxZpDlScWkuUt1pnNt6JrNbXoRSilXFv5IfzqOGsyZ5oVyapjZjZsezqOaqRtOM+njtKVzZ5jpGtx7OuEZj6ZjZGdMyWVOyCpvLzibfRmLEyLBnUT09kxManoRN2bmg1YX0qdsdZSlcupsMdwbrxm3jg8Hz+PXASp7eNIexTYfTrVYP7lx1K1/lfs5VbW+gfkYdzml2HrqucUKDk7mq19W0TGtFIBylMJxPNWcNcgN76ZjViTPan4NN2RhddwKntzuTH/N/4MXNzzF3+8uEwyYt09uwLncN57W8GI/NQ1GokDqeuqSmeMhx1+T4Wv05q8vpTGg8huOqdcal63St2ZZqrmqkxhVRbJrOzObTSHdl0r/mIK7uew3dsrsRihmc0vwkst3V6FatB1f3vYbjc/oRi1rsC+why5lFYbiA6q4azOhwFi3SmlHLXZuM1AzGNxtB56yu2DQbNl3DQv1H8jKTSOK/BUdFZKZlgQuefvEXTjl/LuV+H7c+/A2XnfM1rZtVp3vHBmzcth8sk83b89m4NZ+YEWPh0p2EIybRmMH+/BDvfLaWvdv8uJzqL6vwqhREYhbVqtkZO6QFW3fkE47E2JdXypKV+9B0WLx8N6VlITTdIq8gyMIlW1mydB9nnfMpdz/+GTNP6sejL37LwOGvUO4P40qBlWtzGTrlceZ9txmnR4qKHgkSyh7NGmVw/HGN2LQtD9M02bqzgM3bC8nd5+ejr9azJ3cf44e/xRmXv0ON7CzatKxGzDBFE7L/HEaf9gIN6tSmf88G6EqjZnUPXo+Dallu0rMcFEV9fLrnY77f9S1hI0yPOr0IlgUBi/rehqzOW8XYzybw6/5fmJ/3Hf9Y/xS7i3bx/q632V6+jTd3iCUyZ9MTvL/7HcpKShkybzgjvx6Ew+5gdN1RjK4zjl3+HZSESygMFzC/4HsiZoQbf7mdvJL93L3mNk6bdwabi/bSOL0OU5uexrPrnuK0L2Zy7qKZNKveglH1h/PT9mVc8vN5hMJBRn05lOfWvoJpwRvbX6XEV8IVyy/m7jW3YVkWNVw1MAyDq9pcz3e7vsauOTi54UmEgiYBo5xUeyqXLb2Aoe8Op+WHDYlYYU5scDJbSzcTjAXYH9jPgvwfyHRm8vK25/h+zzec0fwMGqQ1YEHeD0SNKNVc1bEsixMaTKZbdncsw6KmuxYfbJzHB9vfYXH+j0z+4BQ+3P45pt3kje3vMX7eJPaU7ebR9Q8y+4cLKAwXETYMMh2Z3LXyVka9O5bG79djdfFKjJhBtiObJ9Y9wrj3J9Lw7VosL/yVGU3PoChYREEoH1+0jAX5P1AcLmbu9pcpKS1hzpqX+GTPB6zIX86ivOW4bBAzks61JP6+OOrwexRYpkV6mpNzp/WlzB8gGjFw2DXef2Yq9z45n+9+2kaDOplMHt2OOnVTeevJk3n+zaX8vGI3t14xiM3bCgmHrHhY8V/3A9SUIhiEf9w2huaNs/l64RayMlK49Kxe1K6dwhN3jOGRFxbx5Q/bOHdaNzZtKyAYtKhZI4WzTunHhOGtcTl1whGDaMxC2eCL7zfj9aRy/ulHruyh6xpZGQ5MEyxT8daTJ3P/0wuY//N2auekc87UjthtOgN7NaFBvS6sXp9Hj071ueTMPlRr6CQUMmhcvw7TT2xH3oFAXLjZSyBooemK9+ZMoVq2l5APoqaib87xtPa0waU5eaDbozzhfQSFYlrjU9lYup5yw8eNXW6lOFqMTbNzZstzaZ3RhvNbXkSOqyZ13HXRlEbMitKxe0f2Bffh1bzc3+1hmqc15LI2V5HhyODDXe/jsXu4tPWVNE9rwSd7PuDMVucSIoRpmrh0FzEDnuj+DC1TW/HNvq84ocHJXNH2KjKdaYSMGC3SW9GtRg9KAsVoSkLTO2V2pp67PqWxEhp4G3LWgFlMqn8iuqHoU+N40lLSuLjV5aS73JSGYmQ4Unm258u8uPk5dF3ntk53k2rzclfn+6nrrscXe+eR7kznitbXkOVOpVVaGzpndePTXZ/TwNOYGzvcjsfhpFNmF67ofi0t0hpzYsNTSLWn4bU5CRoBJtU/CbvdTnGwCKfmAiUBJQ7NwTmtzsMf9YvbTylsms7D3R7niQ2PErUiXN/uJlqlt8YydR7o+g8eWf8A/pif6zrcSJOUZnTL7ohlWby+7TU0XWNW8/Non9WJVultqNE6Bw3FkNojOC67dzy/EZzpCpvt9/Pbkkji/yvU3qNQ9njjnse564pb4gkwVKpDWOAvkEKPzlT5Gx0Igj8Qr3Bsi28z5X2kVAptKv76MGGlwJ1GZcXmiCh7uFygOav0UwfTD5pbrtMKgPIACgKF4PHA8RNfpGeXBtxzy4AjUvZ45e21nHrRXG64eBiXndULu92GpoEr0Z/4uEUi4MhAxjixmq3Bgvl7OWnWa+QVhrj2gn7cdnk/DENSCBIk6nBIDplhiDvVlVDdiEHMlO8pGFfycNo5uMSKWeX6E88Zh16SVblveVQeSDyOxOBSkRvmdlQ5VkE4JPlfGvHP4tcUi0oeldemUPGiphWKI1HwOqu0TeV1PLP5WZ7e+AS/7l/BpV2u4oEud+GLmmhKx5u43+JKI4GoHOqp2idT+mnXJDWiQkXFkvM6ddnuD0vKgG4TBRSv/eB7hGi8n3YqlU/i5wiHpa8em9SKS4xfKAqGBW4dtH/abuG1q0p/iQXhKDgTfU/0U4EZg5ABr7y7gotv/pDzTuvL/bcOkrpv/0/VLg5V9mieVPb42+NPWWQlpTGUL5GhKsRg0zViMYtwoeSIWaZMrJqm8JVbFQti8TxWdF0j8QD5V0cKm6ZFcWEMXWkYpuRA2XRd8rEClf20LMmpMgJWhVKJUS4KHLquEQrBM/dOoHq2l2DZESp7dG3AgzeOBeJrG0pqvZUdMm5KKYJ5ZgXRJ5Q9dF1n4si2KKVjGlBQFMXjPljZIxyWZCgVl5wqC8WwLKsiydky5H3MsoiEZVZMuHiVksTbigTneBJ4xeRvHZzonmjTF5bSzwllD13pFeeFuBqYZpOkYSzKwqJ0YWKioaMphT9mYkQPVvzQlU5ZMIbSrLgKCliWwmuz4da9dMnuRt+cfjT2NiFmKlHPAErDRoW1omtiFVnx86pD+hk2LQIh6U8iAElXOmHDIhAzsGk2goaJaZjYlA1fxAQMNA2MMPH+a5RHTYxIZf8VCptmk2TymIkZL2eTOK9Cctn+ebvCV9GO9FRXGuGQId+jpqGUJflm2NCUwmG3cctlQxjct8URewaSSOL/C46eyIgnn+paBSklfjQWlWU7rCrKHrqmKshKAUqTQIdgKIZpgtupY1p/3Y9PU4pMtz1ubehEDCSpVqsk56qoSlBV+2ia0LRhOtEomMZhD61AQtmjTs0ULjm3B2gQ9AnRiOSVSnSu4hi7rfIpU9chEoYenWrSq+fIiu1B3z8HzRyabG5TtsP2TSZOW+KPynMlVD2qWFNVDjosKto5wvPalC2ebH2wOsjhpJrsuo1oFHxBse7tGoRNOL3JKZze7BTZyQR/rFI9Jj1FF+vIgIA/MUYKzbJVKrNUHQekPwpRV5EPZH/ZrqFZcs/bNA3D0PCVSUK6bo+rsigNRVzlRlV+lRXHo1WUEzrc9qpfm4Z+kFpOxXgi9115EBw2cLqknRlT2oGCWCih7JEksiT+PvhT9rjTYcNuExUPj7vyad7tlMRcTZPk3ITFZVkWbpeEqbvdCrcLCgqD9D/xOU6/9B3s9kQ7/7brOizk2dYCFeP6X26h3XsdOOX76ewPHhBVhz+xXhcMWxhVXEm/ByklA75SE1+JddTXq5SooviKzfjr6Nv4b0FCQeP3+m9ZYLdBfhEMmQK9J8CHX4gb1jQgrEyCRoyQGcOwGRXtuV3w7Y9wy73w5odxJQxdXORulzwUOOzgdsq9KmkU4PXI56aZ0AoFt1s+03X5XNchZsDEs6DnOHjmdXFJJ2J8HA5I8UrbiWtzOOQ6XA5pI5EI73BIn5zx7Yn+J8bG6xGiTGyLRsGTBjfcB11GwOzrKn/A5WUWvhKTcMT6y131SSTxn8afCr/fs7+UotIIu/aWs3FbCS6n/HK27fJRUhomEjXYurOMMn9EJJ4cis07SvnplzzWby4mLz9I9VpOmjXM5pc1+9m+u5QtO0pFZ/DffYVVYFombrtizqY53LH8ZgbUHciXe+dx5qLTsKs/R2TaESp7JKDi1uyfrYwtYfta/PU/OmNZ4IqveyX+PxyUEtLISIPLzobdubAnt3KtKe+ARnGxjfwCG+s2ieixNx3ufxoGnQzPvw4nz4YzrxTrKy8ftu6E8gDsL4Dtu2QN1+ORNcUVa2DLjriVZROJsi3b5bNwGNZukrVLXYMrZ4PPD5u2V/ZH02BvLixeLu044+uG+/KgsBj27od1m4XUZN0ZCopg/wFpW9Pi68wOseZ+XQfrt8jfug6pKVBWCsMHQ7uW8MsaSBiwmib3RdISS+LviCN2LVqWhd2uU1BgMHz6S5iGSVl5jIKiMi6c2Zcp49szdOoczjy5J0P7NmP8Wc9w48UjueaaXtxxxyIefXERTRtk8cuaXZw7vQ8PPjGYzu1r89m3q+l3wrMUl/qY+9hUJoxsRnm5eUxqWClEz+eVbS/Ss05v/jHgIep5G3LV8ovZ5T9AHU8NIsZ/Vgfy/ztME9xe+HYBXHcPzJgM50yHQKCKS++Q/V1OmDACMm/koCedybOEBGKGkMSkkXDnVXD9fTBiAHz2Adx1J1x7D4waCA8+Axu2wq2Xw8dfwaJl8Moj0KEdnHoB5BeKq3fSSLj/VnjlLbj4VhjcF3LzYOmvcOtlcMPlMHgo1M6pVLvxeOHtj+CWB8XSys2D266EU8bD+DOgpAxCIdifD1PGwxN3wUmzhVwjUSG78cPgxYeguETId/suseAH94Wn74ZvfoQLrhcyNYHqWX/9+nISSfw34ojZQilFOGKQVVfn+O4N2barkOfuG88dVw7jH89/xYHCcrp1aMiGrfn07lcHryeVfXk+LDt88+NWikrKGDWoOWeefBwj+jfD8ssaWShi8MIDE2nZtBbPvr4U1LEnkqJwEXU99YlGo9Rx10EpjcJwPvqftMqSOHIkXHbFpWKdFBZXWhW/BcOAwiL5H0uEp71eIZyde+GmS+Dlh+Hdz+CBp8UFN6wfGAr6dBdrpsQH50wVC2xwH3EtdmwDI4fC7Ktg9Qa4/Fzo2h4enANffg0TT4S2LWDed3DWFCG9QX0hFIBwPOrWssStaMagRRPo3wvGDRUL8OV3IKUmDOkLO3bD/TfA43fA3A/g6/lw2gmwYw/cdrn0/4Mv5PXAHPhmIcw+DUb0hxfehDmvwmW3yrluu0EILBQ6th6MJJL4X8FRmT2WZaE5oXq2l6yMNMaOasrIgS0BiIQMatVIIxYzSalhw+1ykp7qQplw6dm9GTukLS+/+ytvf/oLn3+/GaWDw6ZTv04Nhk9tRNsWOYQjJsp+jNfKFFR3VWd7+Tbsdjs7AtuxsKjuysGwkovkxxq6DkE/jBkMrz8u1kYk9NtkZlliwVXPFpdcihf0LNDsUKuGkOKE4dKeyyWFPm022LQN9FSxjAxDjp85HerXgbsegzUb4fYrIcUDW3ZKW3v2QaN6cNqJsj27CeRUk7bPuhKmTYfjOoKuwFlDXH4eN+jZ0v/HX4Qv58u2erXja3AuacPlhIkjYGy8Ak9hseyjKRg/AkYPlrHZsw927YWMdLE209Ng5kniity6U6y2qWdDv+PEenR5/mKFnCSS+C/EUfvvrJj444tKCug65FmGT3+e6tnV6Nu3HumpLr5euJETJr7Dntx9fPrtRkoORPnH84spKA5wxQW9KA8oFizZQSDP4OOv17NzzwHefHo93y/ezs8rdrJ+TREul6oInf53ImFtzWh6Fstyf+a0L2Zy18pbGVNnPHW91YiY1p8uxJjEkcE0wemG9ZvhhHNg7ofg9EjZnMPt63LDe5/AlPPFLffES3DRLAgHK62hfifAcWOlxtqlZ8G0CfDEy3DuqXDhjdCkIRzfXaILzzsN3vgIWjaFAb3kfj5xFGzbJS7KUBh+Wg6pqfDBs/D1QvhusZDbN1+A4YT5P8OMGbBmA7z1McyeBTt2wYIl4CuHrAwhqgVLYMsKCSAJhaHHGOgzAdJSYdgAcTeaFhw/EY4bIzl9k0bBiIFQUgrBkIzDzyugQR3o0w0efg5OPwle/wDWb4WFP8t4Jl2MSfydcVTh95ZlodwAivp1ajFxZEv25vo4c0o3amS7mXVqd3IPlGKza1x29lAKigMY5Yqenevx0y/bePPd9Qzr34zrzu9HJATtW9WkWaMsSkrDDOvXjEAwgj8Yk7DlwyXi/ovQlU4gajGzyQzKImV8sP0dpjSezs0d7yB6mIk0iX8/LEsSgL/5USbfC2dALMJvPlIpJUEXgRCcOgn8QSE0p0vcgxlp4mI8UACTx0Cn9uLCq1VDCGhoP7juAsjOFHfg6SfC2o1CTEqTdm+5TCy2j78GrxvOngpNm8L8n8RNqDRxbVpI36NRWU+bMkFC3Q/kSyj8Cw/AvU/CW5/AmaeI1WdGxZrKzpT1sp17YOp4aNAOvl8EmekwMd7/k8ZA80ZiFWLB6x+KlXbyWOjWEZ6+B25+QEjzmvPFQguFknXHkkjiiJU99uzL46NHn+HE4RczbMoT7N0f4qZL+nPjxcdL8b+AJUUpXYjaAYAGoRKZcDQXGEHQnZJEGomCOyO+XxTJ+VEQK5cIsWP94/TY42+UqCZULUufxLGDaUJKOgydDA3rwZyHwVcoE/bhYFlxZRgPEEMIzw7b1sHJ50oAxtlT4cEbwZsGZSVyv7lS4vvbIRaorJqsaeKOi4YTRUzjSi+p8RPqSO5ZGXhSqLgv0cEsg2BQohxVapX+KAgXy3mVI77NBNywZTWMOR02bIHLz4HbrpC+bdoEU8+HZavg3GlCvt4U8PnEXepJjZ83UUW7LJ5C4In3M9Env1hu/0kyM83KcfwrkFT2SOJQHJVFpgAzZjGkbzNsuoOSsjD5hWFSvA40XRGOWARDcWWMOD3abBqBkChmaJrCDEowh6YpfAWJLGlRtLCIVyf+C34RvkilwoMksiZp7K+ApkmwxEM3iRUULDt8tGICSom7zvLJelLMkLWpSAi6tINObWUNLDcP6unSVjQKoUKZ+GNGIoFf2jMM8JXKfonbzLSgrLgyj0sh+5eXyd9mIlE63r4/CEb5wQpeetxSs/zx85iyZucvF5dgn25Q5oPcA1DHJpXJu7SDzu2EZPPyoa49/hszoaSoSvtK1gcjUQgVywkTuWW6ToXiifYvkkkiF07XDrnu3/l+LCTfLRqVNIXEzyjh6jz02N/ankQS/wqOmMg0TREIRmjbMZXnH5hQoWMX8FUmcMp+WnxCqPQNakphJsrIawqFEnkfQzQIHXaFqVRcRPivgSgniE5gVRKzLKtickoQaoVCf5UM3mRQyJ+HGYNWzWRiNow/nnztNuJ6krLeZFnQuAE8eR8Veo2hcglVt9nE4rHi610pKdJGLCp/qzipVU08TpT4sYhXXLbi/yuZnB2OQ+5xJbljCdKr6L+SV2Lyj0WhdXN45gHAFX+VibXXpAE89QBiuaVCcH/l9dl0Ic0Ek4VDQsggbk6VOFeVc6emyPkSlmcClkWV+/nw2y1LvC6euI5oKCDnd7jk/MGgjL+mVR6nVRmLNRvFdZqVKYnqUoVdSCsYrAzksax4Qjjx7X/Qz6q+oqrnTCKJQ3F0FplSWGHw+02U0kQhwSFqEwqF06EwDHmSc9gVMSOhkmDhcig0XW50pSD3QJDxZ75G/drpvPHEieha5URzrGGaUpk60d9wRKxFC7DbVcXEKSoJCrtdkp5jMbDZZL9Y7Nj38/8tlITB/9FTeWKCzcuHU86DwhK44WI45QTwxcPxEwTjiMtEBfzw1XxZe2rfSsLYozFo3QyaNqoUU3Y45N40TSHKRL8S6QGlPph2oaQJfPYKpHllrS5BgiCkgyX3LchnNl0IWtek74H4hL3iF/hukURNjh4Elg4lhTKx33EfvP2JjMfTd8u2rTulnYw06NZegk8SfYvFZF9Nk2sDeOVdaNEYOrYVKbOqiiVuZzxcP1xJRja9cgxAglOWrBTC7NtdSHXZKom27NkFUr2yTY8rpEQi8ZxAF/Q/Ea6aDVdeCKVFErX59ifS9/59IeQXMnM44JOv5WFjcF/pjx7vp66LpZ3oZ8IKTXwnNpssOSSRxOFw1FqLSkFRSQCvx0UwFCUSMWhYL4VwGPbuD+D12HE6dPLyg6SlOnG7bDgdip17yynzhfF6HKSnOqiW46BOTio/r9jLvv3loBQ1q3uPefSVPBUqfH6TrTtLSE91U6+2m2B8kiooCpFXUE56iov6dVKIRKGoJCxpBR4HRcEIuq6RlvI7khRJ/D4smexiMVGX/60JSikhnbRUWQebebkESyibfFZSKi4904TSMmjRFHblSTSkTYcXHoKr74Ttu+Hhm+G0mlBeCpmZ4op0u8DpjOeyqYOtjnp1oVkjeOxFcW2aMcjMEIvHHifNzdvknmlcX7Q6A34hwDo1hagP7JXcsjc/gtMuhvQUOFAkydqvPy7XtWEz3PIQnDMNhg+AOrXgwhvgo68k4bq4FJo1ho9fAI9L+pKZLpN9OCJWUGo6XHaLRGl2HwAcgGhEri8akyRwl1OCSEJhIf2SMti9Wdyf1bNg5z4YOzNuYX0LW3fAhDOhbi345g0oK4dqmXLOPbkSTKNpokxyzfnQuxtEg3ECT4U7HhX1kSHjQRligTmqSY6c1wMjxoFeIuToccv/67fIZw3rSj+LSiUS1W6HohJJVxDf619wjybxP4Uj9lTL07FOQb7J0Kkv0Gfik3Qd+QTN+93P1Xd9x5pNB+g84iHufXIBi5fupt2Qe3jm9WW4q8GDz/xM30lPM+vaD+g47EHufXIBrto6PTrXp6S0hN7j59B20AN8NX8rLo9YTMcCpmnhcsGPy/YybMpzjJ3xKgMmP819T/2MOxM++2YzQ6Y8y6kXvU2v8U/w7OsriJkmI6e/RKsBD/DEy0voNPxxRk5/mUgkVjHpJXHkSITfz/8ZhkyVZF+X67fDx01TJvApE2QirWqxn3AO9BkvYe0t+8Oks6BRQzhzikQjfvYN3H2NTIAjB0LfcTD1Qti9B7qOghvul8jBrqOkja4jJYy/+2hYux4G9hKrYPDJ0v6ltwpB7tsPk86GEdNh8Ckw61pxw/3jeegwFGZcCn0nQst+8Oq7cNvDULcm7Fklyh3zvoPPv4PNW2H0DCGEH36CbxdCgxYw4yQhyK9eh4vOgFXrRK5q2DToPAJeeBtOOR/aDIIPP4cLrxVieuUd6NMfXnwbnBmSSzfyVBh9GgycDFfcIeS2Yi30OxFmXAZD4xqW3frAiaPl9fCzsHyVJJNfOFP61qo/nHUFDDgRmvWFV96TAJlJZ8v+838Sq0nX4YrrhAi/WwS9j4d7noCU6nDj9XLuZaug1wDRjHSnwsq1MHwajIr389aHpK0zLoceYyW9okU/yf9zOX77Xkni7wvNAo7khYJIxCCzjqJHp3ps2JLHI7eM4rrzB3DfU/PIy/fRrlVd1m46wHF9amO3edizrxTLAZ98vYH8wjImjmjNjMndGdy3KVYAgqEowXCUx+8YS6N61XnqtSUodWzCBy3i6xaGxblXf8zWncVcd2F/6tXK5Mo73mHVykLatqpO324NOWFUOzRN57k3luFNVdx+5WDq1MzgzY+XUr92BvfdMBS7Q6+I1kriyJEIUNifL5qEu/fFraDfOSZmSLh77BBljzGDYfMOiQZ89l54bx68977cPrVz4KsF8M6n4rKqng3HHwcbt0LDpuJqXLsRjussFuGoQSIQPKSvuMC+nJ9wL8O4YWIxPfKchOg//Jy4yM6fIQT5zFx4eS7MmCouuM+/g4vPhGfvg7QUyVEbNxxsThjUW65/ya+Q0wAmDpdrHNIXBvUBM+5yNQwhw3ueEHdk945w4kghrEG9xfJp1RSGDhKL0O0Wa65HVyFN3QZX3SVkculZQkoPPC1jsn0XrNskASinnyipCGhiCa3eAB99Ce/Mg83boWZ1GDVCLLAPvoRzp8MTd0LnthAKwoM3yfht2QFm3A3YprmsTVbLguO6Q9OGYiG2aAaZaWJR9uwmuXyGARfdLAR3zXnQrhXc9CD8slrSDnbvk1SGk8bCnNdE39Jmq1xTS76SL4ujTIg2LQvdraidk0pWRjonTW7JCaPbARAKGdSvlYERM0mrYyfF6yI91Yky4Ypz+zKif0uefm0p73/+Kz8s3i4+c5tGvdo5jJ/ZlA6taxEKGcdO2cOScjJlZTH25ZVRvVoKG7cV0KZlTaZN7IXTZuOFN1fwxfzNWKZJnZopuF0OdJti5AmNmTymA6vW76DfcQ0ZNK4Bmjr2av3/H5FQ9hg/DN5/VhQtwqHfXi9LKHvkVJMJrKqyR7060t60iXDyOGkjv1jWaAf0EvJ5+9PK9ZeGdeWmd1WTSdbpgBoNZbIe0DP+fy9xDXo84uay2+DmS+D2q8QaW7JCiCA7U/QRPS7RTqyWDQ3aiqvv7Klw5hVwxkzo3VVIZ8t2UOmy3mcYQngZDeC806Xdy86CcaeCikkum8MOn70MX78ubtBHX4DLLhRCue8pSYa+9XKokQMXz4L0VFENeeBJGDkAYqXihq2dIzJY1bPFqrXbRRVkxmRYuBSeehW++B7K9gu5r98iSimN60tuW91aULudXO/0SXD2VTDrHOjSVuK9ug6DBnVFCUWvJuN7+kxoVB96dIIHnoCTJkoaztQzhLzatIAHnoLpUyXwZcdu6efWnZKSMWW8KJo0byzjcMlZlQ8ATgeo5O8uiUNw9MoeUQn6KCopoNewFxh12otkpmfRp1ddvF4H3y7axPSTPmT3vly+mL+F0oIoT7zyM6FwjBsu74fPb/Hl/C0EDhjM+34zu/bm897zm1i4ZCfLVu1m07pinM7K0jD/LkgJFYvq1ewM6t2Y7bsKyExzYRomG7YWYrNrfPL1RkrLQjRumEFZeYyfftnBqlUHuPSir7nt4XlMn3Q8Dz7zLRMnvEM4HEHTkr+oo4VpSjLzxq1wymwJUnC6+V1lj4+/gJmXCQk8MxeuvhQi8Ug6w4ABk6HneAlqaNlUAjw+/14m5urZ8lRvWZBTXSbnU6eK9bZmI8x9RdaQPvlGJv6PvhQF+/fnwbvzZI1p4tkwYppYhEOPh2H9ZV3NMIVYV60XEn3tKVH7ePszuPAMWLkMsmrC6ZNlzev8s+HUS2RtbPoJsPVnuPgmCeo45xp46n5QdtFbjETjGotzpQ92m0huzT4VXn0PmjWEIcdDeZGQQYpXRJFPOxEa94atu+GEUUK2Toeohvy6FrIz4PMf4PvFcPFZ0LOzuHkLDkCtHBnz0YOF2C1LiGzu45Kv99k3ov/4849guuDHZTBrhrg93/scLr1Axs4ISXDMy++Im7R5T/h2MZhBIbz354mV1by7WIxTxotF53aL/NfKdfK9vvWxjMNTr8qY7MuT/W3xyNUkkkjgTyl7KKVRr3ZNBh/fiD37sjlneg9q5niYNb07u/YW4QuEOe/U/hQUB4mWQodWNVm0bCsvz11Nv+Mac8NF/QkHoXH9TGrVaMe+/T56datPIBChxBeRIpLWv99tp5QiFIan7h7HPU+k885nq8lM9zB1fHtq1fLwj1tGcd+cBTz9ynImjWjNhq355B0IYpgmE0d0YsKwNkSjJpGoQShs4XErorGkWv7RwLLEmvpukaxjzT7t4PyjQ6HiAQV79sv6TSAA6zeBwykBDOlpIhC8Lw8evkme4tu2kDa9HgnyeP9zIaFRA8US2b5b1n7y8iWva8JwWUebNFKCP+rVkeARh0NIyFcuuodP3wP9ekGvbhK1N/cDsRLGDIEu7UUWa8JwIbh1G+P5XSFR5K+WJSRZvzY8eSc0aQpLlwhJnTBKgin2H5AJPCUuiLxtl1iXt10hBKaZ4ua87RGJEtTtYARkjfGhG4XIdu8VgePqWXDFuUKA786TsTphFDRqIBZQw3qyfqdr8Njt0KCB5IKdPlmiFOvWknZyqsO2HTB2KFimBLjEDPkOfT5Zhxs/TFywm7ZVun9vvATueVzWyk4cI65I0wfXXSjf9cb4cZ3aifqKwwGffi0u41MnQZ0c2TZpJJT7xeqbOEKCaKzkzy2JQ6D2HI2yxz/mcMroSxk+9Ul27w1w+5WDuXp2LyzA748rezipyDFDQag0/jTplKdohwuMSFzZIz1+grgCA8SVPSLHcO3JkhwZVwpgUFlF2CcL4cpGhVoDWnzNwhV/H6x8HyqRCSv5mzo6mCakZMCQE6BubXjhsaNU9lCAHXZshKmzYdFyuGCGBHV4UsRt6c6Q/ayAEIGuCwHqmug6olHpizCoUPNIqGhAlfeJKLl4gIHfJ/emJ6EEEr/Pwz5wepFHw/i9Ey2R+1zT4sohUfncjEh/XC6wpVXpQxT8pVJTDY1KhZwwxMLw4LMw932xgJ69D2ZOluRspSTyT9njx1gQ8sUDZdLifY+3FSqT/Z0ekc8CISW/L14LLRWCpfHio14IlMavtcp1GWUijeXxgEr8juLjECmNR0y6pd3EWEd8Qtoup8wFid9YpFySw92Jftrk/2A5uFPi+8Xi/deAkIzdpAvG0iOp7JFEHEdlkemaIhQw6Nm5Pn27Odi1t4y8gjCpKaLsEYpYWCH59SdcgzabRihsYQYtdF0jXGqilKh3lBXK7KDiyh4A+rFW9oiHWZcWGVjKRFkKpTRsuobPb2DEfVyS7Kpw2GxE49t1TcPwmehKx2GzARYxy0BD41CFEAsLI/6ZOiTp+u8MTZO8onuvkzWpkO+PlT3Ky0UeCuKK704JdW/aUNZyikrEfVi/jlhiZfmV5wLhI10TayFSSkVuElYVNQ9NLA6lKrkskSyckF9KBKoA+Eoqt1nIOpevRB5uKipD22Uf0xTlEKxKRRGlQzAMsdzKc2nxPDRf8cGuMwtZN/OVSwh92xbSj0Twnorn5VU9pqKfxf/cT9MQhRAVJ2vTkofNWAzCBUJo0SiEiuI5dUVxS1qrHKuEwolZfvD3pevyeSAI9phcezQa367kGMsv15rIi0PJ+CSS0RPtJMZBaZXfl6bFj0kiiSo4KmUPfyBCh85pzH1scsUTVaC88sFVAapC2YMKs0okqST8XdNkT7mxNQzDQtcUlvor1TIsXHYdp0Nmg6gheUBeh45ui88A8SdxfxgyXDYJA0t0Lwb+KDh1hc1hkydSIBwDwxISsymF12k7qP0kBEZMaoFFIjJ5/tHXnlDjgLjxZMga0UvPITdfGPkOTPkskaBcVXIqgQrSVJV/KypVQaoqeCSQmFyrEm7ifdV9lZIoRc0h/QkEKtuz6WLB+ANyPpvtEAUPU6wcw4xvS/yo4ucOR+C2q4AUICTegUSCM8QVP6x/7lMiIrSqKobbHR/PxDkQKyoSrRwDqEzq9npl30BQyNlmF9IPhoSQqwjeVJw7UZLG7ZZqAGac4FO98n/wkNI9VZVVqraRRBJHgqNX9oiAv9xAaRqaprDbIRy2UJooYCRuWLutUuXDskSGStPiP1QN8g4EOXHWG9Srnc7LD08Uay9y7GVoTCycuqIgXMI9y25naf4SBtcdyk2drufrvfN5btPThK0Q/miAfjX7c02nq3h2w8vM2/MpMWIEo35Oa3omJzc7gbUFm3ho7X2sLV5Dzxq9uKHDLaTYUtCUojBSyt3LbmFZ/jKG1xvFde2vIhAz0f6oiuTfAErJuseRCs3a4ndpQpEiEpXXwi/kaf+4LhI2XlIq7so2zYUgzXgybeKetFWZGBNWWplPgjnSUuDlR2RdLRRXsEhoDTrjElXh+P2pNLFgEqoaDoeQsscjOV8Ll4rlNKiPfG4Y0o9bH5Lin3YbPHe/9GtfnliKmelC7ok8KT2uLoNWaU36yuCd10VfsmVT+S0llDE0TdYNTVP6krCedF3Olyh5Y1mwYo0EZSQSuw1TAmPq1pJxczlle8yQNcQNm2Xfnp1h6y5Z98rKgA6tK8dB0yoVP0DejzxNqgfcezuU5gmpffGDfA/HHyfjWbX/CWWPRP+TSOJI8aeUPXyBCG6Xk0gkQiRqUqemm1AYCorCuJw6DodOUUm4QuXD5VTsywvi84fxuBykeO1kVneQkeZi4ZKdFBQFUUqRleE6psmOYimBL+pj1NdDcCoHF7S+mObprdB0+Dl/EW9tm8sFbS8hGA3i0JzoOny46z0W5v3AWS3OJT9QgE3Z0DVYXriU4nAhI+uP4ZYl11EvpT6Xt7uIgkAZI77uj1t5uaD1hbTO6EDUTAaFJGBZsqaTkCZKWFCHQ0I0GITQSkqhdk0IRSUReeNWIYU3PpQcqTNOhodvEWvI65XoQpdDJtYyX/z8UKFXmFNLQvvnfR+XYFIiB+UPynGWJVWonQ4Jyw/FrciiEiEfXZdCmA3qw+vvwRlXQIobCkslXP3pu6QfK9fATQ9IPbR+vUQl5JT4Gl+NbFEE6dkF3npCCKmsSPQTLUusuKwMicq84Aa491ro2Be0/WJJedxC6Dt2SzpA7ZpiPTmdUFYG+wtkH7dT0gNOu1j2DYTi5GHB2VPgsfsgXCbkhQX1msKPn8PUCyQ4ZMP3olJy0wPQvyd8+DwUFUubIORYPbvSHXz2VOjYGqIBGXNHDbj3CXlYGDwG7MXST49bHkx27Jb3tXPku0hGJiZxpDhqZY/CfJPBpzxPvxOeptPwJ2ja5z5ufGA+6zbl02nYg9z/9EIW/byLdoPv4dnXl+HOhkdfWEbvCU9x+iXv0G7w/dzzxHw8dXX69mhIaVkZx419itYD7+e7RduPrbKHZeKyKeZue4MVhcsYUX80aY4UWqe3lcFQOi6HG01pdMzuzLnNzwcDHLoDrz0FhcWQusOY3HA8wSCc0mgq7w16j3YZ7UnzplPbUxfs8NLWl/i1cCUj648m3ZFOm4wWmMk1MqBS2WPRMhh9uoSS/56yh2HA9Iug5zhJEG7WVxJ702rDRTNln8dfghsvjldzHiIKHbOuhTXrodMwuOtxKZDZZaSodnQdCd1Gi5rH7j0STh+LSRh/64FiOXlcQlDjzhRlj76T4Np7JADhy++g/RBR8BgzA5r0hmvuhKvvFstm7zp44AZJLfjpF1i5GiaeKUS84GdYuwHqt5AQdJcTFr4vVaC/Xwy79kkOWochcP/TcPlt0qebHoCLbhLSf+xFGDJUQtJdWZJGMPp0GHQyHH+CyEN5UkSdo9+JUi6m5zg4ebYQ+LbdYn22aylJ3TMnC1nnH4BJ50Dz46HVQJgxGyaMlP2mjIfTLxF1lYb14NoLJMqw7WDJLRs2FRr2lKRll1vkxB5+RkL0bZoQ1J23Vip7DBom4+xKkf6POi3e/0mSBJ6wFpNI4khwxESmlCh7ZNRWdGpTm1Xr93DnVUO4aGZvbn/kU3LzfTRvXJNV6/bTrWdNTMvOzj0l4IS3P11D7oESTh7blmkTu9LvuEZYAQgEo/iDEe67bgS1amTy5Cs/i7LHMYJCVvJXlaxAt3Se3/wMYz4fyeXLLwIFdTx1aOxtwrqSNZy/8GzO/ul00KBJajNqOGrwY/4ipn51Ivevexi3DXRlsSx/FTMWTsWtXLTNaA8mrC1djRbTeH7LM4z+fDiXL78Mty5E+ndHQgB2515Rz9i4Nb7wf5h9TRM8XhjYW/KMTp8sodqPvQhmSFxTmekS6PHkyzL51a8tofBrNkLLFhI+vn6zKHgcKIyTliHyU5EIfLdA7u1gCE4YCaOHiLLEwqVw+z9g3rdw6dnQtxvc/Ti89yEcP0AI661PoHcXePpeCTrZkysh5Y506NdTrLVFyyGnHgw+Xq69bw/o0AqssIxDKAx9JkquVPPG8jppNBSXiTVTo5qMxbRJYu3Y7ULYTZpAVrqsVV1yMyxcBteeL6Rz/b2wfKUQ2ZqNkp5w+glSwFPT4NbLxI0ZjYkqx0njpCbaDXfDp99IgdA7roIX34Ln5or48tcLJRdu7gfies3OhL69JMDmzY/kAeLhm6FDG7GurjhXvtM1G8DU5IGkdm1JLUjxQvOmokRiWkLQP/0iBVDbNIer74JFS8WSNQ6TX5hEEofiqDzRpmWhexT1aqeTnZnJaae35bQTuwAWwUCURvWziBkmmQ2dpKd6RVjXhCtn9WVwn2Y88vxPfPLNapas3FOh7FG/Tg4nz2pJl3Z18PtjqLi6/DGDgpARItOTxY7J2ziz7bm8su15wiGY3mQKayas5ssJnzO5xRS+3f81ZYEYd3e+g18mLmfh2Pk0r9GKz/d+VtFY95z25J9Sis3u4J41t4ENgkaIVG8q2ydv5ay2s3hj+6uURWLYNR3r2F7dfz0Syh4TR8DHL8rkGg4efk3EQkK427USy+Wy8yUhWVOgxQMWGtWTCMi5H0JxieSVNakvJJheVyZ/lxNqNhFrYnh/qF1D1Ncb1BVLIdUjQQy33wR3XinrNouXi4JHTnVRnEhPkwrODgdUbyZlWI7vIaR39iyRjwLYnQvKKy7QhIJHrZaiTqFpcPNlMGEKKFPSPdwuGYe3n5TzPfsGnHCqSFK9/G6cSM+CDscJUaV6Jcn4qRdh8AAIFsGWnSJLtWm7uBUnjxHLa9wwOHGUSEs9/xZ8u0hcmFdcCk3aU1FzbMAJMGoY/LxCyPPkM+CicyVx+6dfRDx56UrJXSsoFpKtkQV128i62rhhcMXtcNH50K+76N71HCWlejxu0GuIxXv62dC2uZDdky/BmWdKOsCWHeK23bhV1jhPGiNWeiwpAZfEEeJPKntAYXE+A0a+zNiZL5GakkGvnnVxu+z88NMWzpr+Kbv27uO7xdvwFUZ57o3l6JrO7dcNpLTM5MMv1xPMN/h64VZ27S3gk1e2snj5Llau3cvWTaXHRNkDqCCRQbWGUBDM58HV/+DH3AW0Tm+Lww4vbX2VCxddwl2L7+WjHe/TNqMdKQ6d21bdyVU/Xc9VP13PpsL1dMjqBDa45pdrmPb9DB5e9wB7y3eT46oJBgyqOYTSUCkPrnqUhbnzaZ7WErdNx0haZOJadMrkdepF8NLbcWWPwwyNUhANiQpHKAyvvC6Cu3v2w8/fwY9L4Zc1EnBwXGdZ14pEJPl4yw6YPUtUPlasgw/fkbWfj76E/CJxy+Xly//vfi5WxJQzYNpFEvwwsBcM6C37ZKSJBbJpm6xV/fihBC2s3gCXnQNffwIZNYRAnn1d1OAvvBEy0mHCKNjyE1xzl6xjzboaXn9Bru+Tr8USfPdTeO8LsZAUoiV52dnw8VewN0/WmsL5cn1Oh1iKM0+Cdv2hoESkqbbulL6lp0o16tQUCSzZtAOuv0wsnQ8+l/NtXQ+XXirJzZ99K9ZXJCLJ3CvXwblnwcTT44EwI+I1xCyYOkHIKRqVB4QPX4OFS2DxMrhiFixaCDGbtHHZbPj5F/jmR7jmYrFWTZ8EfHz4heT+te0p5HriKOl/dpYQ9cZt8p0m4z2SOFL8KWUPTdOoWyuHbp1qUzPHy3mn9qRObS/nTO3Glh357M4tZeZJfSgsDhIqgSYNsvhx6RaefXElPTrX56aLBxDyQ41sLyMGtGDz9iI6tKlFIBAhvyhIowbpx0TZQ1c6wajFSQ0ns823lWc3zKFhWiPu7vJAPOfV5Nv9XxHZH2VsvfHc1PF2QBE0gry/62103cb5bS/mqjbXYcSgXWY7vs/9hp/yf+Ts5rO5qt31BIMwrfFUdvl38Oz6p2mU3ph7ujwASlUU8vw7I6Hs8f1iKVFyzlQJxz8cNCXBDE67qHLsyxMLacQA2LlbyGXEABEUvv8GuPF+iYg7aYwoh/y6HmZNFytpx24R+E1Pk4k/EoVRg8HvlwjKU08QoisukWTjTm2lLIxlCZE6HOIebN0c3v5YrESnHX5aLuK7KHjsNtFC/PhLqFcL5twL9erD/AVyrWOHQl6hrIPFItLmyIGyjqSAWy4TgtKDYuWkp8mEX7selBSIhXT/9fDYS2J9nTRGyOv2K8XyefMj+X/cUHHjpaVIwMozL4mV+dRdULMOrFwBy1eLmzUaE/djJAiXnyv7vROPrHz0dhg3Fr76UvrVqClMHS8qKHanWFA9u8gxPy6F4f1EGLmoRCy53t3koWDhz+IutWJw9WwhzZ9WiAxWu1YS3anrErDjdYt7tkHdyrpqSSTxRzhiZY+9uXl8+Mgcpo67jJFTn2bH7nLuuW4ol5zZAwWUByxcToUtoS4QzzMLlcVDgJ2Sc+bxSEJmOFJF2SOueICCmP8YK3vE4bFXhi/HDAgb4LVLHljMlEkqGoOIKdsjRlxUwgbhKMQs2Q6SP+a0yf+xeMj2P7X/J1RADpfT9FcjYcUemtD9W9v/CAllj8GToGYNePXp31f2gLg6haJSAUPJGpNKKEdEIRqW+zQYkjF3JBRmEhNhDLnH4om1FYodiTwui4pcNBT4y+OKHClVzqvJ/exyA474MTZJ8A0EJGTelSKyVLpDaphVKHhUbScsBOpNXFfi2kPi6nv3EynF8tm3cOUsIapEWLvXE98/fkwwniheoRwSvydD5fHUAXecEBTYHHJdDjvY06lU5LAgUCL3WsX1xsfN7xML2uYCf0lcscMB/jLwplSeDx0Mn6yfudygJ9qJfxYtlYcHl1PGJnHdkXJxwR6u/78VAKSAiecnlT2SqMQRW2SSha9RXhqlXcscOrWpx7pNBRxIKHtoouxBOD5XJJQ9dC2epCqJz+Xlsl3T4soelrw349IDx1zZIw5fxEBTGlZMZi5NaZRHzQoVDl+4UpXDFzHQlcwcobBRoeDhi0gsoqa0ivYSE/vh2of42JiVY/B7+LPDYFkHh/ofGmRypEojhlV53RZWxTG/tf1IoCkI++H2Ky1q5UDQp/7wqTuh8JDIjTrce6XieV5aPIghGueqRDKz4jfL7ljxfyqUQKzKPLIKBY/4ProeVxqJE15C8ixResVXHK/OHIqrdWgSUBEIVNk/roxRoeAR325akJYu2pKmKdqIHhfEopX99vmrdrqyYrWvuFKdJLEdoNxXOVaJCs+RKAQPVLaRSDiver1VxyEUlgRsmy7h8lYgPg6+g8choeoRCoGR6CeV/UkE1VhBKtRVEvzzW/1PIokjwVEqe4Tp1DWd956bIkdG5aZNPDlpSsUfdi1QWsUPQil5wDNNK54EKx/YqjxFaX9xeLqmdJnw42Ql2zQsy8LEqiAx6ZuOaVlxqTm94oleryAnq2JiT0BXely26pDtGrjcCpRUzU3Yw1ZipozPmnEFLAyz8vOqE0xVHDo5O52qIiEYwGPTKhLNLQuCRmIOq7SqqhJSYm5NdeiEYpJbZVqqwtpMbNfiR0etxFx2qJVmxdtSlZ8pSZQ/rreCiMhV/RFhH+mkVvV+0+Pvq3Lk0bqp1G+cO0FEhzu/Hr89dHXwdtthfmmHazvoh1mniqp8QoMqGKhyzO+cV3b4575ah+yTUBr5p3Z+o0+aiquN8M/qJr81Doe73kOPr4rf6n8SSRwJjuqnbQlFsWpdAT1HPE/3UU+wcOkuXB4wTDMuQQUOR6UkFSRCrhUup0LXj00gx9HANK24YoPCpquD+qnrCpdDYbdV9lPUEcRStOn//GP/LYvk0O2aBj5/hO8W7eKrH3YSi5koBUaVcVOAw26xc3cZ/SfP4bp7v8LhkKdV06zsj6bJZCHKFZX9V8DmbSWU+yNx6SCTlUXr+DZ3EV/s+4HlhWtQ8cRwXSn0xEOFUnEOlW9ZA65adj09P+nK0K+HsD94ALsmDyK3/no3vT/txqCv+rO9fCd2ZWFaJg5NYVOqwgJUqvJvXSnsKk53lsXXX+3mmx92UuoL/2Fhzf81/CuPZEpBeQDKy8TyKy//18fm770qm8TfAUdFZApQhgRpjBzYnKW/7mJvbilaXFomxauIxSz25fmJxixSvGJdOB3gK4+ya6+PQNDA5fzPFaUUVQkh2ty8AOWBGCkp0k+HQ1yHu/aVU1waweWUKSAcMfAHYpimRSAYIxw5+uQWw7RweeDbH7cx8KQ5vPb+r8Ri4lpN9YiVkpvnJxI1sDsU1Wu6KPPF+OGnHViWhWUi/QQCwRiGAf5AjJLSCCleVfEUbLPD+DNfZcHSnbjTIGJEOHvxaQya15spCybRe14XTvxhPGEzRDAWImiIrEZZzE/EiGJZFh6HYmH+Qu5deQej6o/hrKZnYFd2HHbF6uJV3LTsGvrW7MesFufi0j04NIVT18gLFlIaLSfFLtZ4zDQoi5bjtWtETYOSiA+7pojFTD74fC2DT5nDR19twJUCpvEbCyJ/Q2iq0tpJBjskkcQf4+iITAExqJbl5sIZPfF6MsT9ZoLHrfHJN9sYOuUZ+k58hkEnz2HedzvwZMPjLy2l/+SnGT79JXpPeJIFS/bgdB87BY/fgmlaOJ3w67p8xpz+Mn0nPkPfSU8y59WVeLLg8++2MmDyHEad9jLdxzzG3A/WEjVMhk19kTaDHuLpV5fSZeQTDJv6EpFILL72YGGa1hFbmaGwQUZaKo/eNga324bdCV8t3Mmwac/KuJ00h/c+20xmfQfHH9eIXXvy6TDsSbqPfpR3PtlMUUmA/pOfY9DJz9Bh6GM07XMftzy0EJsN/IEoJWURgqEYpaUh/GVR0u0uZjQ7C6/Ly+qxm5ncaAqf7vqIFcWrOO6zjly+7ELWlayhw7vNuWfN7XjdGu/t+JSZC6bicDr4ft+3lETLqZ2RyZe753PK95OwO+wsOvAjeYECGqRWZ5NvJxO/H0/vz7vQ59Mu3L36AdwOuGL5RXT8sCUXLrmUbp+2p+7b1Vh0YAnpXp17rx9GzerZBIKxpMmQRBJJ/Es4+uc9BZGoRV5BOYZhYBgWhmZyID/AKbPfJBKFWy8bzP4DfiadPRdfcYwWTarTu0tDpk3syIYt+cz9YBW2/wCRiavN4szLP+CXNbnceMkAqmelcs7Vc1m3ppimjTLp2r4u0yd2JBIxefSFxXjTFBfO7IlN13jz42U4nTaunNUbu0OPBw8o3C5VYb0dSR8AgqGolMgojTDlvLcoLg1zy+WDKfNFmXT2a5TvMYgZJoUl5Uyf2J6c6mlMveBVwhGTDq1yWLJyOzde3J9pEztx84Of8dX87Yw/Yy7N+t5L7gEfF970KXW73sVXC/ZRLTWDQDBAt0/b8erml+hQrRNds7pQL6UBK4qW0zyrEU67k01lG8CyaJRSny7Vu6FQdK3enbqeukSiJvW8tTgupycAnbO70iC1ATHL4vJlFzNv7ydc1fYGOmR34pofLmf+vp85rckMCqL5vLVjLue3PI/rO9xCdVd1DFOsXIX1H4/KTCKJJP73YTsSKklELCf+8KQoamSnoOsaqSlO9OoauxaXUR4IkpLiYuW6XAb2agJKUVoc5c2PV/Pr2j2kp3uonePF5dDhL14XsSwLm01RXBJh+55iauWksmrDfpo1qk61rK5gwodfbeD7n7aR6nVRs4YHl9OOTVdMObM1m3cUcfMD73DVrHFMnNGCwA7AlDWl9VtK0DVoVD/zqESP7XbYt7+cguIAzRpXY+XaXPp0b0indnWwFDjsOvVq53DNXX047u2GDJy8lj25pTRvVI3qWdmcdV5HVi2qz5Ov/EBeQTmvPT6R3XvLmXzuG1w4sycjBzWmSY1s3stXeF1e3u//GauLV3HewjP5dM/HdM3uzmd7PyYt1UuOtyap9lSUqehUqx3nhGbzde6XPNzzPtChxBejVfVmXNb2at7d9TYPdnsUTwr4ygzWla6hgachG8vWk+XKZkLLE7BrTnrW6kimM4ubO9zJud1mQLmEkUfMeGDNsfqyk/jbwOKQ+SmJvyWOUqIKcMIHn23i2ns+xx/w8+zcJTxx13JaNs6mUb1sDhSU0L5lDja71C8LR2K8+NZynE4HPTvXo6QsxjeLtlKYG8Jh/+vWypRSRKMW1as5OK5zPXbtLaJ5o2yyMl0cKAzgdNp46Z2VlJSEGNC7IdGoYvnq3WzcWMgt1y7g5ge+5KSxfbnnyW85Y9onhMNRXF5Yt+kAvcf/gxffXlER9HIkSJQFadIwg1bNqrP/QAntWtbA5dLFRVgaYuGSHezet4/LZ33N1XfOw+Vy07RBBpGYSX7RAUaOeZ3J575GWkoGvbvWp17dVHp2roWmQbNG2bTtVAOb2+LLPZ9THi7nm9wv+SHvG8LhMDHLJMuZzeqCX7n0+yv4OW8xPxcspihUyqr9G3lozX2Uh33MXngR87Z/i9els/bAZm5fcTPhcIjzFp/Fh5vnkerSGVhzCNvKt1HbXYc6nrrsDu9EVxpz1r1Enm8/c7e9xO0L72ZnaT5G/Av/q63xJJJI4v8vjs61aFlggzUb8lj6606GHt+K0vIgX36/lRSvnY9emE7zRtW5+4nv2by9iCF9m1C7rpcn7xpHJBrlvqcWcOqkjuRUS6WgICKRgX/hs5QIH8Oz903g5LEd+MfzP/Ldom0M6t2YnBw3918/nJbNqnPdPd9yfI+G9OhYjy07ytixt4QBPZsybkhrhvVryfbdxfj9MTQnfPPjNsr9MWae3IVY5I8ThCUoQyczwwEW2G0a7z8zhc7t6nDPEz+wan0e44e2JBQwSU9zM21iT75buB3DsHjtH9Op09pLLGpQr3YOjRtm0Lp5Dp+8eBrNGqXjK7EIhixefPAEurSvTajIwh+VsPqBtQbz7q63WF+6jhuOu5VJ9ccxvt5EBtcZxuKCRZza7HRy3DUpjgTYWb6TsrCPoXWHszT/J7aUbUbXFbvK97DPv4dh9Uewtmg1m8o2YZhwV+f7uaT15byw6Rne2/k2/XMGUc9Tj58KfmRgrcHELIMv9szDwqxQNklP07HZ9KRrMYkkkviXoXYfobLHvv0HeOuex7nriluwDFAeRC0hXmnWXyLRiTYXGGHQ3fJ5wC8K5mZMpIkSih/h8iOrDvzvRkJ93ekBI1KpMhD0Sb0mCwl1xy7XZYRAd8o+Rgh0l1xDoESuq9eY52nVPIfnHh2Fr8BC1w9/QYZpkZqmePGNNcy49A2evHMSUye0R9N0UVpwx8fNBRgQCYEjRfpAVKxhzQkrV+Zz8qzX2bWvnAdvHs65UztLzapgpfyVxy3WXiwmEXBuO1SU8AYwIRAFuyavqp+Fo1J2Q0+oYMQVNfxRSBTKPnS7roHLLootWuL7jYraScU5ldTyMi0L07J497N1nH7Jmzx88zgumtUVX5GJ/gfqDH+F0knix3Doaaqm+SXxn0VVZY8+SWWPJPgThTVRUFYeQwW0CmUfSaTUCEUsrJCFpmmYQVHJ0DSFr8wScghWKn6IqsVfPysoBbGYRaTEEkWRIGBZ6LpGeaCS06v20wxRoZNoBRPbNcIhuPuaYTRukEWozPpdpQ5NiYxSt/Z1uHBmH7btKiZqWHhsEI5YhMKV44ZSaEoRLjJFAV5TmIaFx1LkFwRp1iibZo1r8NOyvUwa3haPx36QhmO5X5Q9EooUvogRzw9LfF8KXelETIuwEXf1xVcabEonZoARMyr219DQlEbIsA673bAsfGEzrmRixRPBNSIRs0qStCSTa5rCjFls21nM+acfR9/uDYgF/1jl5GhIrKp390irUIMocyQSf6uezzAq1UP+G2TDkkgiiYNx9EQGKE1h07WK9a0KRQUUmq7iskGVyh4VSdCqUn4qkVgcMypL0f9VE4RSlYnZmlKo+CSqaYk1OwtVRZlEU4AVJwZLVDkUYvEc37MOkXBcufx3+q+UIhKBZo0zeeS24WIF+uOWVhVSr2qVVH2v2RSREAzoVZ8h/aYmmIRQoFKGqWLfQ0jhUNWRij5R+X1oB20Hm/rnW0OhfnN74hxVpbEOd14p0KpxyxV9wRJR4Ej44OMO3V/XRR8wFBeRTRDVQZdtVZKWx135XuTRqqiixK/v0PvNsiA1TcR8lZJzRKLyWWqaKNInxjkSqSQ1ueaD26mqwJIkvSSSOPb4U/Z4Qg1C18VNV1VxIjGBJN5DvI6ZrrDbKyelwuIQI097jfOu+6Qimdf8iyI/JO9L1Dr0gxRIRGHDbldx7bm49VVF3kfXqZB7kpLuFtHYkYWRKyUlMMp9FuVl1tEHuihxGZaXW5T7Lcp91j+R2P8CLAt8ZRZlZZboc/7G2AnpSQ2ssTOkCvG87+LCvEY8cTj+stlkfyMGK9eKGvv8n2Dzdkl0r7gvKx6uqt6fIoz70Bzod4JUVd6wVY6z2+GZV6H/ZOg3CVaskX1jRjwBXY8Tq1Up8ZT4Xm22ZDRdEkn8FfhTeWTRmBGflE0CQYMUryhlhMImMcOMi4OaGHG3lcelCARj5BcGKffHCIUN0jJtRKMG877fTCgUIxgysNvUMf/lWxa43QqHHYpLw0SiZoWyh9OhMEzILwwSCBi4nRK6YZoQiYgZEI2aFZqRINbP0YgcKyXH/JEr7UiO/7Nt/KeRUFdJTVF43b9/DaYhwrnH95CqzRu2ivo6CJlZlgjNlpWLmnyRD4afKmQ0diZ0GQmX3Ra3/hNiwqpyDdEypWLx1h1w6S1SpmXGSVL+xO6C/AKYfR3UzoEzpkCKR9YEUzxyzvKAHJ+Q4AwGpVimTReFe/uf8nkkkUQSR4MjJjJ5OtYpzDcZPOUFhk55no7DHqdxr3u4/+klbNhSSKdhD/LQnEX8+PMu2g+5hxfeWo47G154azW9xj/FuJmv0rL/vdz9+AJS6tsY2q8Z5eXldB/9JG0GPsCiZbtxeY5daLZpWjicsH5zIePPfI3uY56iz8QneemtNXiy4IsftjPgxKcZfPLzdB/zKG9/up6IYTJs6gu0H/Iwc+Yuo9voJxk29SXC4YSyxzHp6v9bmBY4XVIP65TzpdaX0/nP7lGIuwZNKRJ5xSypRVZV/HjCmTDoJOg+Bhr0gFlXQq16Uq25QR3Y+INUPH7zI9i5B4ZOhWkXwq490DVOcJ40+HEJTDpHCGr9ZigohGZt4JcVQoaGAdt2wt790LIZHCiEs66E7qPk3DfcB55UePAZaD9U2h14EuR0kuKZbs9vlyRJIokk/nUcMZEpBZGoQVoNRaN6mSxcupnzTz+OyWM6cMXt77N3fynVstNY8use2nWqTnFpjE3bClFueGbuUrbtymfG5I5MGNaOLu1rYwUhEIzi8we47Jw+uJxOHn3xJ5R+7JhBKVBYzLzsAxYv382NFw8gI83D6Ze+woZ1xTSsl0b7VrU47YTOlAdiPPTMIrxpMPPkLoTCMd78eDmxmMns07pVUfY4Zt39fwnLFD3ItZuEYBYvl0jI33sgiMVg/wFZhzQtWa/yeqF7RynQOG4YXHs+PPUKfPwR1K0lxSuPGwuLlkO3DtCkGTSqB0tXSqHKzHSpZGxZUlG6Qys5V+MGUhwzEpCilZ3aynfcqD7Urg7ocOej8PybcN5pMKSvVGx+8x0YN1LKlMx5TQp+XjlbyNcwkvdJEkkcSxyV48M0LeypimaNsqmWVY1LLu/GphVlzHntB/z+KK2b1eRAQTk5Ld1Uz04n1esAA66a3ZdHnoM7Hl2A12PRvHENlCY5VHVr1eTcKzuxYMlO9uX5UPqxyS1LKHsUFUfYsqOQWjXSWLF2H43qZ5OR3gkjCl/M38KPy3bgdjnIqebG6bBh0zVmnt+ePbk+bnrgLa45bzxTZrUhsK0ycCCJI4euS5DLiaOEQOrXhnDot8VxLUssGocd7HrctZcJFEPbluLCu+4C+fyWh2HLTjlHjWx491kpUvnwc7BqlVQz/vZHSK0HTRvC/nzQTGjRQdp4+xN45GbIbAElm6BhM7j7GnjpbbjzKmjaA4y9sGyVtL99t1haowfLeli7XuKCHNIXrrsXyAcjIKWOkkSWRBLHDke9RmZFZXIpKDrA+ElvMXn2XByOFLp3q43NprFo2XauOu9bduzex88r9+AvjvHWJ2uoWSOdB24fSn5hhJfe+YVwkcmiZbvYl1fC9+/vZsXafWzcmseu7T4cjn9/qZeqyh5d2tdmd24xHVrVol7tNHzlEVwuG3NeXUZRcYixQ1tgWTor1+1l65Zi7r55MTc/+DUnjurDXY9/z/lnfEHMiKGppF/xaGGaEkSxay+cdx0896a4Fq3DuN5MUyo9z18MNz4AeQXiinzsfoiGJKowZsCYGTDiVLF8OreF7xdJgMiyVbBmkxSDDAUhPU3auOZieP8L2LhV+rFrE9z9hFh8V90FH70qLsfdW+GmB+QctzwEbz8v+ZGDeot7sWYNaNsCikqkcvPnb8L6LfDDT3DfjbBhrRybfNpJIolji6OrR2ZZKLcoU9TKqU6N6m5qVkvhg2dPpWHDVM44qQvNGmUzf8kOJg7vjGVa+AtNUr0Ofl27m8fmLKVlsxwevGkk/jIT0zTp0bEOi5ftplaNVOrXyWDXXh92+7FZexL3KDx//0TGDW3FXY99y8dfbaBHx7rUqOHmrmuG0rB+BhfdNI+u7evQtnkO6zYXsXpDHj061mXMkNYc36MxK9bso9wf+6+orfa/BsuSJPT5S2D3Pjh10u+vH9ns8Ot6+OhL6NtdAizmvifbvW5ISxGrzjRh7mPQvhWEY9ClHTzyjKyH3X0NdO0EA3uJy++jr2H8UKhXG3IPwN5cWLVe2v95hbg7bW7Yd0ACTPp2h9UbYPEyiIXhinPhqtliqT3+EjRvBK2awRfzoWt7sQhfeUsI1G47PEknkUQS/z4csbLH3tw8Pnz4aWZOvpLR055hy44yHr1tFDNP6oimSRKu2xUPy7dRofgRile3ddihpCxGWqpNyt1HwO2Nn8CkQvEjGhSyOVauGAm7B4cbIkFwxJU6guWi7BEz4yHdTulXhfoHktBsd8r+ofLkAv6fgWlCSgYMniQW0rsvga/wt6tAS4QjKAcVFZOxQ+4eOONSCce/9XK47BxRWgmUS+BFIs8OAEMUZmx6ZeXiRORjJCgGk91D5X0YA3852B3gqLrdkO2aBu4UITVdA+WEiF8szcR9jCbbosfwXv67IqnskcShOOI1MiEAnQO5IXKqeamdk8lX87cxZnArUlMcaJoiGI6rR8SVMFAKPR5mFgxZeNw2wmErniiqKCsxQSGKGfFE5KqJ1McCSkE0ZhEuFTWPiM+qqAxdHqgMqzcDByt7ADjsolKSUAJJ4uihFIQDcM0F0LCuSJX9XvFIpaDcD5ZfJjDTkgeO/APy+ZC+sOBnmDRCAjUME3ylxHUsxbWXSKqOxOQBSmlgBuJ8Ez93qPjgc2qakFD4MNtNE3wllceafnkfiRzsSUiogSSRRBLHFkdMZJqmKPdH6NYjg3mvzJTEYE2itBI/3gQhyQ/80F+wiueVxasZ6+B2acRilZPN0eRj/SuoquwhMlqV15i4lqqaiXpcxaGkNEyK11mhBJLE0UMpiEVhUJ+4qscfWCxKyfpTzJA1MNOUtawWTeGz1+M72YCQJENDpaVc6pNjJWk/bonb44odlrSXuE11/Z+DdxKJ/YfrU9XtifdJ0koiif8MjrpCtBWFYChGIGjhj7sNTVPiDKvq2lX9UZumKGbYdBVXzoDCkhDjzniTi26eB1gHKWkcayQqOuvx/lRV9kiojCSepk3Twu2CjVsLqH/cfWzZWSh5T/+Lkhr/JVAKynwiHfVH+xkGnH0VnDRbjnE45KHCNGHzJliyFH76ERYtlXB6X7nsU1AEDXvB4l/A5RIS25MLo06DMafDj8vB5a2URzOtuJtQJV3GSSTxv4aj9o8pTSwah11IIGZYpHgVNk3cOgmLLGZUHuP1KGIxk7LyCJGoRTRqkZpmo7g0yIdfbsAwLGKG9dcpe8QrOgeDMSwLUrwKy6SiynNpWYRIxKzIEzNNyM50c/7pPcnKcGPE/jrr8f8jEuteqSmigvFbMExwucVK+uBzCIQkp8xuEyvovOug1ziJWpx2IfQYDR99BbYUcDnhvFOhXk2xAA1LFDjatoSvFsCWHbIOasSjKL1uCZM3DEhJ+atGIokkkvh34KiVPYryTYZOfYGRp71Mp+GP06T3vTz6wi9s3FZI5+EP8chzouzRceh9vPj2L7iz4NX319Fr/NOMmP4SLY6/h3ueWEBqQxujBrXA7/fTffSTtB30IEtW7MV5TJU9ZNLavKOEE899k07DH6fvxKd448MNeDPhx2V7GXjSswyb+iJtBz3EjMvexVtdsXpDIWNnvsyyX3ezY1cJNjvJaMU/CdOSkPpV62DGpaJ84XQcXtnDssDmgLFDRaZq7AxoeBy8+Qk4smHqBLG2nn8A7rgGWjQRIvIXwvBpkgy9eYdEOEYiUD0bbr5EIh11DTDF1ZibJ0TYcTj0HCcJza7fUBtJIokk/vtwVMoe0ahBSnVFzeqpfLNwHadO6sSIAS258MZ32JNbSorXzeLlu2jdrhq5BwKs35yP8sBjLyxm07b9nHFyJ0YMaEXbFjlYIQgGo5SV+zl7ancsS+MfLyyuKKNxLKCUhdIsZl76Pt8t2s71F/XH43ZwyvkvsndPgI+/3sDPK9Zxyvj2jB/ehh6d6mGGoVYNL6eM68D8nzez74APNCtJZH8SlinRgCvWwotvwzc/gv576RYm+INijY0dCi2bwt2PgxWGjHQIh2HqBXD5LfDOHDhxtFhtZ0+VMPptu8CM3+XRqJBWYr3NMMS6u+QWePNjCatv0hDOuUpEh73epJsxiST+F3BUrkXDtHCkKVo1q071rOpce0Mvrr9wIBCjvDxC+5a1iRkWtdp6qFk9i5S4sscV5/alS/u63PLQDyz+ZRv78sriC+YadWrmcMmN3ejdtREFRUGUfmy8ixXKHkVRNmzNp3ZOGr+s2UeDulkM79+OosIQp07qxMDeHXn42UV89NVacvN8hHwmOQ1cXDizF26Xh6x0N1p60q34Z5FQ9pg8Gj54Ds44+feVPdDEanI64I7rYMwQKCmTByuHXVyUl50tScoN64ollZ4F554N2ZmQnhpXAgGcXrHKdF3cjHo1iYj8ZY0cu26T7D+8f+W6WRJJJPHfD80CjvQFCWUPi/yifE4+5T2mXfQmNt1D18610DTFkhU7uPnS+WzfvY8Va3IJlMb46KsNNG1YnYfvGsb+/BBz5i4lXGyy7Nc95BWUsejTfazZuJ8tO/LZu8uPw36MlD1iFtWyHXRoVZO9eSV071iXFo2zCYVNauak8tm3G7HZFI/cM5zsjFQefGYh/lCUb77cxU0PfEkwFOKld5bz9mvr443+W7v4t0DCvbt3P1x+myh7OH5D2UMh9cEWL5ew+Xlfwk+/QF4+bFwn5VrKyqFOTXj2vnhFbBvM/xFuuRMKi+Hdz+DlOZIbuOBHuP9pCQh551N4+UnwpkCvriIq3KaFJFQHAvHctaQG2X81jmbuSr7+f7+OXtnDBXabjZrVs7E7FW6njXeenk7jJumcPrkztWqm8vE3Gxk5oB2+8jC+fBNNg4VLt/CPp5bSuH417rtuOP4SE58/TLuWNfhm/jbSUl1kZ3rYurMEx2+smfzLsGSye/7BiQzt25Qb7/+SuR+sol3LGngzNKJRk83b9vHQYz9jYfHAjSOoVtvJh19u4KOv1tKjUyN+Wb2b1z9YU1FcM+lhPDoklD0WLJGAi1PGclgSs5B1rHBIog07t4NFyyQgo0NrqQu2P1+2f/mDEB1KEtwX/AyvvS+iwtt2wwtvymcLfhYXYveOIk/1whuSAvDgjTB1orgsn34FmjcRcoxGkzyWRBL/C1C7jkbZ46GnOWvKVYyd/hybtpXy5F2jmTq+HbpNij26XQojXnBQswGWTDymKduKS8JkpDtx2CAUAbdb2rdMiYYEWZQ/lmoIiWKNDqeoPbidohoR8oNhWDjsilJfFJfTRkqKwu+XXCR0wKBCsSTg/1c6wbGdIY91+/8CKpQ9TpBIwQ9f+31lD6XikY3q4PskFouHy8f/DsRTQSqUQGzI9xVX2gj6xT2p2Q/eHiiXczvdso/DDroLwn45RzI49b8PCWWP7klljyTiOCplD4ddZ9+uACkeG93a1+aDzzcw7PhmpKY4qyh7iAvPtBLKCZJkHIlYpKc5icUsolHZ7vOZMufGZwsVf3/MlT2iFuGIuJv8QVHxsGkaSikiUUjx2jFNIWdNE8UPDqF7rWonFQd//kf9tyGyR1WPScggHQkO9+hR9ZyHa/9o+ncMoZTIQl12NjSuL4Txe8oeliXrWHIwFdehEpka8b8TbSglGoeHPp5VJO8H/3l7LAaRMiHGUBjMYFKVI4kk/pdw1MoePXpm8vUbZ6NpcddPhIp8q0qpKUXiAUkIEOx2RSwmnyWSUJ1ODYdD8nxihlQD/ismWaUUOuDxJKoMC4ElkFAgSVRg1pT6537pVFhnRJCRTFgBsT/oQDC+b2ICV0AKEKJST/D34Igfk+iTBcTVKlBAIL5PPMQcHSwXqGj87xj/MTJTStx5IwbFlT0if0wYBxHdIc8Ph7uOqon5R7pdjxPjb6l5JJFEEv+90I5mRU0psGIQCsUIhy1CYeLSUtJYQhlD1+QQw7BwuWDVhnyGnPIyJ89+hy07irDZxM2zcUsRI6e/zqSz57J+cwFO11+jmBGLGThdFrc8uIChU57llofmS58r+i/J3lXnPMuyRBHEtIQgykBtBLUH0EAVgloPKp/KAxNWkaKCUFQ5uIeA7Quw0hDii4D+HaiyxMkOc3zib+ScamP8fGtBbUPISQfC4D4ebF8D7njfSsF5HjjPAG0+WCnxtn6j/WMNpcDnOzIS+yvxX9SVJI4E/+kIg+Trv+Z19MoeFjidNrwehUWlyoKsZQgBhCMGdhs4HQojBhmpDjIzPLw7bwW5B8pFzDVmkZpio0a2l4++Wsnu3FJ0B8c8P0uUPXR0p6JliywOFAZ597M1aEqUPWw6hMKGWJaq8hiXS5GSonA5FJYb7C+Deww4rgSywH43uMeC/T7AiwywF0goV8TV1i03GKPBbAQqFN/HD84ZoHaDVZtK16Ar/kqszaWC8oHrdDm3a1r8/SjQVsf3dUBsEpj1EXKzADtY9UD/FrR1Vdqs2r4N8MT3/wugJ113SSSRxL8JR0VkpmWBHfbkljJ51lvU73YvnUc+yfEnPMeufaU8/+av9JnwFN3HPMnwaS+yZUcxlgVNmqRz33Uj0HUXdpusgYUjFg0bpnHX1UOx29PQ/4JZLaEqsXl7MRNOe5PnX19JiteD1+NAd8LSX/czZMoLDDzpOdoOeoizrvwAj1eCQxYv38esqz/gx+V7cQCREy0hpQFgvxLMLmB5IDYD7E+AeyTYHwHnVHB3BW0JEBLLSFsGai/gBLUfHPcCsfj+s0HbBFYaqE3gPAfcg8F1ilhtZiMwBoGVDeGnITobrOqgYkBQiE3/VUgxEaBipULkarBqUOludILaUtm+8xTQf0SsuGQScBJJJPE/hKOzyCwFNjjzyvd5//O13Hb1IPof15glK7bhKw+TnemhfataTJvQie8WbWHuB6tweiAcNMk94MMwTAxDXHRKQTRkVW43LYxj7FbUlEUsajLtwrf59sdtNGuaxcq1e4nFDJQXXnv/V+b/vJop4zswYkBL2rXMwTAkpPu7Rdt56tXP+XbRNuw2MKpbWPVAWwr254RkSAWrLhhtgDywPwZmG7HAcABOiA0BbQVo68GyAREhMzRxS6qtQFjWs5wXgvYrRC8EysA5DdQBMGuLK9N5OugfQehtMNoDUYiNlz5p68FKrOHFQOXJ5xiV25yzQVsp7WslQroqN97Xv8gySyKJJJL4V3FUUYs2m0a0BH5avpvJYzoz++ouUAznTu9O7ZwUnn19OWs27sfhsJGV7hULToEzRSM704OmKdJSXWipCqvcwp6qKrenONHTFJQdmxlUVOwVm3f4WLE2l5suGcTND/ahMD/E6g37USZMHd+BVetzuf/phaR4FZNHdyYaNYmEFeef3oPWzWrQ77iGhH2iSmJVB9t3ED0P7C+JlWR5wBwMVk2IDYXw40I+yg/YITYLHE8ipOcFqz6EHwBPH4jcL8eoUiEwbSuYrcVtaDUGIxMIAxpYmeJCVD5pg1LAG+/LP+LtZ0pbuMGyI9+2Wyw4bR2o7WC1AG0VmE2BnHh7OcfkK0giiSSSOCY4Kq3FmGFgz4BuHevw1kcrmHPvCu69bzFX3vkFqzfk8/Sr31OzegZTJ3TE54+xfNVeAoEYX3+zk+feWIJpRnnl3V+Y98k2XE6N77/fzTNzlxCLRXjjo1/56J0taL8Xi/0vIBFaX7OGm3q103nl3WU8/cAK5n2/idwDpeTtDfDj8l2kpzp49L4RpKV6uefJ+RQWhXGlKd74aDWX3PIGb360CocbTJspQRMGxKaDmSEWkOUF24eg7RYycjwM2hYZabUG7A+KdaQtAMfzgC++VhYVC855ETini2vRbC6Wl9EDzJZUrLdpv4IqAqM/RG4CSgCnEJ79fiFObQE4npP+qdVgf16O0ReA/WkhM6sRqGIwesu5cIKVLsckkUQSSfyv4ChZQ4EBz943kdGDW3DjfV8xZ+4ymjfKpm3LbK49fwSrN+zjvOs+ZuSg5hQUBSguivLWJ2t46+MVdGxTj0++Wcur763C7oR3P1vPax8sp0Preny1YCNzXl2G3XZsAj6ktpVFWoqdFx+aiNfj4Oa7v6NP1/rkVPOwfmMRpmmxfPU2Hnz0J2Ixk3uuGUqNam7MMGSmu9F1NyleZ0XOl9lOXHlmSzDGgtFXzqV/KsEWWi7YHxKryPKAvkzckGYjWcOyPS6RimZDiJ4la2f6x+KeJB3CD8pnjlv5v/bOX7eJIIjD3+xtzrFdAOIRIsSb8EbUiAqJnhS8AgWiyVPAO6AUCKVBYMfeO19uKX67tuN/cooILO0nnbyanRvPNTe63ZlZqs/Qv9SSo91I7q9QcOuVROK+wtlH6C+U2egvgQ6qbwpk/Qtw37UXR4TmUr7Ub6D6ovtycC4pfIVC4VSw63BcZ48fP2/49P4D716/JQQdnzGZ9IyGjmqg4+sHA5hMI8OB6aiTXnVm9dnqiHjntEw5D2rwui4HFbM+JjGqo0jXqTB6PDb6O51LFUKP945fvwOjc8/TJ17+RD1bLjVoGvSi9yihIgCD9ActCi4569Gl+Tu095QzEvNcss8w6dUQay3xkZcD/wDjJM81aJnAqlB4n32/Qz5bsz8BRsn+jJLsUfivWXb2eFU6exTE0XtkSwzatqPrKrx36oQQIs6MxSLiK6NZQGhiKkA15mE7Vh6SPyZmMJupY4dzxnQaUxq44b0jRnj+7FydPW6lh+l5tnxcpMvQ3hVpvBmMc/Fym67NOYBblkHP5mncJru1fi0kebfj/kP2D8kbFNDW7RcKhcIJ8fBAhl7kztmyo0dOnTezZWsqc3ZPf5+df0Hu2KEvwZUP+du06+7rwR5f7YjxPv0tp9Z0bGPc75A/xP4h+S77hUKhcEL8BRKt59ibGuVbAAAAAElFTkSuQmCC
- data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAAZwAAAB9CAYAAACWLtWqAAAWpWlDQ1BJQ0MgUHJvZmlsZQAAeJyVWAdUFE+T79kIyy5pyXkJS84555xzEIEl55wNICoqKEmSBAVUEFFAEERQCQYUyYigiBJERFExIAgqN+KJ3//73t29q/fm9W9qqqu6p7q6uhoAdg1KZGQogh6AsPDYaDtjPT4XVzc+7CsAAQSgAgIAUHxiInVtbCwATH/af9LXx7A0TGOSv3T95/f/lRh9/WJ8AIDcYeztG+MTBuMu+PnuExkdCwDyBswXSIiN/IVnYMwUDQ8Qxl9+4YBtjKL6hb1/Y65tGQc7fRjLAECFp1CiAwDAa8B8vnifAFgPHraFYQz3DQqHzUfCWMsnkOILAFsjLCMRFhbxCz+DsQgsD39nR8FYxftfdAb8Q7/3jn4KJWAH/57XNlEZBMVEhlKS/p+/5v+msNC4PzbI8IMPjDaxg1tB+P9NhkSY7+BwbyvrPzjId1t+GwfGmTj+wT4x+m5/sC/FwHynb6iVxR/sH2RkuqMn1tThD/aLMbT/g6Mj7HZs+Ufr6/7BlOi/duNCHHf4gX6mO/qTAx2c/+D4ICerPzgmxN78r4z+Dj86zm5n/H7hxnp/7RrtzD0s5l/mG2S60zc20MFkZ+6Uv+P3C9f9qzPGZWdsvn4Ghn9lHHfkI2P1dmxFhtrsyPuFGu/wY+Ltd/rGwovzb1+bnX8YTDGz+YOBBTAEBoAP6IMgEA78QBigwG8G8FsMiASh8FtSrF9i7K+J6UdEJkUHBQTG8unC0efHZxruIyXBJycjJwfAr1j+vTw+223HKMQy9JcXBfdXUwUAUf6XRxEHoF0CDqFLf3mCSgDQlALQMe8TFx3/m/crJAAa4AAdYALsgAfeKUSAJJADSkAd6MCjNwPWwAG4Ag/gAwLh8UeDBLAXHADpIBPkgAJQAs6As+ACuAyawDVwA3SDe+AhGAbjYArMgAXwFqyAr2ATgiAsRICIEDvECwlB4pAcpAJpQYaQBWQHuUJeUAAUDsVBe6GDUCaUB5VAlVAtdAW6DnVDD6AR6Ak0Cy1Bn6ANBBKBRzAhuBFkhDRCBaGLMEc4IHYjAhBRiGTEIUQWohhRhbiEaEV0Ix4ixhEziLeIVSRA0iBZkCSkJFIFqY+0Rroh/ZHRyP3IDGQhsgpZj2xH9iLHkDPIZeQ3FAZFRPGhJFHqKBOUI8oHFYXajzqOKkFdQLWi7qDGULOoFdRPNAHNhRZHq6FN0S7oAHQCOh1diK5Gt6DvosfRC+ivGAyGBSOMUcaYYFwxwZg9mOOYckwDpgszgpnHrGKxWHasOFYTa42lYGOx6dhT2EvYTuwodgG7TkVDxUslR2VE5UYVTpVGVUh1keoW1SjVItUmNT21ELUatTW1L3USdTb1Oep26iHqBepNHANOGKeJc8AF4w7ginH1uLu4Z7jPNDQ0/DSqNLY0QTSpNMU0jTT3aWZpvuEZ8WJ4fbw7Pg6fha/Bd+Gf4D8TCAQyQYfgRoglZBFqCbcJzwnrtERaKVpTWl/aFNpS2lbaUdr3dNR0QnS6dB50yXSFdM10Q3TL9NT0ZHp9egr9fvpS+uv0E/SrDEQGWQZrhjCG4wwXGR4wvGbEMpIZDRl9GQ8xnmW8zThPRBIFiPpEH+JB4jniXeICE4ZJmMmUKZgpk+ky0yDTCjMjswKzE3MicynzTeYZFiQLmcWUJZQlm6WJ5THLBis3qy6rH+sx1nrWUdY1Nk42HTY/tgy2BrZxtg12PnZD9hD2XPZr7NMcKA4xDluOBI7THHc5ljmZONU5fTgzOJs4n3IhuMS47Lj2cJ3l6uda5ebhNuaO5D7FfZt7mYeFR4cnmCef5xbPEi+RV4s3iDeft5P3DR8zny5fKF8x3x2+FRIXyYQUR6okDZI2+YX5HfnT+Bv4pwVwAioC/gL5Aj0CK4K8gpaCewXrBJ8KUQupCAUKFQn1Cq2RhcnO5CPka+TXwmzCpsLJwnXCz0QIItoiUSJVIo9EMaIqoiGi5aLDYggxRbFAsVKxIXGEuJJ4kHi5+IgEWkJVIlyiSmJCEi+pKxkvWSc5K8UiZSGVJnVN6r20oLSbdK50r/RPGUWZUJlzMlOyjLJmsmmy7bKf5MTkfORK5R7JE+SN5FPk2+Q/Kogr+CmcVphUJCpaKh5R7FH8oaSsFK1Ur7SkLKjspVymPKHCpGKjclzlvipaVU81RfWG6jc1JbVYtSa1D+qS6iHqF9Vfawhr+Gmc05jX5NekaFZqzmjxaXlpVWjNaJO0KdpV2nM6Ajq+OtU6i7qiusG6l3Tf68noReu16K3pq+nv0+8yQBoYG2QYDBoyGjoalhg+N+I3CjCqM1oxVjTeY9xlgjYxN8k1mTDlNvUxrTVdMVM222d2xxxvbm9eYj5nIWYRbdFuibA0szxp+cxKyCrc6po1sDa1Pmk9bSNsE2XTYYuxtbEttX1lJ2u3167XnmjvaX/R/quDnkO2w5SjiGOcY48TnZO7U63TmrOBc57zjIu0yz6Xh64crkGubW5YNye3arfVXYa7CnYtuCu6p7s/3i28O3H3Aw8Oj1CPm550nhTPZi+0l7PXRa/vFGtKFWXV29S7zHvFR9+nyOetr45vvu+Sn6Zfnt+iv6Z/nv/rAM2AkwFLgdqBhYHLQfpBJUEfg02CzwSvhViH1IRshTqHNoRRhXmFXQ9nDA8JvxPBE5EYMRIpHpkeOROlFlUQtRJtHl0dA8XsjmmLZYIPTf1xInGH42bjteJL49cTnBKaExkSwxP7k8SSjiUtJhsln9+D2uOzp2cvae+BvbP7dPdV7of2e+/vSRFIOZSykGqceuEA7kDIgYE0mbS8tC8HnQ+2H+I+lHpo/rDx4bp02vTo9Ikj6kfOHEUdDTo6eEz+2KljPzN8M/oyZTILM78f9zned0L2RPGJrSz/rMFspezTOZic8JzHudq5F/IY8pLz5k9anmzN58vPyP9S4FnwoFCh8EwRriiuaKbYorjtlOCpnFPfSwJLxkv1ShvKuMqOla2V+5aPntY5XX+G+0zmmY2KoIrJSuPK1ipyVeFZzNn4s6/OOZ3rPa9yvraaozqz+kdNeM3MBbsLd2qVa2svcl3MrkPUxdUtXXK/NHzZ4HJbvWR9ZQNLQ2YjaIxrfHPF68rjJvOmnmaV5vqrQlfLWogtGa1Qa1LryrXAazNtrm0j182u97Srt7d0SHXU3CDdKL3JfDP7Fu7WoVtbncmdq12RXcvdAd3zPZ49U7ddbj+6Y3tn8K753fv3jO7d7tXt7byvef/GA7UH1/tU+q49VHrY2q/Y3zKgONAyqDTYOqQ81DasOtw+ojFya1R7tHvMYOzeI9NHD8etxkceOz6enHCfmJn0nXz9JPTJx6fxTzenUp+hn2VM008XPud6XvVC9EXDjNLMzVmD2f45+7mpeZ/5ty9jXn5fOPSK8KpwkXex9rXc6xtLRkvDb3a9WXgb+XZzOf0dw7uy9yLvr37Q+dC/4rKy8DH649an45/ZP9d8UfjSs2qz+vxr2NfNtYx19vUL31S+9W44byxuJnzHfi/+Ifqj/af5z2dbYVtbkZRoyvZRAAk/CH9/AD7VAEBwBYA4DABu1++z9n8TEj58IODWCZKC3iLKkR4oUTQW/RGzhJ2gekE9i1vDowlkWnO6WPoKhgkiDZMWczJLA+siuxgHhbOIa4gHzavI50fK4m8SGBV8T0YI04rQidLAO9838XcSs5JjUrelW2TOyebI7ZMPVnBS1FESUyYqf1dZUO1Xu6pepnFQM1jLTltLR0KXV49Fn96A2hBl+MNozXjF5LXpjNmk+aDFXcsbVs3Wl20u2tbaXbS/7NDgeMWp2bnZ5arrVbfmXU3uV3Y3eDR4Nnm1Ubq9+32e+L7y++K/FUgTxBLMHyIeqhimHW4a4RjpF5UQfSKmOrYzbjL+YyJ1El+y8h6rvT77EvdnpBSlVhyoTDtzsPhQ9uH09D1Hoo76H3PLsMrUPa54QiSLK5sxhyaXOo/mJH0+WwGpULxIoVjzlGGJZalj2a5yn9MhZ2IrUitzqirPtpzrO/+i+ssFqlqui9J1epccLwfUJzYcbSy8UtVU19x8tb2ls/XutQdtA9dH2sc7Jm9M3Xxx62Xn267VHuRt5jsidzXu2fT63E94kNFX9rChv3tgZHBm6N3w6sjG6PexzUfr46uPP068g1fb/NPnU5PPRqcHnt9/cXfm3mzf3Oj89MulhdVF6DV+ie2NwFupZdV3+u9NP5ivGHyU+8T66dPn3i+nVkO+aqzRrr1Yb/iWumG7Sdr8+L37R+5Pry2Zra1/+F8KzYf+DPv/DdUc9UcaHF6IYEgbSJdN38PwmSjJ5Ml8iuURG4HdkuMwZxfXVx5xXk++46Sr/I8FvgjRkbmEySIkUTYxGrF18TmJQcl2qbPSx2XiZb3kTOVlFFgVfii+VOpTblDJV01W81DX0yBrUmm+1RrRbtM5q5url6afYBBq6G3kZGxuomUqayZgzmyBtVi3fGP1zHrE5r5tj90t+w6HNscWp0bnOpdq10q3kl357id2H/FI80zxSqGkeWf4nPQt86vxbwxoC+wKuh88FDIe+izsZfhyxHoUJpo1RiJWL84lPjzhYGJR0qXkzj2je1/uW01BpOIO0KbhD2IO/jz05fBS+vSRkaN3j7Vl1GWePp5zIi0rITssJyA3IC/4ZHR+csHBwsyik8Wlp6pKaksby1rKb5zuOfOw4nHly6rVc5jzbNViNRoXrGo9L0bWpV7KuVxR39Bws7HvynjTi+bXV1da1lu32jDXCe1MHRw3+G6Sb0l0yndpdpv1uN4OvZNy9+S9mt72+wMPZvo+9aMGWAbJQ4rDeiMWo/Zjzo/cxt0fe0x4Tno98XpKmaI8o0xTnlNe+MwEzkbO7Z3PeFmyUPeqY7H/9fTSuzffl/HvON6TP0itSH8UhlfA1ufZL92rFV/3r7mvq31j+/Z1Y2yz8fuJH8E/jbYE/s3//3P8DxJxTBrMMXD8f4Dj34ezlOsRD4FXgy+EVMR/S2BO8CeZQZgkIiYqKiYsTpLgkKSXopYG0p9lFmUn5e7LtypUKxYoHVSOUtmtaq6mrC6gQauxrjmvNazdpdOse0GvQr/UoMAwy+iIcapJommkWYC5h4WDpamVlrWSjbStqB3ZXtCB35HkxOvM5cLuyuLGuAvvjt0N7f7h8c1zzWudsumD8KXyo/NnCeAKJAWRg8VCpEPlwhTDVSO0I42jbKM9YyJjU+Ny4ysTriR2JQ0lT+95u3d9PyIFl4o/QJ0GwVn05aFHh3vSG46UH804FpdBybQ8rnJCIIsu60f2u5y53Gd5kycn8icLnhROFk0WT5x6XPKodKxspHzo9MCZwYqRysdV03CmWzm/UYO6QKhlvshTR74kdVmhXq1Bu1H/ikGTYbPBVb0WnVbNa2ptytfl26U7xG+Qb/Lf4unk7OLs5ukRvC15R/mu3j3LXuf73g9C++IfpvQfHcgdLB46PVw5UjVaMVb2qGg893HmxKHJfU8SnkZMBT7zmnZ9bv/CZsZ21nnOez7qZdpCwasLix2vB5Zm3nxaRr1jei/4QW5F86PBJ6PPRl/0V7W/qq8prct+E98gb/J9Z/9B/EnYwvzy/+87l1+EgWvKc3CecDwCgEUuAKfVASDjAMDTAmBDAMBBFSD0sgFCXh4gZM7u5A8ILjypAT1gAyQgDpTh+tgWeIIIkALXlFWgBTwA0+AzhINIkBrkAEVAGVANdA9aQGAQIggLuNYrhuu7ZSQ70gSZjGxAvkYJwpXaOdRrtBRci/Vg6DBemGYsFdYL20HFRpVI9ZRam7oGrpP2497ReNKM4A3w1whihNO0zLQn6KjoDtOj6Y8w4BlOMnIz1hKVib1MzkyLzEksNCwVrMqsw2yh7Dj2Og4rji+cZVzGXJ+5K3gseTZ4a/gcSWhSK3+wAEngqWCBkB2ZSB4XLhHxEhUWfSfWLJ4koS2JkRySKpUOlFGRpZF9Idcqn6MQqmihJKfMo0JUpVWjV2fVIGlKa2lr2+sE6x7Sq9TvNpg3whqLmZibBpkdNq+w6LCctFqzYbfVtPOzz3bocHwLr2Vr1zS3q7sWdrN4GHkmeNVRZnzYfe39cv1HAolBLsEVIcth6uFZEYtRhtE1sYS4hPiXiQ5JvXs097bul0tpPCCb1nRI/vCVI5JHqzN4MotPELNycxhy809y5FcVShZ1nLIsmS9LOS1wZrjy8Fnd88jqBxfyLnpekqlHNjy9crU5tyXqmu11mQ6aG3O3WrrSe1zuSNxD9E49aH1YMBA/5DaiNyYzLjIh98Rxqnh6cyZ+7vvCkdesby69M/rw8tORVem1ZxtZPwy2948//mfd9r8S7H8b4AHCwD6QBSpAM7gHpsAKhIV4IGXIBgqB0qGzUDc0g4AQAggjRAgiD9GBeIUkIvWQcciLyJcoEoqCOo9aRiugU9ADGG5MBOYOlgsbjx2Da+l8qm/UXtR9OGVcNQ07zQk8Ep+M/0gIIszS7qKdoHOim6DfRT/HEMKwxniYyEKsZdJiGmMOYt5iKWKVZR2AvU/L3sThwongrOdy5yZwd/JE8wrxTvJlkDRJn/gvCFAEuQWnhErJHsKCwm9FWkRTxSzEWcXnJeolk6SMpJmkF2TaZLPk/OR1FLgUNhWnlW7D+axStUStVL1Ko17zJryfvdLZ0uPUVzNwNzxgVGs8YvLNjMdc28LTcp9VufUtmzk7ans5Bw/HE063nD+7irp57yp1H/PAeep6JVKueL/1FfEL8K8NeBekELw/pC+MPTwkoiuKPTo+ZiJOI/5cIl3SvuT3eyn7JlNsUwfSLA4OHLZJHz1qd2wk0+p4X5ZJdm+uad5gvmPB86KQ4o2S42Wk8o4zrhU/q+rOeVSz1jyqLahzu0yqX2683pRx1aNVoY1wfbGj82Z+p1+3wm1wZ+Be2f2wPp1+1oGVof6RurGs8fiJgCcBU8nTNS/ezum+rFrELcW9XXjvtjL62Xp1eN1p48WPsH/4/3+O/+fb8c+/Hf/h2/F/F45/NEIYYY6IRBQhOhFvkCxIQ2QCsg45h+JGuaFKUM/QJHQAuhH9HWOGKcV8wBpiy7HrVI5ULdSs1Hup53GWuHYaEZpiPBW8ApYJnoRHtBa09+j06Lrp9ejvMVgwjDNSGD8Q9zPRMlUwyzHfY3Fn+cKazSbB1s8ezkHk6OD042Lk6uKO5OHjGeY9wCfH94pUym8vQCvwUDBTyJLMQH4iXCUSJqoqhhYbES+XCJJUlsJKPZGulzks6yGnJs8uv6HwXLFXqUW5TuWCar1ah3q/xqzmhjaLjqKui95+/RqDMSOksbyJj2mOWbv5nCW1lay1m80R22t2Sw48js5Oec7DrvRu9rsK3Sc9ODx3eZVRnvsI+Ab7XQ2AAm2CqoLXQq3D6iJwkWFR4zF6sU3xwgkVSVzJpXu59lWliKW2pOkffHQ4MP370ZwMUmbjCc2sBzlOua9OJhbgC88Va52aKt1TznP6TkVEFe/Zx+cLatxqhS6uXrpff6Yxqcn5qnIrZxvi+nLHxM3uzpru9Nued2V7ofvDfRX90YPGw7wj38Yej7dOlDw5MBU+7f3CczZgPmnh5GLz0uQyeC++4vbp+Jeer5vflDfjf1z/5f8Yf3m57fQB4fUAQD/f2vpMBgCbB8CP3K2tzaqtrR9n4WLjGQBdob/v8bdzDT0AeWQWDLj80D7hP+7Qf9/x/0sd8+8t2M5Ev+hXJtpu4awE/gtIy3Ss+LPLjAAAEAdJREFUeJztncuyFakSQMsT+iH+oXMH3T3ouX/oLzg3Qu/AKC/S+YSEqr33WhFGHDdF8iiKhASSd8dx/DwAAAAW8/7n929X5wEAAF6A9//8+0UN/Ovzp99/n8+1v0m/a89ZSHnQ4mvpSWjPSOWy4rfPauXPpC/J1vDqV6pvr46ktL1n2nCv/kbrVyNT5qzsaNo9I/K1OpTS8dp3tm2NfJd3oKr+R+p+Rfw71n9FHx7lrRX61+dPv/9JGer/rqAtXJu2lI7XeVl512RL5bfyKaVrxc+UbxV9Hnu8OrIUmCTbq9/qhuzlPxLXwqu/KJFBlPXRR8LbsF6+FBZlVXvdUf9W+420HemZkfhSWJSd/cVK3rQAqWHv6Cw12Vd10P/8+yWdtvVRXPnhWvGiM8qZkbf03CzR0dj5HkcGMpHfRqkeTfb1X/H9rv72dtZ/dsDjvR9P3iPU/07eSz9KpiONvz5/+s+HPNogPGVzptWnX01b/pFGotXfjg+3oj5WT/uz+cy+9xHZo3UXmflWDlh2o43OswOP/h2239fq+re4U11LrK5/KawPr+SPGc7IaP446kwOUvzsCNAakXtlGy1/Jv6OzvyuzNTvbBuzzHkVM3dtgGKZY7K09bero4yaRLXyt//3zNor6//820rDqltrhtzLrnw3O+pfSmcVfygc66PwKlv6O0NWGVimkb4MfblGp8ceXv2t5O4jteOo6XRXscNcPMusWebuZTuO+vqXOmyJjOlMyqMXfvf634W4hqNpUMtMVLHGY6XrKY3K0UX1LK1K7mi6WVZ/HDtmedLCrVeuuyidFfV/Z2V/clX975g1PkL970DdNLD7pe8yNV310q8wgWSej9qCs5sMNKraV3UntbvTq05vtJ1HFHL73Cp2179kesqu11bk9S71v5o3yca5s0D9i/bsqNLfHhG7rfacZMrT4mhT7TZetkOQPoSRziSTxz4NzS6sybbCV43eW/l9Hs7/R0eZ2uy5/9uLJ+XNW8OQOsA2bS9cy8cM1vuXntOItuHK+o/G1dpl5tt4lvpfybuf37/h2gYAlnF1J/fq3Kn+VZMaAMAsFRuKYJy71T8zHAAA2ELal1ofptmUZ9YZJHlW/izbqyffC8vGjeTvDlNbAIDdpHypVWx9lojIj+bNW0y1dl1l447kT4sPAPDsiK5tjmN+xhKlWn7fmc/KZzYCAFDDkC+1flbUbymsPDiZkRWdOVQqEU8WCgsA4Be386XmMbsXXXveK3t0D3vkHBFKCABekbAvNYtdW++ih0Kz9OXWDvB5azAoGwAAnbAvtZZ2tL9iUVyabYycUM7InwVlAwBg4/pSW72zqkq+Z2Lz5GtKYVY5SfXILjUAeEXeR8xhKzYGVMmX4vbxPfneWZqKsqNkAODVwdMAAABsAV9qAACwBRQOAABswfWl5vkpq/ClFk3jWcLZrQYAr8i7n9+//ZSUROttoA33FExW4Whpa+k9ejhbpAHgVVFNarPbjEeJbl9+1HAAgFdFVDiZTlM6XzI6er9aGawIH/XeAADwbNzOl9qsM8w7h2NOA4BX5ja+1O44O1kRjrIBgFdlyJdaS6UvtTvPTmbCUTYAAAFfatrv1Z3nXZXFbDi+1AAAfvHu77//Vl3bcA5nPtzyTwcA8ErgSw0AALaAaxsAANgCCgcAALYw5EvtDDuO69dwRvPvpVEp3yufxYgrIe/yPOtWUu2ZzF1CmbuGImTKnJUdlQ8A87z1hzb7szhS+HHUuXDpt1X38r1wK+9W/q089L9ZaXjh0fyvxDuY621ttxSYJNsKX+F5oXJrPgCsI+1LbTU7fJVZs4ERGZnwq3zQefGi27qju++8/FS1r+j7O7ejo4gAruPhfamNjJj/+feLGceTOaoUV3d2VfJXzEJasvmU8jLz/mblA8AY79v/ZDrS3lRSZfeOrItY4VY+ZjvkitmXl/9Z7jyCn8mbZxbMxF8hHwB8Ur7UPBt//3eGis7cU3qzI/dM/Wh5W8UjdJKrZ04AcG+expdaZoYVtfePxrcU3koq10VWKsjV9SDlnzUcgOtJ+1JbxYyyqUg3W97sjGzXyH5080N0E0B2k4FG5XpTpTwAWMeQL7Uz7DiuP4fTP6P9rsXznrv6HI6VtzbM+u3Rz+FEuErBA0AcfKkBAMAWcG0DAABbQOEAAMAWXF9qxxFbQ9DiRvjx4eN/fnv7/tV89gyX4vYy+mda2V780fBo/gEAXgXXl5q37VmK3z9j0XbA57/2d+lZsSBdfE1+L6d9XpIhhffpSuHZ/AMAPDu386Wmdcq7O2trBjIyO0HZAMCrk/altvK0uKdspI5emnWsykcbnkkTMxoAQMCX2nnWJHK+RjO1ZejXRbKddf/8KS8yw4gommh4b1pD2QDAq/OHwvE2CZyKZ4XrlmxnL80ytM492vl7GxEy4X3+IvkHAHhmXF9q0uxmlRsRy2RmLeYfR+1MwpORSSOafwCAZ+c2vtRWd8CjpjkAAKjB9aV2HLlzOCNmteg5nMh5Gi+eNjOSkM7ZRONn8w8A8OzgSw0AALaAaxsAANgCCgcAALbg+lKL3oejhUfI3BeT2THn3RsTiR/NW/beHe5rAYBXw/Wl5vlKm/Wl1vtqs+JHPCB4ysBSDFJ8qS6k64v7+Nn8AwA8O7fzpaZ1yqOddVQZtFhlz1653OcDAOBVSftSW4mnbKROfYVvN8ubQgTL4zYAwKvi+lLTwj3T1Wjn2q+bZDvrmc59haJF2QAA/CLkS00Kl2YBM51qRtmd/9c2AEQW9SVWuu6J5B8A4Jl5L/14VUeomcxavN1mnmPRjOIZRVo3ksIAAF6J2/hSe5QOuFcYqx2aAgA8C64vtew5nKq1k+xZl+jMxzvHEzmnM3oOp6KuAAAeFXypAQDAFnBtAwAAW0DhAADAFlxfaseRX+eY9aNmyfF2eUnh1jrMrC+5Pu3oluyKta42f9p6VoWvu5VIZ7ci+ffCLRdMM/KjvviqdyeuWv+7un1kvv+oP8SR/ueqg9pXp78b15daxDWM5nstg+ULrc9LJtzz1Zb1peb5U8umn8Gq597VjhZnNP1Vu/C89uK1z9nyZeVH4vfpW778Ioy4Z9JkSFR8v6N4319UxjN2zs/I7XypaYwom9HnsiOkzMe/cvv0Ktk7t3xHR3fZ9pktQ/UMYlRZVIx2s1aEq7996yzdqrxxrGEP4sFP6xR89QuPyPNMIFETSUYpRcuZ6UQesVFro3PLZLm6wxr10hCNd3cvEBmTUuT9eUTlS89o36ZnyahsX9H4UZN4pvyZ9F+BP2Y40mi9bTg7Okzv3Iz3vIfX0D2FNTviXNXYTrnR8o3U16jJNUrkXc++n2j8ESrax0iaZ3pS/Xvvb1Z+n4723Z6duSVDq/+ZmU22fVrpj5Q/k/4jDkizhHyp9Upn9bQ2MsrwRkFeuITXIGbqYVUn3FJthtrNOQrW6jbyfkbCovJbpDxa7aOqM4nOMqvZ0RnODlgsIu9+pSJ4BWUSwfWl1mvoVUpH61g184E2orc66IpZ0Ax37/AfBaserTYaUTqe/OMY6zyqOlOtDKvb1s62uyKt6IBNGri28Uffn7VE0bbX3TPk3dzGl9pqrn6BV6dfxWrTavTDrv7wq+SPctarZV3IyBkNn5V/d7z871h/fOT6m8X1pXYc/qJXxaJYRLOP5sMaEWZlRmT3cmZHpJFFS+23qgVLzZTj5W9ErpX/Pp1o/Gj9WPIz4dZaRp+f9ncprA/X0ojGz76/mfYnxbfComX35EfTyOa/b1Mj5besMs8+w8GXGgAs5dk7UYiDaxsAWEY7un9lUxL8ghkOAABswfWlFll/qLLhe+m0z2tpWDZVSXY0/Wi6Vlwt3KJyjUNKv3qNI2KDX7kGOCMjIteSP2I68tZutHxgnoJHxPWlJv1tNf7RD0FKu2dk51K/rdvqaLU8eGaBPo32Ny99D68+s+9vJv1o+2ix6iYSHqFShkRF+47I1qgo3yyYw6CCtC+1uzb4zLbRCJJi8jrMyvS9+BlFlJEbJSrfG0TMUrEgnZ1lW99GdVnvsOCOsoEq0r7UqsmO8LwZhncGIcJs+aNmt1WM5j8ar7J9rGhnI9t6+79nzMKzJkNPycxsW85sWe7DR+sH4OQPhXOHkUz03IL2vIellHaU31OKFtl1JCt8RMZM/WTSruzMpPbUKsyKsw9W5+2l7z3vkZWvsbJ+AE7+MKmtNn94WA37/BD6ZzPhHlb5e/lZKpSZZ8703t9oWFR+izTqznTMo5zvyWsfV+G1sfMZgGfE9aW2C+1j08wH7QgsIkf7TcKKG+m0omVZhadYtFFwdPYVNQlFqexotTI8QiduvZsWFBM8Kmlfao/a2FctokcVUfWaR9UmCk2+R2Y9LGKm6006mhxtvaIyPytnQp78zFrLFdxlpgiPietLLTJazC6KSkQU2ejirFUG7+OPrilFF6alcAtp7SO6SaIPt+JrC80Z+VJ4XwYtLS2u9Jxmch1JPyI/2+4y6XvvJ5KHTP76dz7Svh9tsAn3AU8DAACwBXypAQDAFlA4AACwBRQOAABsAYUDAABbQOEAAMAWUDgAALAFFA4AAGwBhQMAAFtwb/w8jpqT4ho/PnxUw96+fxWfOX+PxpfSs2RE42XT//Hhoyg7iuZja+QkfOakupcnjZn2o+UjewrfipdNf8QLMwD8H/fGz/N36W8pbNT309v3r7//tbQdvaaArPiSrKz89v+WcrLyYCmmCBHfdlLd9+H9M178KFrbicrX4kuysvItL+KR9q+lDQA5RG/Rx3Eff0kzM4IWrcP35Pczmx8fPoZmKpZyzFDtFLTC712GKvmjM2nNOagX725OMwGeAXENZ+dH5s1KKuJr5rBVtEpmtnzeqD/Divc6m79I/N0eyntHlXcZfAE8OqU3flZ4lI2slUTMZv0MI6qUIs9GZOwmWveah+cqb8Cz3oaj3ou1eJFnIzIAoJ7SGz8jdngLSzl4azhe/NMU1j8bld/Hl5idzczgrZFETHOzZiRLOUTkW/H7e1gk06BX/kwdAEA9t7nxc9bspcW3NiFkyKzJXKV0PFa+11mzlxbf2oSQIaNMUToAa0jf+LmbyMzijvJ3mdeiNzBqnWg0vnbjZlX+Rlkl/y7tH+CZcG/8PI652wajeOawlsw5mYicyDkfbU3IO4czujvuJLI7a8c5nOiNmyPnhLz4npxI+9TWhEZvNGUWBJCHGz8BAGALuLYBAIAtoHAAAGALKBwAANgCCgcAALaAwgEAgC2gcAAAYAsoHAAA2AIKBwAAtvDbl1r1rY87XOpHTpqPpuHdShk9qV9xUj3rSUBL/6prADLto8oTwLOEH8f+6xkAVvF2HHO3Pno3Ss7i3cg4e2Nl9kbM7I2ZUv4zecze6GmlP0OFB+moR+u+ztq/LeeezxjePoN/N3h03qpHT7s+ilWjPS//uz/6nS7ztbQqyzxyNUGP98wzhqN04Bn4H9EQ+5ZOFEKeAAAAAElFTkSuQmCC